#14 Don’t Leave

Like everyone else we’ve been bombarded with requests to stay signed up for various services in the run-up to the brave new world of GDPR, tomorrow 25th May – most of which I wasn’t even aware of! We have taken great pleasure in deleting most of them (although I must admit I still retained the Pizza Express link – one of my weaknesses).

We have been debating the best way of getting parents to give their consent and have explored some on-line services that cost (not keen) and then the simple paper and pencil alternative, but we don’t like having to spend money unnecessarily and the paper option is a bit of a nightmare bureaucratically.

We have been exploring Google Forms as an alternative and we think this should do the job for us well. If you don’t know this useful tool, have a look https://www.google.co.uk/forms/about/

As promised our Data Protection Policy and Privacy notices are on our website if you would like to have a look.

Andrew King

#13 GDPR Nirvana – goal or process?!

We’ve nearly got the final drafts of our GDPR policy and privacy notices ready to go (we will share them with you for download next week) and I think we will be compliant! Nevertheless, as we have gone through the process it has quite helpfully sparked other ideas, that won’t necessarily make us any more compliant but will help make our organisation and processing of data a little better. Here’s a couple we will be pursuing over the next year …

Governors’ emails – I’m sure this is something many of you do already and we are behind the times but in the future we are thinking of issuing a school governor email address upon appointment which is then easy for us to manage and remove when they have finished their term of office.

Overhaul of our website – our website isn’t too bad (but please be the judge of that yourself and have a look! http://www.chasebridge.richmond.sch.uk/ ) however, it has grown organically over the years and needs a serious tidy up to make sure that key information is more obviously and easily accessible – including our privacy notice when we finally post it. We are also investigating logins for parents so that they will be able to see much of the information that we hold on families and their children, for example, attendance, assessments, contact details so that they can edit where appropriate.

And now our grand philosophical thought for the day … it’s become clear to us that the whole GDPR thing isn’t so much about the goal of getting to 25th May and being compliant or not compliant, it will be an on-going process where we continue to refine and improve our systems and organisation – pretty much like everything else really!

#12 Is it Legal?

Another part of the ICO/DfE presentation that we thought was particularly useful was the ‘legal basis’ on which we process personal data. We’ve been concerned we’d need to actively seek consent for just about everything from parents which could be hugely time consuming and bureaucratic – as we know there are always a handful of parents where it seems impossible to get a response. They made it clear that some schools were seeking consent for things where this is simply not required – parents don’t have an option!

In practice the ICO presenter seemed to be saying that almost everything we do in schools will fall under categories where we must comply with an existing ‘legal obligation’ such as collecting attendance data or teaching the National Curriculum, as well as to ‘ensure the vital interests of the individual’ such as for safeguarding purposes.

We have come to the conclusion that the only thing where we will be actively seeking consent for GDPR purposes at Chase Bridge will be for the use of photos and video that we use in school documents, displays and on-line.

The ICO also said that when consent is being asked for the reasons must be put in a way that can be clearly understood and comprehensible – they have seen some letters going out that are written in two pages of legal-ese which is not only unhelpful but not in the spirit of how GDPR should be applied.

Permission for trips and visits doesn’t seem to us to be a GDPR issue as such. We will continue to seek permission but this will be assumed unless we are told otherwise by the parents. We will let parents know about visits and what is happening (and obviously include details such as times, dates, places, information about lunches, coats, all the usual …) but not be seeking their consent for every occasion.

If you are interested in looking at the draft letter we have produced for parents please feel free to download from here.

Hope it’s useful.

#11 URGENT! FINES! DEADLINES! 25th May!!

Perhaps the title for this post attracted your attention and induced panic … or perhaps, probably like me, you have been bombarded with so many emails/spam/adverts that you have become inured to these messages and, with a momentarily and mildly irritated mental shrug of the shoulders, you press delete and into the trash it goes. Nevertheless, with the GDPR deadline round the corner you would probably be unusual if there wasn’t a tiny element of subliminal anxiety induced by these offers of advice, warnings, help and services that will solve all your data processing problems … for a price!

I would like to re-iterate again, we are no experts in the field and these are our own stumblings towards finding a solution to the GDPR challenges at our school, so I’m issuing another disclaimer here (please seek legal advice, etc) but nevertheless I don’t see any need for panic as we move towards the deadline even though I’m not sure we’ll have absolutely everything in place by the 25th. I say this as I was re-assured by a joint presentation from the ICO and DfE that I attended recently. The first slide flashed up ‘GDPR WILL LEAD TO HUGE FINES’ which was then labelled by the ICO presenter and Senior Policy Officer, Victoria Cetinkaya, as ‘Fake News’. The general gist of what I took from what she said was that the most important thing was for schools to be addressing the legal changes, trying to work towards the new requirements and within the spirit of the law. The ICO will not be pro-actively hunting down schools to fine them and Victoria said the most likely worst case scenario would be if there was a complaint to them, from a parent for example, which they would then investigate and if there was a problem the ICO would make suggestions for changes in practice to the school.

It’s great that the DfE and ICO are working together on providing advice and guidance. There is now a plethora of GDPR toolkits out there, but nevertheless if you haven’t seen it, it is definitely worth a look. The advice given certainly now feels more relevant to the education sector – it’s just a shame it’s come along so late in the day (DfE published this on-line on 23rd April)! We have decided to mainly adapt their template documents as they seem the most straightforward for us to use. However, our schools come in many different shapes and sizes and it is clear to me that we are all likely to adopt slightly different practices that will meet the new requirements depending on various circumstances.

The link to the ICO education/GDPR site can be found here and click here for the DfE GDPR toolkit.

#10 Staff Training and ‘Pseudonymisation’

If nothing else GDPR is helping to broaden my vocabulary – and now I’ve learnt what ‘pseudonymisation’ is I wish I’d included it in our staff training!

Backtracking a little, our previous post was about staff training. We completed this at the start of term and have, of course, kept a register to make sure we have covered all staff. I’m pleased to say it was all quite straightforward and nothing came up that caused any surprises although there was some interesting discussion about what constitutes a data breach.

Going through the presentation made me realise how many parallels there are with how we treat staff training for safeguarding, which always concludes here at Chase Bridge with ‘if in doubt record it and report it’. The same can be said in some respects with reporting any data breaches: ‘if in doubt, report it’. The other parallel being with the role of the DPO and Designated Safeguarding Officer – it’s important everyone in the organisation knows who this is and what they do.

One aspect we missed out of the training was ‘pseudonymisation’. There are some technical definitions to this but simply it is where partial information is shared about individuals or groups. Schools and education services are used to doing this already, sometimes just giving a child’s initials in an email or leaving out other personal identifiers such as date of birth. ‘Anonymisation’ would mean that the recipient cannot find out who the message is referring to whereas ‘pseudonymisation’ means that the receiver can identify the person in question. This is something I will be encouraging all staff to do in future (although most understand this already) – in most communications it is not necessary to give all identifying information and doing so could increase the risk.

A. King

#9 GDPR Staff Training

Our GDPR to-do list has Staff Training. With the summer INSET day programme on our first day back we thought this would be a good opportunity to brief all staff on their responsibilities.
Having given it a little thought we have come to the conclusion that for the vast majority of teachers and teaching assistants the training doesn’t need to be over-elaborate. Obviously senior staff and relevant governor(s) will need different, more specific training linked to their roles. We have timed it to about 10 minutes. It is going to cover the following:
  • What GDPR is and a little bit of the context – we’re going to use a couple of minutes from the DfE video (but no more!)
  • In summary help staff to understand the responsibilities of the school leaders – governors, headteacher, the DPO – and the obligation to provide staff training
  • What GDPR means for all staff – when it comes to reporting a breach the message will be: if in doubt, report it
  • Finally a review of the key messages
  • … and that’s it!
At Chase Bridge all key policies and procedures go into our school handbook, which forms part of our induction procedure for all new staff and is published annually with updates on our school website, so the GDPR policy and protocols will eventually find their way into that document. All staff are reminded of its contents annually and receive updates on any additions or amendments.
The PowerPoint being used on our INSET day is available here for download – hope you find it helpful.
Happy training!