Now we understand what a Subject Access Request is we started to think about aspects of our audit and the sensitive child protection information we hold – will GDPR result in conflict between the right of access to information and safeguarding practice? Parents can request to see CP information held on their child, but, as safeguarding guru Andrew Hall points out (really worth looking up his website for all things CP www.safeguardinginschools.co.uk/andrew-hall/ ) there shouldn’t be any need to change existing practice about decisions to refuse access to parents where there are safeguarding concerns if it might result in putting a child at risk. He helpfully points us to page 11 of the Information sharing advice for safeguarding practitioners (DfE, 2015) for further information.
Author Archives: wpadmin
#7 Subject Access Request – what’s that then?
Just a short post today, but hopefully a useful one to help get to grips with some of the jargon. We keep reading this phrase in a variety of documents about GDPR – and it’s never explained! Anyway, this is what it is …
Individuals have a right to get a copy of the information that is held about them. This is known as a subject access request. This right of subject access means that you can make a request under the Data Protection Act to any organisation processing your personal data. So, now you know!
For more detailed information on Subject Access Requests the ICO (Information Commissioner’s Office) click on this link to their site.
#6 Why an information audit is necessary
Carrying out an information audit is a good way to start the GDPR process. The audit helped us to identify what personal data we hold, where it came from and why we hold it. It also highlighted if we had the individual’s explicit consent to hold and share their information which is one of the key areas within GDPR.
There are many information audit templates available from the internet but our version has been tailored to operations here at Chase Bridge. We hope you will find it useful.
#5 DfE, GDPR & DPOs
Now we’ve uploaded a few posts we’ve developed a little cabin fever: we are playing a game with each other to see if we can create sentences that are filled entirely with acronyms and abbreviations. Yes, GDPR has driven us to that, hence the heading for this post.
The DfE post is definitely worth viewing as either an introduction to GDPR (perhaps with a group of relevant staff or governors) or even if you have some understanding of the issues. What’s helpful is that it does give a more school based slant on regulations, but it still smacks a bit of someone that doesn’t actually work in a school and for someone that works at … errr … the DfE. Nevertheless, it is good at outlining the breadth of things that need to be considered in the school and key questions that need to be considered.
The video covers the DPO issue at the end, which we have addressed in previous posts, and potential conflicts of interest that could arise. For us, we still think we can solve this through re-aligning responsibilities within the team and the use of a linked governor. We are of the view that some of the suggestions mentioned are unnecessarily elaborate and in some cases might result in additional expenditure which, in the current climate, few of us can afford!
Very excitingly the DfE are promising us an episode 2 – I wonder if Netflix have bought up the rights yet?
Happy viewing!
#4 DPO: ‘conflict of interest’, debates and decision?!
We’ve had lots more thoughts on the DPO role over the last couple of days – we never thought we could become so interested in something so obscure!
The two documents from ICO and LGfL were indeed helpful and we think we have found a way forward that works for Chase Bridge.
To summarise the DPO’s minimum tasks are:
- To inform and advise the organisationand its employees about their obligations to comply with the GDPR and other data protection laws.
- To monitor compliancewith the GDPR and other data protection laws, including managing internal data protection activities, advise on data protection impact assessments; train staff and conduct internal audits.
- To be the first point of contactfor supervisory authorities and for individuals whose data is processed (employees, customers etc).
You must ensure that:
- The DPO reports to the highest management levelof your organisation – i.e. board level.
- The DPO operates independentlyand is not dismissed or penalised for performing their task.
- Adequate resources are provided to enable DPOs to meet their GDPR obligations.
In the Chase Bridge context we have decided we will be tagging these operational responsibilities to the SBM role and our governor will be involved in monitoring compliance with GDPR and reporting on this to the GB. But … we began to see that there could be a conflict of interest (the LGfL document is particularly helpful with this). But we think the conflict of interest can be avoided.
So, assuming the officially named DPO is the SBM. The issue with the conflict centres round the DPO also being in the position to decide ‘what personal data to collect, why and how as part of their core role.’ This element can be part of the DPO link governor’s remit as part of the policy in the school. This wouldn’t be a hands-on operational matter that the governor or governing body would be involved with – they are making the decision about the scope of what data to collect and the reasoning why. Governors also have the statutory powers already to enforce this. The practical ‘how this is done’ could be decided upon by the headteacher with the SBM/school employee to get on with the operational role of making it all happen. The crucial thing is that the employee is not making the decision about what data and how and why that data is collected.
We think this is all about carefully outlining what is in the employee’s JD and the GB (and the named DPO/GDPR linked governor) being clear about their responsibilities which would be defined within the school’s policy. Given the school context with implementing GDPR; trying to keep things as simple as possible; manageable; building on existing school structures and eliminating additional costs of possibly employing someone to do the job (which we are sure many large organisations might do); our view is that this is a reasonable, manageable and proportionate way forward for schools and ideally what we would like to pursue at Chase Bridge.
How are you approaching the DPO role? We would love to hear your views.
#3 DPO dilemmas
We had our update meeting this morning and covered a wide range of topics and one thing that has become clear to us is that there isn’t going to be a ‘one size fits all’ solution for all schools. We think it’s pretty clear now that there could be a number of options for us and everyone else that will depend on size of school, existing practice, expertise, governance … etc.
One conclusion we have come to is that as a general principle our approach should be to make use of our existing systems, build on them and adapt where possible rather than do something radically different and unwieldy – unless we have to!
We still need to find out more about the DPO role: our preference is to make it part of governance at Chase Bridge, but we have heard some opinion that it shouldn’t be part of their role. One of the reasons given is that the DPO function is best not undertaken as part of a voluntary role – nevertheless, governors already have considerable statutory responsibility and can, for example, hire and fire headteachers. Something we need to explore in greater depth. Other DPO options we have thought about are making it part of an existing employee’s job description (SBM?) or appointing someone specifically to carry out this task – perhaps jointly commissioned with other schools. Another thought would be to have a reciprocal arrangement with another school where an employee at Chase Bridge would be the DPO for them and vice-versa – but we saw some problems with this and discounted it. For example, what would happen if our school was fine and GDPR was all sorted but the school with the reciprocal arrangement had problems. This could result in an imbalance of work. To make a decision we have decided we need to be clearer about the skills/knowledge needed by the DPO and the actual job that needs to be done – almost a person spec. and job description. We have found this document on the ICO website that is next on the to-do list to explore. And, stop press, the LGfL document about DPO FAQs for schools is very helpful too.
#2 Next step
Watching the GDPR video together was helpful as it helped clarify some of the key jobs to do and questions that needed to be considered.
The first few actions were to download a model policy (we looked at one from the NAHT and from The Key):
- Start to put together an internal asset audit
- Download some model privacy notices.
We also started to note down some of the questions we had that needed some more thought and might need to be taken to governors or discussed more widely with staff. The first things that occurred to us were:
- Who would be the most appropriate person to be the Data Protection Officer? A senior member of staff, SBM, governor, someone external to the school?
- How to we make sure that all parents are giving informed consent? At present our standard ‘permissions’ letter going out at the start of each year to parents operates as a negative preference i.e. a parent needs to deliberately opt out otherwise consent is assumed.
#1 Are we GDPR ready?
To be honest until recently I wouldn’t have even been able to tell you what the letters stood for let alone what I should be doing about it. But as time has rolled on and I have received yet more unsolicited emails about the General Data Protection Regulation (yes, that’s what it is) the well of anxiety has now reached the level where I thought we should do something.
But, this week is different. I found the easy way in and watched Peter Cowley’s video. This is a good starting place and I recommend you watch it together with a couple of key staff who will help you to take it forward. In my case this is Lisa, a key member of the admin team and Mei-Ling, our IT teaching assistant (who has excellent project management skills from a previous life!).
We will be keeping a diary over the next few weeks of how we get on with tackling GDPR and hopefully, by the end of the process, create something that is statutorily compliant and manageable. We will also share the documents we create as well as the questions we need to tackle whilst taking this very broad piece of legislation and making it relevant to our school – a three form entry primary in Twickenham.
We hope you find it helpful.
Andrew King – Headteacher