GDPR - Top 4 Things Schools Are Confused About

GDPR: Top 4 things schools are confused about

18 months after the GDPR and DPA 2018 became law, many schools still haven’t fuelled up for their data protection compliance journey and many have not even left the driveway! Whilst I recognise educating children is the prime objective of schools, the safety and well-being of every person in the organisation is essential to achieve that goal. Protecting and securing personal data is part of that.

I developed our GDPRiS software to streamline schools’ compliance journeys and to offer guidelines to ensure they can meet the legal requirements. Schools ask our Customer Success Team loads of questions and there’s a common thread across most of them showing that schools are still confused.

Here are our answers to the top 4 things schools regularly ask:

#1 Who is responsible for data protection?

The data controller is 100% responsible to ensure all data is processed appropriately and kept safe. The organisation, ie a school or MAT, is the data controller. Thus, its governing body carries full responsibility that data protection meets legal requirements and data is kept at the highest standard of security.

The Data Protection law imposes three basic duties upon data controllers:

A data controller must have a legitimate reason to process data.
All data processing must meet the principals of data protection.
Special category data imposes stricter rules upon the processing, which the data controller must oversee.

It’s a responsibility that cannot be taken from you.

#2 Parents evening – can we leave children’s books outside the classroom for parents to view?

This is such a common question and the answer is all about risk.

A leading barrister once told me that if any school wants to be 100% risk-free we should tell them to send all the children and staff home and raise the buildings to the ground. No activity can be risk-free. However, you must consider the risks and act accordingly to reduce them.

What is the risk to a child if someone else’s parent sees their books? Maybe the child could be teased and that’s not right! Thus, find some way to reduce that risk without stopping a very valuable educational activity.

Put up a notice setting out your expectations of parent behaviour.
Put books at a distance from each other with the child’s name clearly marked.
Put the books inside something like a box, folder or large envelope.
Consider very carefully whether children with special needs or vulnerable children’s books should be able to be accessed without supervision.

It’s not rocket science, just common sense.

#3 Why can't the Head, Deputy, Business Manager or Head of IT be our DPO?

Your DPO must be independent to oversee your data protection processes. For important assessments and tests, you don’t allow children to mark their own work. Likewise, the Head, Deputy, Business Manager or Head of IT will make decisions about data protection at school and this must be open to independent scrutiny.

#4 What counts as a breach and do I report it to ICO?

There is no organisation that has no data breaches. However, we have a culture of hiding our short-comings and pretend they didn’t happen. Reporting every breach will have a very positive impact on data protection in your school. If you know what you did wrong, you can fix it and become better. Even the near misses hold important lessons that can be learnt.

So, what counts as a data breach? Here are just a few examples:

Without a doubt, the largest instances of breaches in schools are sending personal data to the wrong person, such as by email, post or fax. These MUST be logged and reviewed for impact on the individuals involved. If there is a risk to individuals (to their rights and freedoms) then it MUST be reported.
A student or unauthorised staff member accesses a staff laptop because it has been left logged in or they know the login details, and it contains or has access to personal data. Depending on what has been accessed, or if you cannot be sure what has been accessed, then certainly, this is a reportable breach.
You sell old equipment such as PCs, laptops or filing cabinets and they still contain personal data. Organisations have been fined for this.
One you may not think is a breach is when your networks or systems go down, this counts as a loss of availability of personal data and must be reported as a breach.

I have no doubts that the new data protection laws have forced many organisations to review their policies and procedures and give individuals greater reassurance that their data is safe. Schools are custodians of large quantities of sometimes very sensitive data and we owe it to our students and staff who work at our schools to keep it safe.

About the author

Lynne Taylor is Founder and CEO of GDPR in Schools (GDPRiS) and founder of ParentPay. Lynne is passionate about helping schools focus on educating the children in their care. When she realised the increased workload and indeed financial impact that managing the changes to data protection were going to have in schools, she gathered her team of dedicated educationalists to develop a low-cost cloud-based solution for schools. More than 2,500 schools currently rely on GDPRiS to monitor and manage data protection.

Join Our Newsletter

Simply add your email and you'll get expert advice weekly, direct to your inbox.

Previous Post Old Entry Next Post New Entry

About The Author

Ian Richardson

Built hundreds of website and helped countless schools realise their potential online. Ian should be called upon for straight-talking advice and to make a difference to the way you present your school through every outlet.

https://www.schudio.com/author/ian/

Like this blog? Stay up to date …

Simply add your email and you’ll get expert advice weekly, direct to your inbox.

Google Rating

4.9

Schudio

4.9

gail barlow

14:35 23 May 18

Ian Richardson and his team at Schudio created such a user friendly website for our school. The uptake amongst parents accessing information on our website has increased and the training the Schudio team gave the admistration staff has been excellent. Regular updates from Schudio and ease of contact has certainly helped keep our website up to date, compliant and a joy to access!

Archbishop Temple School

09:49 24 May 18

Schudio offered excellent value for money to redesign the school website & very good training and support.

Carol McDonald

12:29 23 May 18

S Attwood

10:45 05 Jul 18

We’d been with our previous hosting provider for nearly four years and although the website had served us well, web design and hosting had moved on substantially in that time. The old website needed a substantial change and we looked to Schudio as a partner to help with that process.We found Schudio’s approach to school website services very refreshing; it was to not just provide a design and web hosting service. It was to work with us in a school-focused manner that made them stand out against their competitors. Everyone is incredibly flexible and helpful, which made the whole transition process much easier. Communications were always dealt with promptly as the team project-managed the work on Schudio’s side well. The project was well managed and everyone knew what was expected of each other. The school logo and branding was updated by working with their really helpful designer.Feedback about the new look has been really positive and we are making it easier for visitors to find the information they are looking for.Schudio stands out for me because they offer a incredibly useful OFSTED checking service and provided design advice to make our website work in the way we wanted. They also keep us informed with changes in the OFSTED regulations and continue to work with us to develop our website.

AnneMarie Pincombe

18:38 14 Oct 18

I recently attended the Ofsted School Website Requirements training course run by Schudio. It was most informative and helpful, with practical suggestions on how to make website administration manageable. All the Schudio trainers were approachable and extremely helpful. I am hoping to attend more Schudio courses in the near future.

Cathedral School

13:19 12 Oct 18

A really excellent opportunity to review our website content as well as having the time to explore further development of the site with Schudio staff. Many thanks

Carr Hill High School

07:15 18 Oct 18

We’ve worked with Schudio for over three years now. They have seen us through the launch of a new website and, most recently, a rebrand. The team are professional and knowledgeable and nothing is too much trouble. Everything they do is school centred and their experience of the education sector is invaluable. They are continually looking at ways to improve the user experience and new features are added to the CMS regularly enabling us to continue to provide our students and parents (both current and prospective) with the best possible website experience. They also offer additional services, such as the website Ofsted Checker, going above and beyond what a website company has to offer its clients.

Suzanne Smith

10:06 10 Sep 18

I couldn't recommend Schudio highly enough! The whole process of changing provider and updating our website was made simple and easy.

See All Reviews

School Website Software

Website Compliance

Parental Engagement

School Marketing

Social Media Manager

VLE & Online Learning

School Admissions & HR