DfE release their GDPR toolkit for schools

10 May 2018

The General Data Protection Regulation (GDPR) is certainly the hot topic at the moment. Finally, the Department for Education (DfE) have released some specific guidance to schools on the impending Regulation, which comes into force on 25 May.

Hopefully by now, with the deadline just a couple of weeks away, most academies are well on the road to ensuring they will be GDPR compliant. You do wonder why the DfE could not have published this document much sooner, and whether, had they been able to do so, schools might have saved a considerable amount of time and money!

It is worth noting that the DfE toolkit has been released as a ‘Beta’ version and that it is likely to be refreshed once the Data Protection Bill is finalised. An informal consultation exercise is now open until 1 June 2018.

The toolkit has been pulled together with the help of various other organisations, including some academy trusts and other schools.

Speaking to our clients, the responses of those who have read the toolkit are mixed. Larger, more established trusts have generally already developed their approach to GDPR and this toolkit may be of less use to them. Some small trusts, particularly single primary academies, may find the toolkit to be a more useful resource.

The toolkit has been written to support schools in developing their policies and contains nine steps which should help schools ‘efficiently develop the culture, processes and documentation required to be compliant’.

There are a number of examples and useful case studies which explain the reasons why certain personal data will be held and how some schools are approaching specific issues.

Data may be held for various reasons, and one justification may be that consent has been provided by the individual. If relying on consent, this must be given voluntarily and be specific to the data. Quite often, however, it is wrong to automatically fall back on consent and there will be another reason for holding or processing the data. Examples of where consent is a valid reason include:

  • photographs – using photographs of students in a printed student magazine or retaining beyond a child’s time in school if shown in a display for a specific activity;
  • retaining a database of former pupils for fundraising or other purposes; and
  • holding biometric data, for school canteen systems using fingerprints, for example.

Examples where consent is not the reason for holding the data include:

  • processing a parent’s phone details is likely to be to message urgent school information or to contact in the event of an emergency; and
  • photographs – many schools have photographs of children and key medical conditions on the staff room wall. This information is not held because the parents have given consent, but because the information is essential for keeping the children safe.

Some other issues to highlight:

  • Where an academy trust uses ‘middleware/data integrators’ that extract data from a core management system (for example Wonde, OvernetData, SalamanderSoft or Ruler), it is vital that you understand what information is being extracted and how it is being used and/or shared with other systems.
  • Safeguarding is always important in schools. Some safeguarding information has to be held until the child is 25 years of age which means holding the data securely for the long term.
  • If CCTV is used in the school then a Data Protection Impact Assessment will need to be carried out.
  • Schools will need a detailed policy setting out whether staff can take information home, and if so, what data can be taken and what procedures need to be followed. There should also be clear policies on the use of personal IT equipment, including tablet and smartphone devices.
  • All data breaches – however small – should be recorded and investigated. Whilst insignificant on their own, a number of similar small breaches may highlight a trend or weakness in procedures.

I do hope that you are making progress with the GDPR requirements and do not feel overwhelmed. There is a lot of work involved but I know some organisations have found there are some benefits to being forced to consider their processes and they have been able to become more efficient as a result of reviewing systems and changing the way they deal with certain things.

We have already been asked to review information security systems as part of internal audit work and we expect there will be more of these requests in the coming months. Whilst we are not GDPR experts – and everyone is learning in this together – we are able to provide some guidance and can review compliance with your own internal procedures on a 'gap analysis' basis to ensure you are doing what you say you will be doing.

If you want to discuss any of these points or other issues which concern you at the moment please contact me or your local academy expert.