All schools typically work with huge amounts of data, much of which is more sensitive than the data held by the majority of businesses. This data includes a whole raft of special category data, including health, mental health, safeguarding and child protection, as well as data relating to finance, human resources, and education.
By Antonia Noble, Barrister and Founder of Carter Noble
What this article covers:
- How schools can reassure governors that data protection is being properly handled
- Understanding schools’ data protection policies and systems
- Assigning a dedicated data protection link governor
- Appointing a data protection officer (DPO)
- Dedicating the attention data protection requires
- Maintaining regular staff training
- Annual / bi-annual data protection policy updates
From both an ethical and legal standpoint, robust data protection is an absolute must for schools. The potential consequences of data breaches are too severe to not give it the time and attention required to do it properly.
To bring this sharply into focus, in February 2021 the Data Protection Commission reported that 6,600 data security breaches were notified last year. The most frequent cause of breaches, accounting for 86 per cent of cases, was unauthorised disclosure. In one particularly concerning case, the grandmother of a child in care was unintentionally provided with the address and contact details of the child’s foster parents and the location of the child’s school.
Since May 2018, UK schools must adhere to strict guidelines published in the GDPR and other legislative provisions, including the Data Protection Act 2018: a set of regulations that are more rigorous than previous legislation and carry more severe penalties for non-compliance. All UK schools must both comply with GDPR provisions and also prove that they have robust data protection protocols and systems in place.
Data plays a key role in our modern education system. It provides opportunities to monitor progress, evaluate methods, promote evidence-based practice, and make huge efficiency improvements in school operations. However, the risk of data breaches is ever-present and the consequences grave. Ultimately, the responsibility for overall compliance with data protection protocol and legislation sits with a school’s governors. Understandably, this can be a potentially daunting prospect – both for the school and its governors.
But knowledge brings understanding and understanding brings assurance. So, in this blog I’ll walk you through what you can do to ensure your school’s data is as secure as possible.
Understand Your School’s Data Protection Policies and Systems
You will likely have a fairly good understanding of GDPR and other linked regulations, but are you absolutely clear on how to apply them in the context of a school environment? Let’s take a look at some key considerations.
- The data you process. Only by everyone in the school having a firm grasp and knowledge of all of the types of data being processed – whether it relates to staff, suppliers, governors, parents, consultants, visitors or volunteers – can you take steps to protect it.
- IT systems used and security in place, including:
  - How schools use certain systems and how safe they are – i.e., are they backed up and encrypted?
  - Be aware of which information management systems are used (SIMS and INTEGRIS being the two main ones used by schools), especially those used for child protection and safeguarding concerns (Sleuth, CPOMS and Egress for secure mail, for example), and whether these are ISO 27001 or Cyber Essentials certified.
  - Take note of where data is processed: in the UK and/or EEA, or elsewhere? (For more information, see: Online learning: how schools can keep children safe.)
- Teaching apps. Understand which apps are used, how they’re used, and how safe they are.
- Systems for recording data. Which system(s) does your school have in place for recording the data it processes (usually in the form of an information asset register)? How are contracts for data processors such as your IMS or email provider checked?
- Recording consent. Where required, understand the systems in place for recording consent and keeping it up to date. This covers student and staff data, and any other situation in which consent is required. For example, consents must be checked before any marketing material is published and/or sent to parents.
- Safety and compliance. Your school will need a process and/or system in place that keeps your students safe while also adhering to data protection requirements. For example, there is a balance to be struck between keeping medical information safe and allowing staff quick and easy access when required (i.e. when staff need to check whether a student has any allergies).
- Systems and protocols for mobile data. This can include password protection, locking IT systems, and ensuring all systems have up-to-date software (to name just a few).
- Systems for data breaches and subject access requests. You’ll need to be aware of the system(s) in place for handling data breaches and subject access requests – and how they differ from a request by a parent for their child’s education record.
Assign a Dedicated Data Protection Link Governor
It’s recommended that you put in place a dedicated link governor responsible for data protection, similar to how a school does for safeguarding and SEND. This governor can then liaise with the operational lead for data in the school and the school’s data protection officer, and generally act as an effective conduit for communication between the school and board.
Achieve assurance by appointing a data protection officer (DPO)
Engaging a DPO with the requisite expertise will give your governors peace of mind that you’re effectively fulfilling your data protection responsibilities. The DPO must not, however, have any conflict of interest.
They must have an in-depth understanding of – and experience working within – data protection law. It’s especially useful if this has been in the context of schools, specifically.
With that in mind, internal appointments are acceptable, but the person must not already be operationally responsible for data – i.e., it would not be suitable for a business manager, headteacher or someone responsible for the school’s IT to become a DPO.
The ideal appointment would be someone who is comfortable and competent answering challenging questions from parents, the local authority (LA), and the Information Commissioner’s Office (ICO). Experience drafting policies and procedures within the context of data law, schools, and general legal issues is also desirable, but not compulsory.
See below for a reminder of a DPO’s core responsibilities:
- Drafting and handling policies and procedures
- Directing and implementing training for staff and governors
- Offering audit and assurance for the school’s governing body
- Acting as main point of contact for the Information Commissioner’s Office (ICO) and helping with subject access requests (SARs)
Dedicate the attention data protection requires
Data protection should remain on the board’s agenda as a standing item and be added to your school’s risk register. Doing so will allow the board to robustly demonstrate overarching responsibility for data, reassuring everyone that data protection is receiving the care and attention it requires. It will also give a clearer link to data in full governing board meetings.
Maintain regular training
Regular data protection training and briefings for your school’s staff should be mandatory. This will help ensure that staff understand and appreciate data protection best practice, as well as how to keep data safe. It will also reassure your governors that a robust system is in place. Incidentally, training for governors – although not strictly mandatory – is also important and highly recommended.
Annual / bi-annual data protection policy updates
Governors need to be aware of, understand and sign off annual and/or bi-annual data protection policy updates. This is central to your data protection regime. It also provides valuable time to remind governors of data protection best practice and how the school is addressing all of its responsibilities, including how it is managing any data breaches and data subject rights.
Take the time to walk governors through your processes and privacy notices, perhaps by giving them a presentation tailored to your school’s individual arrangements. DPOs must also provide an independent audit to governors on a regular basis. In our experience, it’s best for governors to receive this type of information once a year. Governors will be thankful for these updates and feel reassured by the robust protocols in place.