Best Practice

GDPR: How to support your data protection officer

The General Data Protection Regulation is now in effect and all schools must have a data protection officer in position. Beth Walton looks at how schools must now support their DPO to carry out their duties effectively.

Under the GDPR, every school must have a data protection officer (DPO). It is the school’s responsibility to ensure compliance with data protection regulations, but your DPO will monitor this and be there to inform and advise you.

These officers carry out a number of tasks – from organising training, to reviewing and updating documents and procedures and reporting data breaches. So what support should a DPO expect from their school to be able to do their job effectively?

Legally, schools must provide certain support to their DPOs. The GDPR sets requirements on this, so make sure you are aware of your school’s responsibilities and have systems in place to meet them.

Staff know when to work with your DPO

First, your DPO must be informed and consulted on all data protection issues. DPOs need to know when impact assessments are due to be carried out and should be consulted promptly if and when a data breach occurs.

All your staff have a part to play here; they must know to speak to the DPO if they suspect a data breach, are undertaking a new form of data processing, or if a person makes a subject access request. Think of it as similar to the relationship between staff and the designated safeguarding lead in this respect.

Your DPO must be in a senior position and must report to the highest management level – your board. Given the importance and scope of the role, you should invite your DPO to regularly participate in senior and middle management meetings.

Crucially, all your staff need to listen to the DPO’s advice and expert opinions on data protection, and if there is disagreement over a course of action, the school must clearly document why.

Provide the right resources

The DPO is entitled to adequate time and resources to do their job, so you need to agree this with your governors/trustees and make sure you honour the commitment. “Resources” means not only budget and support staff, where appropriate, but also use of the school premises, facilities and equipment, as well as access to support from school services such as HR, legal, IT and security.

The time your DPO will need to spend will largely depend on the size of your school and the complexity of your data processing activities. If you are not sure how long they will need, you could start with three hours per week (a popular recommendation) and adjust as necessary later on.

Time and budget for ongoing training

Part of the DPO role is to remain skilled and up to date with data protection issues and changes in legislation. To support this, the school has a responsibility to provide adequate opportunities for training and professional development. Make sure you allocate sufficient funding for this, as well as office supplies, legal advice and travel expenses, in your DPO’s budget.

Respect your DPO’s independence

It is important that you recognise and respect the autonomy of your DPO: he or she must be able to act independently. This means that the school must not tell the DPO how to perform their role or to take certain views on data protection issues – particularly where interpreting the law is concerned.

In addition, your DPO should always be allowed to report directly to your board if they disagree with the school’s decision.

Finally, you cannot dismiss or penalise your DPO for doing their job. For example, if your DPO provides advice that the leadership team disagrees with, you cannot use this as grounds for dismissal or denial of benefits that other employees receive. Of course, DPOs can still be dismissed for reasons unrelated to their data role, such as underperformance or misconduct.

Conclusion

Put simply, you and your whole staff team must work with your DPO to ensure compliance, and give them the support they need to succeed in their roles. It is a new role for many schools, and many organisations in other sectors, so everyone will be finding their feet for a while. However, the requirements explained above – while not exhaustive – serve as a broad guide to what you need to provide to your DPO, and what your DPO should expect of you.

  • Beth Walton is senior content producer at The Key, which provides leadership and management support to schools. Visit https://thekeysupport.com/

Further information