#5 DfE, GDPR & DPOs

Now we’ve uploaded a few posts we’ve developed a little cabin fever: we are playing a game with each other to see if we can create sentences that are filled entirely with acronyms and abbreviations. Yes, GDPR has driven us to that, hence the heading for this post.

The DfE post is definitely worth viewing as either an introduction to GDPR (perhaps with a group of relevant staff or governors) or even if you have some understanding of the issues. What’s helpful is that it does give a more school-based slant on regulations, but it still smacks a bit of someone that doesn’t actually work in a school and for someone that works at … errr … the DfE. Nevertheless, it is good at outlining the breadth of things that need to be considered in the school and key questions that need to be considered.

The video covers the DPO issue at the end, which we have addressed in previous posts, and potential conflicts of interest that could arise. For us, we still think we can solve this through re-aligning responsibilities within the team and the use of a linked governor. We are of the view that some of the suggestions mentioned are unnecessarily elaborate and in some cases might result in additional expenditure which, in the current climate, few of us can afford!

Very excitingly the DfE are promising us an episode 2 – I wonder if Netflix have bought up the rights yet?

Happy viewing!

#4 DPO: ‘conflict of interest’, debates and decision?!

We’ve had lots more thoughts on the DPO role over the last couple of days – we never thought we could become so interested in something so obscure!

The two documents from ICO and LGfL were indeed helpful and we think we have found a way forward that works for Chase Bridge.

To summarise, the DPO’s minimum tasks are:

  • To inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws.
  • To monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advise on data protection impact assessments; train staff and conduct internal audits.
  • To be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc).

You must ensure that:

  • The DPO reports to the highest management level of your organisation – i.e. board level.
  • The DPO operates independently and is not dismissed or penalised for performing their task.
  • Adequate resources are provided to enable DPOs to meet their GDPR obligations.

In the Chase Bridge context we have decided we will be tagging these operational responsibilities to the SBM role and our governor will be involved in monitoring compliance with GDPR and reporting on this to the GB. But … we began to see that there could be a conflict of interest (the LGfL document is particularly helpful with this). But we think the conflict of interest can be avoided.

So, assuming the officially named DPO is the SBM, the issue with the conflict centres round the DPO also being in the position to decide ‘what personal data to collect, why and how as part of their core role.’ This element can be part of the DPO link governor’s remit as part of the policy in the school. This wouldn’t be a hands-on operational matter that the governor or governing body would be involved with – they are making the decision about the scope of what data to collect and the reasoning why. Governors also have the statutory powers already to enforce this. The practical ‘how this is done’ could be decided upon by the headteacher with the SBM/school employee to get on with the operational role of making it all happen. The crucial thing is that the employee is not making the decision about what data and how and why that data is collected.

We think this is all about carefully outlining what is in the employee’s JD and the GB (and the named DPO/GDPR linked governor) being clear about their responsibilities which would be defined within the school’s policy. Given the school context with implementing GDPR; trying to keep things as simple as possible; manageable; building on existing school structures and eliminating additional costs of possibly employing someone to do the job (which we are sure many large organisations might do); our view is that this is a reasonable, manageable and proportionate way forward for schools and ideally what we would like to pursue at Chase Bridge.

How are you approaching the DPO role? We would love to hear your views.

#3 DPO dilemmas

We had our update meeting this morning and covered a wide range of topics and one thing that has become clear to us is that there isn’t going to be a ‘one size fits all’ solution for all schools. We think it’s pretty clear now that there could be a number of options for us and everyone else that will depend on size of school, existing practice, expertise, governance … etc.

One conclusion we have come to is that as a general principle our approach should be to make use of our existing systems, build on them and adapt where possible rather than do something radically different and unwieldy – unless we have to!

We still need to find out more about the DPO role: our preference is to make it part of governance at Chase Bridge, but we have heard some opinion that it shouldn’t be part of their role. One of the reasons given is that the DPO function is best not undertaken as part of a voluntary role – nevertheless, governors already have considerable statutory responsibility and can, for example, hire and fire headteachers. Something we need to explore in greater depth. Other DPO options we have thought about are making it part of an existing employee’s job description (SBM?) or appointing someone specifically to carry out this task – perhaps jointly commissioned with other schools. Another thought would be to have a reciprocal arrangement with another school where an employee at Chase Bridge would be the DPO for them and vice-versa – but we saw some problems with this and discounted it. For example, what would happen if our school was fine and GDPR was all sorted but the school with the reciprocal arrangement had problems. This could result in an imbalance of work. To make a decision we have decided we need to be clearer about the skills/knowledge needed by the DPO and the actual job that needs to be done – almost a person spec. and job description. We have found this document on the ICO website that is next on the to-do list to explore. And, stop press, the LGfL document about DPO FAQs for schools is very helpful too.