A message from Matt Dunkley CBE:
28 March 2018 weekly update
28 March 2018
This week, Matt introduces the General Data Protection Regulation (GDPR) and what it means for schools.
Thank you to those who attended the recent headteacher meetings, it was good to see so many of you there and I hope that you thought they were informative. Please find the Spring 2018 Headteacher Meeting slides (PDF, 1.4 MB) that were shown and as promised, I will follow up after Easter with the actions relating to High Need Funding.
General Data Protection Regulation (GDPR)
GDPR comes into force on 25 May this year. All organisations are working hard to be ready for GDPR, and it can be all too easy to panic.
However, whilst there are legal changes under GDPR, if you have rigorous policies and processes in place currently under the Data Protection Act, then you are in a good position already, and should find it relatively straightforward to plan for, and demonstrate, GDPR compliance.
There are a number of key areas to consider under GDPR, which I will go through in turn, as well as explaining how KCC is supporting schools in preparing for GDPR.
Privacy Notices and KCC Support
Under GDPR privacy notices need to be clearer about the lawful basis for information sharing, and the reasons for holding information, and who we share it with and why. KCC is currently reviewing all its privacy notices and in April will be providing updated templates for schools to use with parents and staff (the one for parents has already been updated but some further additions are currently being agreed, and will be finalised after Easter). They are all being written in a similar style, and will all be accessible on KELSI and kent.gov.uk. We are also writing a model policy for schools to use, a model process for dealing with Subject Access Requests, are working with partners to write a new Kent and Medway Information Sharing Agreement, and have been running GDPR training sessions for schools.
Data Protection Officer role
A key concern for schools is around who is best placed to fulfil the statutory Data Protection Officer (DPO) role. If this role is given to an existing staff member, this needs to be someone who sits on the Senior Leadership Team, who can provide challenge and scrutiny around information governance and data protection, and test GDPR compliance. They should also be independent from setting the policies and processes around GDPR, which will exclude the headteacher and the IT manager.
There are several options for filling this role: Buy-in DPO resource from another organisation; Share a DPO between a group of schools; Pair up with another school and provide each other’s DPO service; or Give the role to an existing member of your SLT, but use your existing school collaboration groups to establish a DPO Partnership Group, where DPOs can learn from each other and share best practice, and use their pooled expertise to plan and carry out audits and reviews. You will need to consider which option will work best in your school. You can always trial one method and change your mind if it doesn’t work in your situation.
It is important to have a clear and detailed understanding of what information you hold in school, what it is used for, how it is stored, and who it is shared with. You should consider both software systems and paper files. The DfE has produced a useful video to help you undertake this mapping which is available on the Information Commissioner’s Office (ICO) website. This mapping will help you identify any particular risks that need further follow-up.
Are your retention schedules up to date and are they applied to your different sets of information? They should be reviewed to ensure they are up to date and fit for purpose.
Suppliers may already be getting in touch with you about GDPR. However, you need to collate a full list of contracts you manage in school, and contact those suppliers to update the terms of the contract to reflect GDPR compliance, to receive and collate signed agreements to these changes, and to ask them for further details about how they can or will demonstrate GDPR compliance. These responses can be used to identify any risky contracts from a GDPR perspective. KCC is reviewing its own contracts in line with guidance provided by Crown Commercial Services.
Much of the information you collect, store and share does not require consent as it fulfils a number of statutory purposes (which will be outlined in the privacy notice). However, where consent is required, e.g. around taking and use of photos and videos of children, consent statements should be very clear, and multiple issues requiring consent should not be bundled into one consent statement.
Keeping Information Accurate
Review the frequency with which you ask parents to review the information you hold about them and their children. This needs to be accurate both on your systems but also for when it is shared with the local authority and the DfE. Focus on areas where parents may forget to update you e.g. change of address (this is easily overlooked now most communication is via email or text).
Information Security and Information Sharing Processes
As well as an overarching Information governance and data protection policy, you will need to ensure you have clearly defined processes in place for how staff use personal data. These should govern when and how staff take information away from the school e.g. to work on at home, where and how information is displayed, used and stored within the school e.g. locked cabinets, wall displays of emergency contact or allergy information, and how technology can support data security e.g. do all staff have an encrypted memory stick, are your laptops encrypted?
You should have an information sharing log to record any information sharing that takes place outside of the main documented processes and agreements. This is important both for transparency purposes, but also in the event of any challenge around information sharing, it enables efficient follow-up.
You will need to update your procedures for dealing with a request for access to personal information (Subject Access Request (SAR)) to reflect the changes under GDPR in respect of the timescale for compliance (now 1 month and no longer 40 calendar days) and the fact that you can no longer charge for a SAR (currently under DPA can charge £10) unless the request is manifestly unfounded or excessive.
You will also need to establish a clear process in school for the reporting of breaches, as under GDPR all breaches must be reported to the ICO within 72 hours.
The ICO website is an excellent source of information on GDPR, and is being added to on a weekly basis. KCC will be adding to the resources on KELSI to support schools further with GDPR. Please save a link to our GDPR page and check it regularly.
Additionally, there are KCC services that are providing traded services to schools to support with GDPR. Schools Personnel Service and Invicta Law have both developed packages of support that schools may wish to explore.
Can I wish you all a restful Easter break.
Matt Dunkley CBE
Children, Young People and Education