If you’ve been following our blog you’ll know that we decided we would only need to ask for consent in relation to the use of photos and videos by the school. We’ve sent out a letter with a link to a Google Form we’ve set up (click on the link to have a look https://goo.gl/forms/9DPCFnlJu43e3eQw1 ). So far we’ve had 83% of parents responding – which still leaves 17% (we’re good at maths at Chase Bridge!) – trying to get a response from all parents is always a challenge but we have found the Google form an effective way of doing this.

The question now is how to follow up on the slow responders. Is it OK for us to say something like “please respond by such-and-such a date otherwise we will assume that your consent has been given”? I don’t know: we’ll need to do some more thinking on that one …

Like everyone else we’ve been bombarded with requests to say signed up for various services in the run up to the brave new world of GDPR, tomorrow 25^th May – most of which I wasn’t even aware! We have taken great pleasure in deleting most of them (although I must admit I still retained the Pizza Express link – one of my weaknesses).

We have been debating the best way of getting parents to give their consent and have explored some on-line services that cost (not keen) and then the simple paper and pencil alternative, but we don’t like having to spend money unnecessarily and the paper option is a bit of a nightmare bureaucratically.

We have been exploring Google Forms as an alternative and we think this should do the job for us well. If you don’t know this useful tool, have a look https://www.google.co.uk/forms/about/

As promised our Data Protection Policy and Privacy notices are on our website if you would like to have a look.

Andrew King

We’ve nearly got the final drafts of our GDPR policy and privacy notices ready to go (we will share them with you for download next week) and I think we will be compliant! Nevertheless, as we have gone through the process it has quite helpfully sparked other ideas, that won’t necessarily make us any more compliant but will help make our organisation and processing of data a little better. Here’s a couple we will be pursuing over the next year …

Governors’ emails – I’m sure this is something many of you do already and we are behind the times but in the future we are thinking of issuing a school governor email address upon appointment which is then easy for us to manage and remove when they have finished their term of office.

Overhaul of our website – our website isn’t too bad (but please be the judge of that yourself and have a look! http://www.chasebridge.richmond.sch.uk/ ) however, it has grown organically over the years and needs a serious tidy up to make sure that key information is more obviously and easily accessible – including our privacy notice when we finally post it. We are also investigating logins for parents so that they will be able to see much of the information that we hold on families and their children, for example, attendance, assessments, contact details so that they can edit where appropriate.

And now our grand philosophical thought for the day … it’s become clear to us that the whole GDPR thing isn’t so much about the goal of getting to 25^th May and being compliant or not compliant, it will be an on-going process where we continue to refine and improve our systems and organisation – pretty much like everything else really!

Another part of the ICO/DfE presentation that we thought was particularly useful was the ‘legal basis’ on which we process personal data. We’ve been concerned we’d need to actively seek consent for just about everything from parents which could be hugely time consuming and bureaucratic – as we know there are always a handful of parents where it seems impossible to get a response. They made it clear that some schools were seeking consent for things where this is simply not required – parents don’t have an option!

In practice the ICO presenter seemed to be saying that almost everything we do in schools will fall under categories where we must comply with an existing ‘legal obligation’ such as collecting attendance data or teaching the National Curriculum, as well as to ‘ensure the vital interests of the individual’ such as for safeguarding purposes.

We have come to the conclusion that the only thing where we will be actively seeking consent for GDPR purposes at Chase Bridge will be for the use of photos and video that we use in school documents, displays and on-line.

The ICO also said that when consent is being asked for the reasons must be put in a way that can be clearly understood and comprehensible – they have seen some letters going out that are written in two pages of legal-ese which is not only unhelpful but not in the spirit of how GDPR should be applied.

Permission for trips and visits doesn’t seem to us to be a GDPR issue as such. We will continue to seek permission but this will be assumed unless we are told otherwise by the parents. We will let parents know about visits and what is happening (and obviously include details such as times, dates, places, information about lunches, coats, all the usual …) but not be seeking their consent for every occasion.

If you are interested in looking at the draft letter we have produced for parents please feel free to download from here.

Hope it’s useful.

Perhaps the title for this post attracted your attention and induced panic … or perhaps, probably like me, you have been bombarded with so many emails/spam/adverts that you have become inured to these messages and, with a momentarily and mildly irritated mental shrug of the shoulders, you press delete and into the trash it goes. Nevertheless, with the GDPR deadline round the corner you would probably be unusual if there wasn’t a tiny element of subliminal anxiety induced by these offers of advice, warnings, help and services that will solve all your data processing problems … for a price!

I would  like to re-iterate again, we are no experts in the field and these are our own stumblings towards finding a solution to the GDPR challenges at our school, so I’m issuing another disclaimer here (please seek legal advice, etc) but nevertheless I don’t see any need for panic as we move towards the deadline even though I’m not sure we’ll have absolutely everything in place by the 25^th. I say this as I was re-assured by a joint presentation from the ICO and DfE that I attended a recently. The first slide flashed up ‘GDPR WILL LEAD TO HUGE FINES’ which was then labelled by the ICO presenter and Senior Policy Officer, Victoria Cetinkaya, as ‘Fake News’. The general gist of what I took from what she said was that the most important thing was for schools to be addressing the legal changes, trying to work towards the new requirements and within the spirit of the law. The ICO will not be pro-actively hunting down schools to fine them and Victoria said the most likely worst case scenario would be if there was a complaint to them, from a parent for example, which they would then investigate and if there was a problem the ICO would make suggestions for changes in practice to the school.

It’s great that the DfE and ICO are working together on providing advice and guidance. There is now a plethora of GDPR toolkits out there, but nevertheless if you haven’t seen it, it is definitely worth a look. The advice given certainly now feels more relevant to the education sector – it’s just a shame it’s come along so late in the day (DfE published this on-line on 23^rd April)! We have decided to mainly adapt their template documents as they seem the most straightforward for us to use. However, our schools come in many different shapes and sizes and it is clear to me that we are all likely to adopt slightly different practices that will meet the new requirements depending on various circumstances.

The link to the ICO education/GDPR site can be found here and click here for the the DfE GDPR toolkit.