As mentioned in David’s blog, GDPR can help facilitate some very useful conversations. It has been the case in our school too.
I confess I thought having EU regulations about data on the agenda for a staff meeting at the end of a busy day was going to be a tough sell, but I needn’t have worried. Once staff made the connection between child protection and data protection themselves, the engagement was fantastic.
As part of our GDPR preparation, our leadership team sat down and did the data mapping of our systems and processes several months ago. We have been using that to engage with suppliers about their own readiness, as well as to do some early work on the key risks we want to manage down. And we’ve needed a fair bit of time to get au fait with the new language and definitions, for example around special categories of data.
Our early staff engagement focussed on three key areas.
We talked about how the data world has changed in the 20 years since the Data Protection Act (Smartphone anyone?!). We talked about the links with child protection, and how it is right that pupils and parents are aware of how their data is used, and how to exercise the rights they have as part of how we work with them.
Validate the data map
Rather than show a diagram and ask ‘is this right?’, we asked more open questions. The strong message that came out from that seemed to be that whilst SLT were very astute on the systems that contain personal data, the wider staff group were really hot on the physical places we store and use personal data, notably data around special educational needs and medical information.
Brainstorm our current risks and how to mitigate them
Talking these through with staff identified a number of small tweaks to our physical storage of data and ways of working in particular. Very quickly we identified that our mitigations were a combination of people (being aware and responsible data users), processes (how those highly aware people will work to ensure we protect the data) and technology (how we’ll ensure the technology that we use to do our jobs is secure and minimises data use). We’ll be working on all three in the coming months.
Moving forward, we also agreed these principles…
- GDPR should not make silly things happen. If we reach an odd conclusion when working through the detail that doesn’t feel in the best interests of our children, we should take the step back and look again. Chances are we have gone wrong somewhere in our thinking.
- Our approach should be to continuously drive down risks. To do that, we need to clearly articulate the risks and our strategy for managing them down so it can be challenged and supported by our governing body.
- It is a little and often job. We’re all still learning and not many of us went into education to read detailed legislation! But we should be on the front foot to understand and deliver the right response.
- Communicating is important. We’ll commit to ensuring parents (and staff for our workforce data) are really well informed on data usage and their rights. The point of registering as a new pupil, as well as our website, are two key parts to that strategy. And we will talk regularly and often with schools we collaborate with in our locality, as this will help us be efficient and effective in responding to GDPR.
In summary, for me, engaging staff on data protection isn’t a matter of detailed, dry material about ‘what does the law say and what is changing?’; rather, it was about quickly using that to set up a very practical conversation about our ways of working now and in the future.
As a result of the all-staff conversation, our team have become that bit more aware of their own responsibilities, and our SLT have a better line of sight on the risks and challenges as a result of staff engaging with the topic. Well worth half an hour on a wet Wednesday afternoon!