Mapping our data landscape is the key step to ensure that the other aspects of GDPR we are focussing on are built upon solid foundations. As May 2018 and GDPR coming into effect draw ever closer, we are using it as an opportunity to do a full set of housekeeping on personal data usage.
We can only deliver our intentions around best practice on other areas of GDPR (e.g. staff awareness, parent/pupil communications about data usage, data retention, the right conditions for processing data etc.) if we understand the landscape thoroughly.
Like many schools, we try to ensure data protection of sensitive data is seen as one element of child protection.
Getting on board with GDPR
Forget the threat of fines, or any other scare stories with GDPR that regularly land in my mailbox, the mission statement here is to continue to identify and manage risks to keep our children safe. We can all get on board with that.
Fully understanding the data and systems around school catering was one area I found a challenge.
We use finger print recognition, or biometric data, a new special category of data in GDPR. It needs the gold standard treatment of being secure and used appropriately.
It is also an area of school life where other personal data items (free school meal entitlement, religious beliefs, medical conditions) are used and moved quickly between a large group of catering staff. In short, I sensed risk.
The mechanics within our catering service are very complex and there are various pieces of software involved as we use a cashless system and online payments. The main thing to get to grips with was the way the tills function when they draw and process data from a variety of sources.
The 'User Journey'
To understand it all, I needed to follow the process through. The ‘user journey’ as people call it these days:
In essence, when a student wishes to buy a meal:
- They place their finger on the fingerprint reader
- The till accesses a server in school to look up the fingerprint for identification, which in turn has drawn data held in the MIS
- In addition, the till must check there are sufficient funds by communicating with the student top up machine or the parent payment system
- The food is purchased
- Finally, the new balance and details of the food purchased is communicated back to the parent
The value of conversation proved to be crucial. I worked with our main catering provider and asked for their input into the data flow diagram.
This served two purposes; firstly to understand the viewpoint of the people using the system on a daily basis and secondly to highlight that we are being proactive in this area and expect them to be the same. It has met both purposes.
I know from conversations with other Head teachers that there are variations of arrangements within school meal services and many different systems, all of which process personal and sensitive data. So, I suppose in short, that’s saying that we had to understand our world, and we may each be that little bit different. No one else could do that thinking for us.
Once the mapping was refreshed, it was time to consider carefully the security of that data. Unlike some other areas of school life, this one is very much an online-based environment. Thus revisiting role-based access rights, such as who can use the data and for what purpose, as well as tasks like ensuring that when staff leave they can no longer access the data etc., has been important.
Additionally, it was vital to ensure and evidence through good communication that staff knew their responsibilities and our processes to protect the data around encryption and strong passwords.
Unlike much of a school’s data which is only accessed by ‘our’ staff, catering personnel are often different. If they are employed by contractors, then a data processing agreement (or a controller-processor contract) needs to reflect what the data processor (the contractor) is doing for the school (the data controller).
If that is your model and you do not have an agreement like that, I would suggest you resolve it quickly.
Communication and Colloboration
It is my job as the data controller to ensure all staff are fully aware of their responsibilities when handling personal data and particularly sensitive data. Working with catering contractors has allowed me to bring them into our plans for raising awareness amongst staff.
Again, it came down to conversation and collaboration, not a paper exercise.
Our excellent caterers are in school to look after staff and students’ dietary wellbeing. Compared with when I started this work and these conversations, I now feel much more reassured that they understand that caring for personal data is a key part of their role.
So, in that sense, I say thank goodness for GDPR!