Just like any business, schools and educational bodies must comply with the updates to the Data Protection Act coming in May.
What do schools and the education sector need to know about GDPR?
We know that the data protection laws, as we know them today, are changing. The General Data Protection Regulation (GDPR) comes into force on 25th May this year, and the vast majority of organisations, regardless of size, need to be ready for those changes.
Schools will process the personal data of teachers, students and their families. In many cases, they will utilise marketing to improve intake or to raise money. Schools have CCTV and use cloud software – all areas that the GDPR touches on.
So let’s take a look at some of the areas that schools will need to consider when satisfying the new regulations, and how you can get started.
The personal data ecosystem
The personal data ecosystem is a term used by the Department for Education to describe how data is stored and how the systems that schools use to store it interlink. These systems include:
- Core management information systems
- Curriculum tools
- Payment systems
- Virtual learning environments
- Catering systems
- Uniform ordering systems
- School transportation
- Parent communication tools
Schools will often be required to send that personal data to other agencies including Health and Social Care, local authorities and the Department for Education itself.
Looking at the data this way helps you to plan out any changes you need to make for the GDPR.
6 key GDPR questions for schools to answer
What is included in your scope?
As mentioned earlier, it’s not just the personal data of pupils that you will be handling as a school. It can also be data of the parents or carers and anyone employed by you. This includes current and former employees as well as individuals who have applied for work at your organisation. Schools need to identify all of the personal and special category data that they hold.
Do you share personal data?
Refer back to the personal data ecosystem: are you sharing data with other organisations?
How are you handling the retention of data?
Like most aspects of the GDPR, you will need policies put in place to describe how you will handle data. Here, you will need to look at your systems’ data retention policy and ask yourself if it aligns with your data retention policy. Does it allow you to fulfil your school duties and is it included in contracts with suppliers?
How would you handle a Subject Access Request?
If an individual asks to see what data you hold on them, you must provide this information. This is called a Subject Access Request, or SAR. You need to be confident that you can access this information and provide it to the Subject within the specified timeframe.
Is your security up to scratch?
Any system that you are storing the personal data in must be secure. You will be expected to describe the steps you have in place to protect it. Do you comply with any recognised standards, like ISO 27001 for information security management systems?
Will your suppliers be ready for GDPR?
Come the 25th May this year, are you confident that the supplier who provides your school with your systems will be ready for the changes to the Data Protection Act? Have they described and demonstrated their steps towards GDPR compliance?
Data Protection Officer
When appointing a Data Protection Officer, or DPO, the Department for Education recommends that you do not choose a Head of IT or the Head Teacher. They suggest an individual who has no involvement with making decisions around technology or processing.
It’s also worth noting that Data Protection Officers can work for a number of organisations. This means you can share a DPO with another school.
Further GDPR help for schools
The Information Commissioner’s Office, along with the DfE, will continue to update their guidance in the coming weeks. ISMS.online will keep you up to date.