https://teaching.blog.gov.uk/2017/10/24/general-data-protection-regulation-evolution-or-revolution-for-schools/

General Data Protection Regulation: Evolution or Revolution for Schools?

Like the DfE, many schools are increasingly talking about General Data Protection Regulation (GDPR) - the beefing up of data protection, which will be written into law in May 2018.

The obvious question is: “where do I start?” Typically, most people begin by reading the Information Commissioner’s Office (ICO) overview of the GDPR and GDPR: 12 steps to take now, and then think, “what does this mean for us?”

Whether the new regulation represents revolution or evolution for your organisation depends on current practice, but generally speaking I’d recommend 3 things:

1. Focus on why this is important

Sure, it’s legislation, and there are potential fines for serious breaches, but for most schools the focus should be on the third word in the title: ‘Protection’. It’s about keeping the large volumes of sensitive data about young and sometimes vulnerable children safe.  A pretty essential thing to do well, and something that can help get your staff engaged in a more effective way than quoting mandatory work just to comply.

2. Work out what’s new about the regulations

In particular, there is a shift in emphasis which means that data controllers, like schools, not only need robust processes and controls, but need to be more pro-active in demonstrating them.  There are also more things considered as sensitive data, and the bar is raised on where citizens should have transparency and choice about where their data goes.

3. Understand your school's data ecosystem

Any data controller should be on top of protecting sensitive data and know where it is stored, where it goes, and what is done with it. Can you draw that for your school or organisation?

Initial steps to take now

Working with the head teacher and business manager, here’s how we went about it at Dobcroft Infant School…

Step 1: Think where personal data is captured during school life – this is likely to include admissions, parental forms, assessment, school trips etc.

Step 2: Think about where that data is used – generally it’s for contacting people, for tracking education, or for maintaining regular school facilities and activities like libraries and canteens. Several, but not all, of your systems may interconnect with the core management information system (MIS).

Step 3: Think who you share that data with – for schools this commonly includes local authorities, multi-academy trusts, the DfE and beyond.

Building a picture of your new data landscape

You might already have that picture.  You might not, and if not, just have a go…you won’t get it right first time, but show it to a few colleagues across the school, iterate it a few times with them and you’ll be that bit closer to de-mystifying GDPR.

The working version at our infant school is looking like this:

[Image: Data landscape]

That overview sets us up for the next task – showing where the sensitive data is in that ecosystem, and the associated security.

Looking ahead, schools will want to think about how we evolve our privacy notices and messages to parents. Investing some time now in doing the work outlined above will be a good step to support communicating to parents and pupils about what data you process and why.

The role of Data Protection Officers under GDPR

There’s also plenty to think about in terms of an appropriate Data Protection Officer role - the focus of which shifts slightly under the proposed GDPR towards managing subject access requests, ensuring staff are aware and up to date with their responsibilities and the legal principles under which data is processed.

As the education sector prepares for May 2018, whilst DfE cannot give advice to individual schools, we will be talking with the ICO about the top issues schools ask about, and we’ll make sure to blog further thoughts and recommendations. Online forums can also help the sector collaborate and share approaches and questions about data protection, data handling and GDPR.

 

3 comments

  1. Comment by Christine Jackson posted on

    Interesting starter for ten. I think the challenge is in the new accountability requirement. Recording what's done with the data, who it's shared with, the legal grounds for each type of processing etc renders the task a bit more complex. But it isn't difficult.

  2. Comment by Peter Richmond posted on

    Is it the core role of the Local authority to produce a model policy for schools re GDPR?

  3. Comment by Tom Meiklejohn posted on

    There is good guidance out there with regard to the legal basis for processing of data that falls under article 6 of GDPR (where special categories are not included) but much of the data that is processed can fall under article 9 (special categories of information). It is unfortunate that paragraph 2(h) couldn't have been extended to the education sector as this would have made determining the legal basis much simpler. As it is there doesn't seem to be anything within article 9 other than consent that can be used as a legal basis for processing this information (SEN, health, even just recording ethnicity) so there's a lot of head-scratching going on here.
