GDPR – Top 4 Things Schools Are Confused About

GDPR: Top 4 things schools are confused about

18 months after the GDPR and DPA 2018 became law, many schools still haven’t fuelled up for their data protection compliance journey and many have not even left the driveway! Whilst I recognise educating children is the prime objective of schools, the safety and well-being of every person in the organisation is essential to achieve that goal. Protecting and securing personal data is part of that.

I developed our GDPRiS software to streamline schools’ compliance journeys and to offer guidelines to ensure they can meet the legal requirements. Schools ask our Customer Success Team loads of questions and there’s a common thread across most of them showing that schools are still confused.

Here are our answers to the top 4 things schools regularly ask:

#1 Who is responsible for data protection?

The data controller is 100% responsible to ensure all data is processed appropriately and kept safe. The organisation, ie a school or MAT, is the data controller. Thus, its governing body carries full responsibility that data protection meets legal requirements and data is kept at the highest standard of security.

The Data Protection law imposes three basic duties upon data controllers:

  • A data controller must have a legitimate reason to process data.
  • All data processing must meet the principals of data protection.
  • Special category data imposes stricter rules upon the processing, which the data controller must oversee.

It’s a responsibility that cannot be taken from you.

#2 Parents evening – can we leave children’s books outside the classroom for parents to view?

This is such a common question and the answer is all about risk.

A leading barrister once told me that if any school wants to be 100% risk-free we should tell them to send all the children and staff home and raise the buildings to the ground. No activity can be risk-free. However, you must consider the risks and act accordingly to reduce them.

What is the risk to a child if someone else’s parent sees their books? Maybe the child could be teased and that’s not right! Thus, find some way to reduce that risk without stopping a very valuable educational activity.

  • Put up a notice setting out your expectations of parent behaviour.
  • Put books at a distance from each other with the child’s name clearly marked.
  • Put the books inside something like a box, folder or large envelope.
  • Consider very carefully whether children with special needs or vulnerable children’s books should be able to be accessed without supervision.

It’s not rocket science, just common sense.

#3 Why can't the Head, Deputy, Business Manager or Head of IT be our DPO?

Your DPO must be independent to oversee your data protection processes. For important assessments and tests, you don’t allow children to mark their own work. Likewise, the Head, Deputy, Business Manager or Head of IT will make decisions about data protection at school and this must be open to independent scrutiny.

#4 What counts as a breach and do I report it to ICO?

There is no organisation that has no data breaches. However, we have a culture of hiding our short-comings and pretend they didn’t happen. Reporting every breach will have a very positive impact on data protection in your school. If you know what you did wrong, you can fix it and become better. Even the near misses hold important lessons that can be learnt.

So, what counts as a data breach? Here are just a few examples:

  • Without a doubt, the largest instances of breaches in schools are sending personal data to the wrong person, such as by email, post or fax. These MUST be logged and reviewed for impact on the individuals involved. If there is a risk to individuals (to their rights and freedoms) then it MUST be reported.
  • A student or unauthorised staff member accesses a staff laptop because it has been left logged in or they know the login details, and it contains or has access to personal data. Depending on what has been accessed, or if you cannot be sure what has been accessed, then certainly, this is a reportable breach.
  • You sell old equipment such as PCs, laptops or filing cabinets and they still contain personal data. Organisations have been fined for this.
  • One you may not think is a breach is when your networks or systems go down, this counts as a loss of availability of personal data and must be reported as a breach.

I have no doubts that the new data protection laws have forced many organisations to review their policies and procedures and give individuals greater reassurance that their data is safe. Schools are custodians of large quantities of sometimes very sensitive data and we owe it to our students and staff who work at our schools to keep it safe.

About the author

Lynne Taylor is Founder and CEO of GDPR in Schools (GDPRiS) and founder of ParentPay. Lynne is passionate about helping schools focus on educating the children in their care. When she realised the increased workload and indeed financial impact that managing the changes to data protection were going to have in schools, she gathered her team of dedicated educationalists to develop a low-cost cloud-based solution for schools.  More than 2,500 schools currently rely on GDPRiS to monitor and manage data protection.


Join Our Newsletter

Simply add your email and you'll get expert advice weekly, direct to your inbox.

Previous Post Old Entry

Share this article:


Next Post New Entry
WordPress Lightbox Plugin