On May 25, the General Data Protection Regulation (GDPR) comes into effect, which leaves schools little time to get prepared.
Until very recently, local authorities have not provided enough clear information to schools on how they should be tackling the issue. Thus, schools have been left to decipher what is fact vs fiction and what are the right and wrong ways to handle the requirements from the mixed messages they receive.
There are many voices on GDPR, from those warning schools about the risks to those which are simply scaremongering. Below is my advice on how to ensure that your school is GDPR-compliant.
The background
When we talk about legislation in the education sector, it tends to be that the local authority disseminates any important updates to its schools while in academy trusts, business managers, finance managers, heads and deputy heads share information and provide guidance on any changes that need to be made. However, with GDPR, it hasn’t been this way. Why? Well, the difference is that GDPR isn’t just for schools – it applies to every organisation that handles the personal data of individuals, be that students, customers, employees, passengers, patients, prisoners (the list goes on).
As such, the Information Commissioner’s Office (the UK authority on GDPR) has issued generic, all-encompassing guidance that organisations must read and interpret before deciding how it applies to them and the way that they operate.
This means that there is no specific guidance for schools – there is no specific guidance for anybody. And that is why a degree of scaremongering and panic has ensued.
Preparation is key
With the implementation deadline of May 25 fast-approaching, the key challenge for schools is to find out what they need to do and to do it now. The starting point is the 12 steps set out by the ICO (see further information). Essentially, this is the blueprint to compliancy, so if your school can get these areas covered, then you are home and dry. The good news is that schools are used to keeping records and adhering to procedures, so much of what you are already doing will apply to GDPR – you will just need to check that you are doing it in line with the requirements. For me, the key areas schools need to take into account are as follows.
Training
The senior leadership team will need to extinguish any prevailing negativity about GDPR and how “complicated” it is and get their staff on board. By doing so, staff will begin to see that it is for everyone’s benefit.
They must primarily be aware of the 72-hour deadline for reporting any data breach and the need to follow any new procedures the school puts in place to ensure the security of personal data. Perhaps consider appointing a number of staff GDPR champions as a rotating responsibility to answer the questions of others. This way, everyone will eventually become familiar with the requirements.
Data discovery
To be able to protect data pertaining to individuals, you need to know where it is located. This applies to paper and online files and documents – including where there may be duplicate copies or where staff are retaining their own versions. This is often a time-consuming task, but schools can be helped by software solutions that seek out every GDPR data-type file on the network.
Data protection
It is important for schools to know that the software and apps your school is using are GDPR-compliant – i.e. the data these applications collect is not excessive and that it is kept sufficiently secure. You will need to keep a record in line with this requirement and again, there are software solutions that can help with this.
Data breaches
As mentioned, all data breaches must be reported within 72 hours and all staff must know this. Again, everything must be recorded as evidence of what happened and whether the data was at risk. For example, if a teacher left an unsecured USB stick in a classroom PC overnight, the school should be able to prove via its records whether the data was encrypted, whether the PC was accessed and whether the classroom was locked.
To help prevent data breaches, schools will also need to ensure security measures are in place on their network, e.g. adequate antivirus protection, security alerts to notify technicians of multiple login attempts from a particular machine and so on.
Individuals’ rights
When a request is submitted to the school to disclose or delete an individual’s data, you will need a workable procedure in place to deal with this. So formulating a detailed process for how your data is collected, used, stored and shared is essential. Use “what if?” scenarios to help you. For example: what if a parent wanted all data held about their child disclosed to them? Which member of staff would be responsible for finding it, collating it and sending it to that parent? Who would record that process and how?
Data Protection Officer (DPO)
Schools must appoint a DPO and this must be an appropriate person who is impartial and does not have a conflict of interest.
The ICO has issued general guidance about the DPO role (see further information) and is of the view that there is no reason why a DPO cannot know the staff or pupils in the school – i.e. why the DPO cannot be a member of school staff. However, according to the ICO, what would prevent a member of staff taking on the DPO are:
- If they didn’t have enough experience or knowledge of data protection law, bearing in mind the complexity of data processing in the school, and the level of protection required.
- If they didn’t understand how data in the school was used.
- If their professional duties aren’t compatible with the duties of the DPO and lead to a conflict of interests.
In my view, there is simply too much grey area when it comes to what schools can and cannot do in the proper implementation of GDPR and this is one example. Yes, school staff can be DPOs provided they “have enough experience/knowledge of data protection law” – but with pressure on staff (especially teachers) coming from all sides, expecting them to find time to delve into data protection law on top of everything else could well prove be the straw to break the camel’s back.
Ultimately, it’s better clarification and more transparent guidance that schools need right now. How are schools supposed to evaluate what constitutes a “conflict of interest”? How can individuals know if their professional duties are not compatible with that of a DPO? This is where the existing guidance falls short.
Evidence
The mantra is: record and report everything. This evidence is your safeguard should the worst happen and a data breach occur that requires investigation.Next steps
It is important to remember that GDPR isn’t something you need to get ready by May and can then forget about. Therefore it is better to empower and enable schools to be self-sufficient. However detailed GDPR is, it is really not rocket science and with some time dedicated to it now, there’s no reason why a school shouldn’t have measures in place in time for the deadline.
- Al Kingsley is the managing director of NetSupport and also chair of the Hampton Academies Trust.
Further information
- General Data Protection Regulation: Evolution or Revolution for Schools? The DfE Teaching Blog, October 2017: http://bit.ly/2j0ufHa
- Preparing for the General Data Protection Regulation (GDPR): 12 steps to take now, Information Commissioner’s Office: http://bit.ly/2ymWk0k
- Data Protection Officers, guidance from the Information Commissioner’s Office, http://bit.ly/2FKYoXG
- Further education-specific information from the ICO is available at https://ico.org.uk/for-organisations/education/ and https://ico.org.uk/for-organisations/education/education-gdpr-faqs/
- This article was updated on March 13, 2018, to include an update from the Information Commissioner’s Office regarding the appointment of Data Protection Officers.