Implications of this were discussed in all Liaison Group meetings. There is concern that GDPR will impact greatly on all current systems. There has been a lot of scare-mongering and threats of fines. Heads would appreciate a steer from BCC and, if possible, training but appreciate that capacity is an issue. The range of questions are listed below:
Firstly thank you for your questions, I have attempted to answer them as best I can though I would stress that Data Protection is a ‘risk based’ piece of legislation and often there are not hard and fast rules around data use but an expectation that you must consider the risks to the ‘rights and freedoms’ of individuals when using their data and ensure you are following the Data Protection Principles.
As you will see in our answers below, this ‘risk based’ approach often means putting things in place to reduce the risk rather than stopping an activity. We appreciate that this does not provide immediate answers, but considering the data you hold and how it should be kept and used, will equip your school with the tools to understand risks around data use and ensure that people’s data (parents, pupils and staff) is protected.
Further information will continue to be made available as soon as we are able, but in the meantime, the previous school bulletin on this topic and the regulators website (ICO) are excellent sources of information to begin your GDPR journey.
Yes. The requirements for a Data Protection Officer (DPO) are that they must be in a position to advise on what to do in relation to data protection issues but not in a position to make strategic/management decisions about the data. A failure to do this would result in a conflict of interest and prevent the DPO from being independent. Further information about the DPO can be found here: Data Protection Officers
As a result it is strongly recommended that the DPO is not a decision maker around the use of data i.e. not Head-teacher or a Head of Governor’s. An example of a person who might be suited to being a DPO is a Business Manager/ Senior Administrator/Governor. Alternatively you could employ a new member of staff between several schools specifically as a DPO which could act as a shared resource.
This is under review. The likelihood is an E-Learning training provision could be made available and potentially in the future more tailored training might be offered.
This isn’t a mandatory requirement but would minimise the risk of a data breach through loss of data or inappropriate access by pupils/parents. As a minimum, sensitive personal data should be kept in a secure location. We would recommend reviewing current procedures and practices to ensure appropriate controls.
We are assuming that this refers to teacher lounge/ office in which case non-sensitive personal data would be ok but sensitive personal data should not be on display or accessible by pupils or parents. For boards in public hallways/classrooms, personal data not relating to pupils work or school activities should not be displayed.
By assessment data we take this to mean test results or teacher assessments of pupils. We would suggest that this is only shared outside of the school if under a statutory reason or by agreement with DFE or BCC. If a parent/pupil is making a request for their own data, this would be known as a subject access request (details here). This is not a new requirement (it has been a requirement since 1998) and a statutory code of practice for these types of request can be found here: Subject Access Code of Practice (Please note that from May 25th you can no longer charge for a subject access request)
This really depends on the type of pupil data. The school should have its own retention schedule, setting out how long they should keep specific bits of information. If you do not have one, we would recommend using the Council’s retention schedule which contains a section on school records.
USB sticks are only unsafe if they are unencrypted and as such are not typically supported or allowed by IT. The Cloud can be considered safer in some respects as you can’t ‘lose the cloud’ but there are other technical things to consider such as cloud providers access to the data, security of the cloud server and its encryption, where the data is held etc. It’s unfortunately not possible to give a definitive yes or no in regards to this and we would refer you to Technology Services.
The requirement is that information should not be shared/stored outside of the European Economic Area. Cloud service providers must be able to tell you where the data will be hosted. The European Economic Area is defined as follows.
Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. Information relating to criminal convictions/history are not defined as ‘sensitive personal data’ but should only be used in ways defined by law (safeguarding/DBS etc.)
Yes – details of the ‘right to be forgotten’ and other specific rights are included here
The PTA is a separate group (data controller) from the school as such responsible for their own data. Schools should not share personal data around pupils or staff with the PTA who do not have any specific legal right of access to this information. School Governors are different and act on behalf of the school and would be bound by the schools policies and governance requirements (confidentiality etc.).
Yes as long as information is kept secure when not being used. This information should not be left in cars etc. overnight.
A Multi-Academy Trust (MAT) would be considered a single legal entity and as such would be considered a single data controller. As such the MAT would be responsible for the DP actions in all of its schools (and therefore GDPR compliance). However, data protection/confidentiality should be a management responsibility for senior staff (and a professional standard for all staff) and as such day to day compliance remains the responsibility of staff in specific schools.
GDPR applies to all processing (use of) personal data. We would recommend a review of current practice to ensure post is delivered correctly, and to the right person. No GDPR requirement in addition to ‘normal’ DP practice.
We will be reviewing the BCC schools courier as part-of the BCC GDPR compliance activity but anticipate this will continue to remain secure.
Please consult the suggested retention schedule answer in the question above. You should specify when collecting consent for photographs to be used how long you intent to retain those images.
See our answer on retention schedules above. I would offer them to pupils in the first instance then if not collected; destroy them after the defined retention schedule.
We presume this relates to AnyComms. This system is encrypted to the required compliance level and will be reviewed as part of our GDPR project.