We had our update meeting this morning and covered a wide range of topics and one thing that has become clear to us is that there isn’t going to be a ‘one size fits all’ solution for all schools. We think it’s pretty clear now that there could be a number of options for us and everyone else that will depend on size of school, existing practice, expertise, governance … etc.
One conclusion we have come to is that as a general principle our approach should be to make use of our existing systems, build on them and adapt where possible rather than do something radically different and unwieldy – unless we have to!
We still need to find out more about the DPO role: our preference is to make it part of governance at Chase Bridge, but we have heard some opinion that it shouldn’t be part of their role. One of the reasons given is that the DPO function is best not undertaken as part of a voluntary role – nevertheless, governors already have considerable statutory responsibility and can, for example, hire and fire headteachers. Something we need to explore in greater depth. Other DPO options we have thought about are making it part of an existing employee’s job description (SBM?) or appointing someone specifically to carry out this task – perhaps jointly commissioned with other schools. Another thought would be to have a reciprocal arrangement with another school where an employee at Chase Bridge would be the DPO for them and vice-versa – but we saw some problems with this and discounted it. For example, what would happen if our school was fine and GDPR was all sorted but the school with the reciprocal arrangement had problems. This could result in an imbalance of work. To make a decision we have decided we need to be clearer about the skills/knowledge needed by the DPO and the actual job that needs to be done – almost a person spec. and job description. We have found this document on the ICO website that is next on the to-do list to explore. And, stop press, the LGfL document about DPO FAQs for schools is very helpful too.