#18 GDPR – Over and Out

All the excitement (if that’s the right word) about GDPR seems to have moved on now, so we thought it was time to conclude our blog and reflect a little on what we have put in place, what we might do differently and what we still want/need to do (as GDPR certainly hasn’t gone away!).

Well, the world hasn’t collapsed following the introduction of GDPR and I’m not aware of any school prosecutions yet, in spite of all the warnings and horror stories from companies trying to get our business. Overall, from our perspective, apart from taking up some time it feels as though the process we went through has been a good thing: we have tightened up our practice; put training in place for everyone so there are clearer expectations of staff; and given more thought to where our sensitive data goes, how it is processed and who it is shared with.

On reflection we’re not sure what we would do differently. This isn’t because we think we’re perfect, but we have stumbled our way through the issues, nobody has said we’re doing anything wrong and there aren’t any prosecutions pending! I know I’m pleased that we didn’t shell out lots of money to a third party to ‘do’ GDPR for us, although some headteachers have told us they felt it was money well spent. Having our school business manager as the DPO seems to work, as there is appropriate separation given the oversight role of our governors.

So, we seem to have things in place now: policy, privacy notice, training, roles. But we still think there is more we can do: constant vigilance and monitoring of practice is one thing, as is building training into our induction programme with regular annual updates. We are also continuing to pursue the idea of a significant overhaul of our website to allow greater interactivity for parents, with personalised accounts so they can update their personal details as well as access assessment and attendance information.

Anyway, this is us signing off! We hope you have found our ‘warts and all’ blog helpful.

#17 Data Breach?!

We had an ‘incident’! OK, here’s the story …

In July we hold Meet the Teacher meetings for parents to meet the new staff team and hear about the next academic year. One of our staff was holding a class list of first names with some asterisked (although there was no key indicating what the asterisks meant). A parent managed to take a photo of it with their smartphone and then posted it on social media, a bit like when photographers have managed to take sneaky photos of team lists being held by football managers. Another parent then let us know this had happened, so we needed to make a few decisions.

Was this a data breach? Yes.

Did we feel it was seriously compromising and reportable to the ICO? No.

What other action should we take if any? We decided to write a general letter to parents making them aware of the matter. The incident was also shared with the governing body.

Well, that was exciting! Because of GDPR at least we now have protocols for us to refer to when an incident like this occurs.

#16 Chase Bridge Home/School Agreement

Although there is no longer a statutory requirement for a home/school agreement, we still maintain ours at Chase Bridge. We think it’s a good way of reminding ourselves of our shared values and of the ways that different sections of the school community work together, as well as inducting new staff and families.

So, why is a home/school agreement part of a GDPR blog?! Our document has been updated to include reference to data, privacy and sharing of information – all the GDPR things that we have been trying to address – for parents, staff, children and governors. It is just a way we have found of systematising and communicating our practice, trying to ensure universal coverage where no one gets missed out. Hope you find it useful.

#15 Getting a Response

If you’ve been following our blog you’ll know that we decided we would only need to ask for consent in relation to the use of photos and videos by the school. We’ve sent out a letter with a link to a Google Form we’ve set up (click on the link to have a look: https://goo.gl/forms/9DPCFnlJu43e3eQw1 ). So far we’ve had 83% of parents responding – which still leaves 17% (we’re good at maths at Chase Bridge!). Trying to get a response from all parents is always a challenge, but we have found the Google Form an effective way of doing this.

The question now is how to follow up on the slow responders. Is it OK for us to say something like “please respond by such-and-such a date otherwise we will assume that your consent has been given”? I don’t know: we’ll need to do some more thinking on that one …

#14 Don’t Leave

Like everyone else we’ve been bombarded with requests to stay signed up to various services in the run-up to the brave new world of GDPR, tomorrow 25th May – most of which I wasn’t even aware of! We have taken great pleasure in deleting most of them (although I must admit I still retained the Pizza Express link – one of my weaknesses).

We have been debating the best way of getting parents to give their consent and have explored some on-line services that cost money (not keen) and then the simple paper-and-pencil alternative, but we don’t like having to spend money unnecessarily and the paper option is a bit of a nightmare bureaucratically.

We have been exploring Google Forms as an alternative and we think it should do the job well for us. If you don’t know this useful tool, have a look: https://www.google.co.uk/forms/about/

As promised our Data Protection Policy and Privacy notices are on our website if you would like to have a look.

Andrew King

#13 GDPR Nirvana – goal or process?!

We’ve nearly got the final drafts of our GDPR policy and privacy notices ready to go (we will share them with you for download next week) and I think we will be compliant! Nevertheless, going through the process has quite helpfully sparked other ideas that won’t necessarily make us any more compliant but will make our organisation and processing of data a little better. Here are a couple we will be pursuing over the next year …

Governors’ emails – I’m sure this is something many of you do already and we are behind the times, but in future we are thinking of issuing a school governor email address upon appointment, which is then easy for us to manage and to remove when they have finished their term of office.

Overhaul of our website – our website isn’t too bad (but please be the judge of that yourself and have a look! http://www.chasebridge.richmond.sch.uk/ ). However, it has grown organically over the years and needs a serious tidy-up to make sure that key information is more obviously and easily accessible – including our privacy notice when we finally post it. We are also investigating logins for parents so that they will be able to see much of the information that we hold on families and their children (for example attendance, assessments and contact details) and edit it where appropriate.

And now our grand philosophical thought for the day … it’s become clear to us that the whole GDPR thing isn’t so much about the goal of getting to 25th May and being compliant or not compliant; it will be an on-going process where we continue to refine and improve our systems and organisation – pretty much like everything else really!

#12 Is it Legal?

Another part of the ICO/DfE presentation that we thought was particularly useful was the ‘legal basis’ on which we process personal data. We’ve been concerned we’d need to actively seek consent for just about everything from parents, which could be hugely time-consuming and bureaucratic – as we know, there are always a handful of parents from whom it seems impossible to get a response. The presenters made it clear that some schools were seeking consent for things where this is simply not required – parents don’t have an option!

In practice the ICO presenter seemed to be saying that almost everything we do in schools will fall under categories where we must comply with an existing ‘legal obligation’ such as collecting attendance data or teaching the National Curriculum, as well as to ‘ensure the vital interests of the individual’ such as for safeguarding purposes.

We have come to the conclusion that the only thing where we will be actively seeking consent for GDPR purposes at Chase Bridge will be for the use of photos and video that we use in school documents, displays and on-line.

The ICO also said that when consent is being asked for, the reasons must be put in a way that can be clearly understood – they have seen some letters going out that are written in two pages of legalese, which is not only unhelpful but not in the spirit of how GDPR should be applied.

Permission for trips and visits doesn’t seem to us to be a GDPR issue as such. We will continue to seek permission but this will be assumed unless we are told otherwise by the parents. We will let parents know about visits and what is happening (and obviously include details such as times, dates, places, information about lunches, coats, all the usual …) but not be seeking their consent for every occasion.

If you are interested in looking at the draft letter we have produced for parents please feel free to download from here.

Hope it’s useful.

#11 URGENT! FINES! DEADLINES! 25th May!!

Perhaps the title for this post attracted your attention and induced panic … or perhaps, probably like me, you have been bombarded with so many emails/spam/adverts that you have become inured to these messages and, with a momentary and mildly irritated mental shrug of the shoulders, you press delete and into the trash it goes. Nevertheless, with the GDPR deadline round the corner you would probably be unusual if there wasn’t a tiny element of subliminal anxiety induced by these offers of advice, warnings, help and services that will solve all your data processing problems … for a price!

I would like to reiterate that we are no experts in the field and these are our own stumblings towards finding a solution to the GDPR challenges at our school, so I’m issuing another disclaimer here (please seek legal advice, etc). Nevertheless, I don’t see any need for panic as we move towards the deadline, even though I’m not sure we’ll have absolutely everything in place by the 25th. I say this as I was reassured by a joint presentation from the ICO and DfE that I attended recently. The first slide flashed up ‘GDPR WILL LEAD TO HUGE FINES’, which was then labelled by the ICO presenter and Senior Policy Officer, Victoria Cetinkaya, as ‘Fake News’. The general gist of what I took from what she said was that the most important thing was for schools to be addressing the legal changes, trying to work towards the new requirements and within the spirit of the law. The ICO will not be pro-actively hunting down schools to fine them, and Victoria said the most likely worst-case scenario would be a complaint to them, from a parent for example, which they would then investigate; if there was a problem the ICO would make suggestions for changes in practice to the school.

It’s great that the DfE and ICO are working together on providing advice and guidance. There is now a plethora of GDPR toolkits out there, but nevertheless if you haven’t seen the DfE toolkit it is definitely worth a look. The advice given certainly now feels more relevant to the education sector – it’s just a shame it’s come along so late in the day (DfE published this on-line on 23rd April)! We have decided mainly to adapt their template documents, as they seem the most straightforward for us to use. However, our schools come in many different shapes and sizes and it is clear to me that we are all likely to adopt slightly different practices that will meet the new requirements, depending on our circumstances.

The link to the ICO education/GDPR site can be found here, and click here for the DfE GDPR toolkit.

#10 Staff Training and ‘Pseudonymisation’

If nothing else GDPR is helping to broaden my vocabulary – and now I’ve learnt what ‘pseudonymisation’ is I wish I’d included it in our staff training!

Backtracking a little, our previous post was about staff training. We completed this at the start of term and have, of course, kept a register to make sure we have covered all staff. I’m pleased to say it was all quite straightforward and nothing came up that caused any surprises, although there was some interesting discussion about what constitutes a data breach.

Going through the presentation made me realise how many parallels there are with how we treat staff training for safeguarding, which always concludes here at Chase Bridge with ‘if in doubt, record it and report it’. The same can be said in some respects of reporting any data breaches: ‘if in doubt, report it’. The other parallel is between the role of the DPO and that of the Designated Safeguarding Officer – it’s important everyone in the organisation knows who this is and what they do.

One aspect we missed out of the training was ‘pseudonymisation’. There are some technical definitions of this, but put simply it is where partial information is shared about individuals or groups. Schools and education services are used to doing this already, sometimes just giving a child’s initials in an email or leaving out other personal identifiers such as date of birth. ‘Anonymisation’ would mean that the recipient cannot find out who the message is referring to, whereas ‘pseudonymisation’ means that the receiver can identify the person in question. This is something I will be encouraging all staff to do in future (although most understand this already) – in most communications it is not necessary to give all identifying information, and doing so could increase the risk.
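To make the initials-and-no-date-of-birth idea above concrete, here is an added Python example (not from the blog or the school) contrasting a pseudonymised pupil record with an anonymised one. It assumes a constructed sample record, a placeholder school key and a lookup table that stays with the school, so only someone holding that table can get from the shared reference back to the pupil.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample pupil record (not real data) and a placeholder key that
# in practice the school would hold separately from any message it sends.
PUPIL = {"name": "Jane Example", "dob": "2011-03-14", "class": "4B",
         "attendance": 0.96}
SCHOOL_KEY = b"placeholder-school-secret"


def pseudonym(name: str, key: bytes) -> str:
    """Stable keyed token: the same pupil always gets the same token, but the
    token alone reveals nothing about the name without the school's key."""
    return hmac.new(key, name.encode("utf-8"), hashlib.sha256).hexdigest()[:8]


def initials(name: str) -> str:
    return "".join(part[0].upper() for part in name.split() if part)


def pseudonymise(record: dict, key: bytes, lookup: dict) -> dict:
    """Replace the full name with initials plus a keyed token, drop the date
    of birth, and record token -> name in the school's own lookup table so
    the person can still be identified by those who hold it."""
    token = pseudonym(record["name"], key)
    lookup[token] = record["name"]
    shared = {k: v for k, v in record.items() if k not in ("name", "dob")}
    shared["ref"] = f"{initials(record['name'])}-{token}"
    return shared


def anonymise(record: dict) -> dict:
    """Strip every identifier and the re-identification handle, so neither
    the recipient nor the school can tell whose record it was."""
    return {k: v for k, v in record.items() if k not in ("name", "dob", "ref")}


def reidentify(ref: str, lookup: dict) -> Optional[str]:
    """Only a holder of the lookup table can resolve the shared reference."""
    return lookup.get(ref.rsplit("-", 1)[-1])


if __name__ == "__main__":
    table: dict = {}
    shared = pseudonymise(PUPIL, SCHOOL_KEY, table)
    print("shared:", shared)                      # initials + token, no DOB
    print("school resolves:", reidentify(shared["ref"], table))
    print("recipient resolves:", reidentify(shared["ref"], {}))
    print("anonymised:", anonymise(shared))
```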

A. King

#9 GDPR Staff Training

Our GDPR to-do list has Staff Training on it. With the summer INSET day programme on our first day back, we thought this would be a good opportunity to brief all staff on their responsibilities.
Having given it a little thought, we have come to the conclusion that for the vast majority of teachers and teaching assistants the training doesn’t need to be over-elaborate. Obviously senior staff and relevant governor(s) will need different, more specific training linked to their roles. We have timed it at about 10 minutes. It is going to cover the following:
  • What GDPR is and a little bit of the context – we’re going to use a couple of minutes from the DfE video (but no more!)
  • In summary help staff to understand the responsibilities of the school leaders – governors, headteacher, the DPO – and the obligation to provide staff training
  • What GDPR means for all staff – when it comes to reporting a breach the message will be: if in doubt, report it
  • Finally a review of the key messages
  • … and that’s it!
At Chase Bridge all key policies and procedures go into our school handbook, which forms part of our induction procedure for all new staff and is published annually with updates on our school website, so the GDPR policy and protocols will eventually find their way into that document. All staff are reminded of its contents annually and receive updates on any additions or amendments.
The PowerPoint being used on our INSET day is available here for download – hope you find it helpful.
Happy training!