GDPR Guidance for Schools

I’m Iain Bradley, head of Data Modernisation Division in the Department for Education. This short film is intended to help schools with their own preparations for GDPR. The General Data Protection Regulation replaces the Data Protection Act. Much of it is similar, in that it covers the safe processing and usage of personal data, but there is a stronger focus on demonstrating compliance with the regulation. GDPR also has special categories of personal data, things like ethnicity and religion, many of which we use within the education sector, so we need to be really careful about how we use and process that personal-level data.

The personal data ecosystem is a term we use for understanding where you store personal data and, in particular, how those systems might interlink. Within education there are loads of different types of systems where this might be. Within the ecosystem you’ve got your core management information system (MIS), curriculum tools, payment systems and virtual learning environments, which is one set of systems that people will be quite familiar with, particularly senior leaders. But you’ve also got things like catering management, safeguarding, communication tools that you might use for parent communications, school transport and school trips, and you’ve also got to think about where you might store data within school uniform systems and school photographs, things like that. Schools might also use identity management systems or things that contain biometric data, which are a key part of the new regulation, but also think about where your office documents are stored and your core IT infrastructure. Finally, when trying to create that ecosystem, think about where you actually send data to: that might be interactions with health or social care, it might be sending data up to a multi-academy trust or the local authority, or it might be sending data to the Department itself.

That all covers personal data about pupils and potentially parents, but also think about your workforce. There are three groups to think of: people who apply for jobs and what data you hold about them, your current employees who are working with you at present, and people who have perhaps left the organization. You probably hold personal data about all of those people, and that all needs to be in scope.

In order to map your ecosystem, start with the headings we’ve just described, put up around the room. Note down every single system or data store that might be relevant under those headings. Ideally, you can also draw the data flows between systems; then you’ve got a really good illustration of your own data ecosystem. Once you’ve got that, you can start to focus on the six key questions that you need to understand about those systems or data stores in order to be able to demonstrate GDPR compliance:

1. Scope: which personal and special category data items are contained within that system?
2. Sharing: does any personal data flow from that system on to anywhere else?
3. Retention: what is the system’s data retention policy? Does it align to the data retention policies needed to fulfil your duties as a school, and is this clear within your contract with the supplier?
4. Access: how would you get the information for a subject access request out of that system?
5. Security: how does the system ensure the security of the personal data held? What recognized standards are in place?
6. Readiness: is the system supplier confident that they will be GDPR compliant by May 2018? How will they demonstrate that to you?

You may know that information already. You may need to look on the supplier’s website. They might be communicating this to you directly, or you may need to ask them. There are also some commercial and non-commercial organizations who are starting to aggregate this information for schools. Once you’ve got that information together, you can put it into a clearly structured table.

In making sure that table is complete, where are the risks? There are two top tips that schools have been telling me about. Firstly, check for software that’s not on the SLT’s (senior leadership team’s) radar, for example subject-specific software. The key here is to involve all staff in the development and checking of that ecosystem diagram. Secondly, think again about onward flow from systems. Do you have any software that sits on the MIS and shares data with other systems? Do you know what they all are and what data goes where? Do these systems store data, and if so, do you know where that is?

The data protection officer (DPO) needs to be highly knowledgeable about data protection and GDPR. They need to understand the school’s operations and policies. It’s their job to promote a strong culture of data protection. They also need to be aware of compliance obligations, promote training, and process and conduct internal audits. They need to be able to report directly to the board, and to conduct data protection impact assessments and determine when they’re necessary. Perhaps crucially under GDPR, the head of IT or the headteacher probably has a slight conflict of interest: if they’re setting up the ecosystem and assessing it, they’re kind of marking their own homework.

So, what might some solutions be? You could realign responsibilities within your current team, creating the DPO role within your team so that it is sufficiently removed from those making technology or processing decisions. You could collaborate: share the DPO function between a group of schools, or share expertise by being the DPO for each other’s school. You could contract: it is possible to buy in the DPO function for your school or for a group of schools. Finally, seeking volunteers from experts that may exist in the wider school community is an option. It is possible, but note that as a volunteer their statutory responsibilities remain at the same expectation as a paid DPO. It would be a reasonably big commitment for that volunteer, and they would need to be able to influence senior managers’ decision-making in exactly the same way as a paid DPO.

In drawing, understanding and documenting the data ecosystem, as well as exploring the DPO role, we’ve started to get the foundations right for GDPR compliance. In our next communication we’ll be talking about how you start to communicate that to parents and pupils, the conditions that you can rely on for processing within education, and a hot topic that we know about: data retention periods.
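The ecosystem map and the six questions lend themselves to a small inventory model. The Python below is an added example and not part of the DfE film; every system name, data item and flow in it is constructed. It follows the onward flows from the MIS transitively to show which systems end up holding special category data, lists the rows of the table whose retention, security or readiness questions are still unanswered, and picks out destinations that receive data but have no row at all.

```python
from collections import deque
from dataclasses import dataclass
from typing import Optional
SPECIAL_CATEGORY = {"ethnicity", "religion", "biometric", "health"}  # constructed subset
@dataclass
class System:
    """One row of the ecosystem table; None means that question is still unanswered."""
    name: str
    data_items: set                          # Scope
    retention_policy: Optional[str] = None   # Retention
    security_standard: Optional[str] = None  # Security (recognised standard in place)
    supplier_ready: Optional[bool] = None    # Readiness (False is answered, just a risk)
SYSTEMS = {  # constructed sample inventory; all system names are hypothetical
    "MIS": System("MIS", {"name", "dob", "ethnicity", "religion"}, "7 years", "ISO 27001", True),
    "VLE": System("VLE", {"name", "dob"}, "1 year", "Cyber Essentials", True),
    "Catering": System("Catering", {"name", "religion"}),
    "ValueAdded": System("ValueAdded", {"name", "ethnicity", "results"}, security_standard="ISO 27001"),
    "CateringBackup": System("CateringBackup", {"name", "religion"}),
}
FLOWS = [  # Sharing: (source, destination, items shared) for each onward flow
    ("MIS", "VLE", {"name", "dob"}),
    ("MIS", "Catering", {"name", "religion"}),               # dietary requirements
    ("MIS", "ValueAdded", {"name", "ethnicity", "results"}),
    ("Catering", "CateringBackup", {"name", "religion"}),
    ("VLE", "ParentComms", {"name", "ethnicity"}),           # VLE never holds ethnicity
]

def special_category_reach(systems, flows, start):
    """Follow flows transitively from start: which special category items reach which system.
    A system can only pass on items it actually received, so the VLE flow above carries nothing."""
    reached = {}
    queue = deque([(start, systems[start].data_items & SPECIAL_CATEGORY)])
    while queue:
        node, carried = queue.popleft()
        for src, dst, shared in flows:
            passed = carried & shared
            if src != node or passed <= reached.get(dst, set()):
                continue  # not this system's flow, or nothing new arrives at dst
            reached.setdefault(dst, set()).update(passed)
            queue.append((dst, reached[dst]))
    return reached

def readiness_gaps(systems):
    """Rows with unanswered retention, security or supplier readiness questions."""
    answers = {s.name: {"retention": s.retention_policy, "security": s.security_standard,
                        "readiness": s.supplier_ready} for s in systems.values()}
    return {n: [q for q, v in a.items() if v is None] for n, a in answers.items() if None in a.values()}

def unmapped_systems(systems, flows):
    """Destinations that receive data but have no row in the table (not on the SLT's radar)."""
    return {dst for _, dst, _ in flows if dst not in systems}
```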

15 thoughts on “GDPR Guidance for Schools”

  1. Will you be providing guidance on all of the GDPR as this is only a very small subset. What about all 12 requirements from the ICO on the GDPR?

  2. Thanks for the video Iain.
    I'm really disappointed by the lack of info coming from the DfE re GDPR.
    Schools should have been provided with school specific compliance toolkits (data audit spreadsheet, data retention advice, policy & procedure templates etc.)
    There are a lot of companies making a lot of money providing advice to schools at the moment.
    This is money which is not being used to educate.

  3. With my Governor Hat.. Iain, thanks for the video …with my day job hat on, happy to give you a quote on making more of these information videos! 😉 terry at navigator productions.

  4. Thanks for the vid! One Team Logic will be running a webinar on the 15th and 22nd Feb which will outline schools' responsibilities for GDPR, specifically in relation to Safeguarding and record keeping. Register for free here

  5. A useful start but the DfE still needs to give a strong steer & some reassurance on child protection & safeguarding – 'experts' out there are telling schools that they will no longer be able to keep CP files or undertake criminal checks. Disappointing that GDPR isn't included in the draft KCSiE 2018. Also, could you tackle the sample letters provided by DfE for schools to send to employees, pupils & parents which are incomplete and have errors 🙁

  6. At 4.10 there is talk of onward flow of data from the MIS (SIMS etc). This is something schools currently do far more than parents & pupils realise.

    In reality, once pupil data from SIMS etc. leaves the school premises, there is no way of knowing where it is being stored, how it is being processed, who has access to it (are they background checked?), where it is backed up to, who else it is shared with again, whether a breach has occurred, or how long it is retained. Even the school has no way of finding out such things, let alone the parents or pupils.

    Each case of pupil data sharing requires a lawful basis which must balance the rights of the data subject (pupil) with the data processing – see

    Where there is no legal requirement to share data, such as cases where pupil data is shared with a for-profit company providing value-added results/performance analysis processing, schools must state the lawful basis for the activity rather than use the current approach of 'everyone else uses X so we can as well'. Schools have been very free and easy with downstream sharing of MIS data with 'value-added' providers thus far.

    As public authorities (which includes academies), schools can't use the 'legitimate interests' lawful basis for such sharing of MIS data. It has also been established that consent can't be freely given by a minor, which seems to rule out that option.

    Come GDPR in May it will be interesting to see how schools justify the hitherto 'implied/assumed consent' for such processing.

  7. thanks for making this video, the youtube world seems devoid of any #GDPR videos for schools, I'm looking forward to watching your next series of videos on this topic #GDPRintSchools

  8. Seems slanted to larger, more administratively complex bodies – secondary schools and English multi academy trusts. The suggestion that a school might buy in a service provider to exercise the DPO function says a lot about where this is coming from, and it is not a small primary school angle. This business about a "personal data ecosystem" and the complexity of mapping it is all very well from a data geek perspective but quite frankly the clip reveals the planners behind this are deeply unrealistic about the time and expertise schools have to address the new duties. Quite how the DfE think schools might have the budget to buy in from external providers also reveals the sophistication of their thinking on this! Back of a fag packet anyone? I'm afraid watching the film just makes me groan at more expectations (however laudable robust data protection is) that drain organisational time and energy away from supporting/developing excellence in teaching.

  10. There's a primary school head teacher near me says that pupils' exercise books contain personal data, and that therefore teachers will no longer be allowed to take exercise books home for marking. This seems extreme to me. Does anyone have a differing view?

  11. We're almost a year in since the GDPR.

    Why do academies have more rights to ignore data requests from parents and students than main state schools? I ask because I have made a data request to a local academy and there's no response. Why do academies have too much power?