#18 GDPR – Over and Out

All the excitement (if that’s the right word) about GDPR seems to have moved on now, so we thought it was time to conclude our blog and reflect a little on what we have put in place, what we might do differently and what we still want/need to do (as GDPR certainly hasn’t gone away!).

Well, the world hasn’t collapsed following the introduction of GDPR and I’m not aware of any school prosecutions yet, in spite of all the warnings and horror stories from companies trying to get our business. Overall, from our perspective, apart from taking up some time it feels as though the process that we went through has been a good thing: we have tightened up our practice; put training in place for everyone so there are clearer expectations of staff; given more thought to what and where our sensitive data goes to, how it is processed and who it is shared with.

On reflection we’re not sure what we would do differently and this isn’t because we think we’re perfect, but we have stumbled our way through the issues and nobody has said we’re doing anything wrong and there aren’t any prosecutions pending! I know I’m pleased that we didn’t shell out lots of money to a third party to ‘do’ GDPR for us, although I know some headteachers have told us they felt it was money well spent. Having our school business manager as the DPO seems to work as there is appropriate separation given the role of our governors with oversight.

So, we seem to have things in place now: policy, privacy notice, training, roles. But we still think there is more we can do: constant vigilance and monitoring of practice is one as well as building training into our induction programme and regular annual updates. We are also continuing to pursue the idea of a significant overhaul of our website to allow greater interactivity for parents with personalised accounts so they can update their personal details as well as access assessment and attendance information.

Anyway, this is us signing off! We hope you have found our ‘warts and all’ blog helpful.

#17 Data Breach?!

We had an ‘incident’! OK, here’s the story …

In July we hold Meet the Teacher meetings for parents to meet the new staff team and hear about the next academic year. One of our staff was holding a class list of first names, some of them asterisked (although there was no key showing what the asterisk meant). A parent managed to take a photo of it with their smartphone and then posted it on social media, a bit like when photographers have managed to take sneaky photos of team lists being held by football managers. A parent then let us know this had happened, so we needed to make a few decisions.

Was this a data breach? Yes.

Did we feel it was serious enough to be reportable to the ICO? No. (A personal data breach has to be notified to the ICO within 72 hours unless it is unlikely to result in a risk to the people concerned; whether or not it is reported, the breach and the reasoning behind the decision still have to be recorded.)

What other action should we take if any? We decided to write a general letter to parents making them aware of the matter. The incident was also shared with the governing body.

Well, that was exciting! Because of GDPR at least we now have protocols for us to refer to when an incident like this occurs.

#16 Chase Bridge Home/School Agreement

Although there is no longer a statutory requirement for a home/school agreement, we still maintain ours at Chase Bridge. We think it’s a good way of reminding ourselves of our shared values and the ways that different sections of the school community work together, as well as of inducting new staff and families.

So, why is a home/school agreement part of a GDPR blog?!  Our document has been updated to include reference to data, privacy, sharing of information – all the GDPR things that we have been trying to address – for parents, staff, children and governors. It is just a way we have found of systematising and communicating our practice, trying to ensure universal coverage where no one gets missed out. Hope you find it useful.

#10 Staff Training and ‘Pseudonymisation’

If nothing else GDPR is helping to broaden my vocabulary – and now I’ve learnt what ‘pseudonymisation’ is I wish I’d included it in our staff training!

Backtracking a little, our previous post was about staff training. We completed this at the start of term and have, of course, kept a register to make sure we have covered all staff. I’m pleased to say it was all quite straightforward and nothing came up that caused any surprises, although there was some interesting discussion about what constitutes a data breach.

Going through the presentation made me realise how many parallels there are with how we treat staff training for safeguarding, which always concludes here at Chase Bridge with ‘if in doubt record it and report it’. The same can be said in some respects with reporting any data breaches: ‘if in doubt, report it’. The other parallel being with the role of the DPO and Designated Safeguarding Officer – it’s important everyone in the organisation knows who this is and what they do.

One aspect we missed out of the training was ‘pseudonymisation’. There are technical definitions, but in short it means replacing the direct identifiers in a record (full name, date of birth, address) with something that cannot be attributed to a person without additional information that is kept separately, such as a pupil number, a code, or simply the child’s initials. Schools and education services are used to doing this already, sometimes just giving a child’s initials in an email or leaving out other personal identifiers such as date of birth. ‘Anonymisation’ would mean that nobody, the school included, could work out who the message is referring to, whereas with ‘pseudonymisation’ the person in question can still be identified by whoever holds the key (the class list, the pupil number lookup), so pseudonymised data is still personal data and still needs protecting; initials in a class of thirty are a weak pseudonym, because they collide and are easy to guess. This is something I will be encouraging all staff to do in future (although most understand this already): in most communications it is not necessary to give all identifying information, and doing so increases the risk if the message goes astray.

A. King
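
The following is an added example written for this page to illustrate the distinction above; it is not code from the original post or from any school system. It assumes the school holds a pupil number for each child and keeps a secret key separately from anything it sends out; the names, pupil numbers and flag column are constructed sample data, and the HMAC-based token scheme is one reasonable way to pseudonymise, not a method the post describes.

```python
"""Pseudonymising a class list before it is shared (added example, constructed data)."""
import hashlib
import hmac
import secrets

# Constructed sample data: a class list with a flag column, plus the direct
# identifiers (pupil number, name, date of birth) we do not want to send out.
CLASS_LIST = [
    {"pupil_no": "P001", "name": "Amelia Khan", "dob": "2012-03-14", "flag": "*"},
    {"pupil_no": "P002", "name": "Ben Osei", "dob": "2011-11-02", "flag": ""},
    {"pupil_no": "P003", "name": "Chloe Wright", "dob": "2012-06-30", "flag": "*"},
    {"pupil_no": "P004", "name": "Charlie Wong", "dob": "2012-01-19", "flag": ""},
]

DIRECT_IDENTIFIERS = ("pupil_no", "name", "dob")


def pseudonym(pupil_no: str, key: bytes) -> str:
    """Keyed pseudonym for one pupil: HMAC-SHA256 over the pupil number.

    The key is the 'additional information kept separately': without it the
    token cannot be turned back into a pupil; with it the school can recompute
    the token for every pupil and see who it belongs to.
    """
    return hmac.new(key, pupil_no.encode(), hashlib.sha256).hexdigest()[:12]


def pseudonymise(records, key: bytes):
    """Copy of the records fit to send out: direct identifiers dropped,
    pupil number replaced by a keyed token, the other columns kept."""
    out = []
    for r in records:
        row = {k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}
        row["token"] = pseudonym(r["pupil_no"], key)
        out.append(row)
    return out


def reidentify(token: str, records, key: bytes):
    """What the key holder can do and the recipient cannot: recompute each
    pupil's token and match it against the one in the shared file."""
    for r in records:
        if hmac.compare_digest(pseudonym(r["pupil_no"], key), token):
            return r
    return None


def anonymise(records):
    """Contrast case: an aggregate that nobody, key or not, can link back to
    a pupil. Here, just the number of flagged pupils out of the class."""
    return {"flagged": sum(1 for r in records if r["flag"]), "total": len(records)}


def initials_pseudonyms(records):
    """The 'just use initials' habit, to show why it is a weak pseudonym:
    initials collide, and in a small class they are easy to guess."""
    tokens = ["".join(part[0] for part in r["name"].split()) for r in records]
    return tokens, len(tokens) - len(set(tokens))


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # held by the school, never sent with the data
    shared = pseudonymise(CLASS_LIST, key)
    print("what the recipient sees:", shared)
    print("key holder re-identifies row 0:", reidentify(shared[0]["token"], CLASS_LIST, key)["name"])
    print("with the wrong key:", reidentify(shared[0]["token"], CLASS_LIST, secrets.token_bytes(32)))
    print("anonymised aggregate:", anonymise(CLASS_LIST))
    print("initials and collisions:", initials_pseudonyms(CLASS_LIST))
```

Two design points worth noting: a fresh key per release means tokens from different sharing exercises cannot be joined up by the recipient, and the pseudonymised file is still personal data in the school’s hands, so it should be stored and sent with the same care as the class list it came from.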

#9 GDPR Staff Training

Our GDPR to-do list has Staff Training. With the summer INSET day programme on our first day back we thought this would be a good opportunity to brief all staff on their responsibilities.
Having given it a little thought we have come to the conclusion that for the vast majority of teachers and teaching assistants the training doesn’t need to be over-elaborate. Obviously senior staff and relevant governor(s) will need different more specific training linked to their roles. We have timed it to about 10 minutes. It is going to cover the following:
  • What GDPR is and a little bit of the context – we’re going to use a couple of minutes from the DfE video (but no more!)
  • In summary help staff to understand the responsibilities of the school leaders – governors, headteacher, the DPO – and the obligation to provide staff training
  • What GDPR means for all staff – when it comes to reporting a breach the message will be: if in doubt, report it
  • Finally a review of the key messages
  • … and that’s it!
At Chase Bridge all key policies and procedures go into our school handbook, which forms part of our induction procedure for all new staff and is published annually with updates on our school website, so the GDPR policy and protocols will eventually find their way into that document. All staff are reminded of its contents annually and receive updates on any additions or amendments.
The PowerPoint being used on our INSET day is available here for download – hope you find it helpful.
Happy training! 

#8 Safeguarding vs access to information

Now that we understand what a Subject Access Request is, we have started to think about aspects of our audit and the sensitive child protection information we hold – will GDPR result in conflict between the right of access to information and safeguarding practice? Parents can request to see CP information held on their child, but, as safeguarding guru Andrew Hall points out (really worth looking up his website for all things CP: www.safeguardinginschools.co.uk/andrew-hall/ ), there shouldn’t be any need to change existing practice about decisions to refuse access to parents where there are safeguarding concerns, if granting it might result in putting a child at risk. He helpfully points us to page 11 of the Information sharing advice for safeguarding practitioners (DfE, 2015) for further information.

#6 Why an information audit is necessary

Carrying out an information audit is a good way to start the GDPR process.  The audit helped us to identify what personal data we hold, where it came from and why we hold it.  It also highlighted whether we had the individual’s explicit consent to hold and share their information, although consent is only one of the lawful bases under GDPR, and for much of a school’s core processing (public task, legal obligation) it is not the right one, so the audit should record which basis applies to each item rather than assuming consent is needed everywhere.

There are many information audit templates available from the internet but our version has been tailored to operations here at Chase Bridge.  We hope you will find it useful.

#5 DfE, GDPR & DPOs

Now we’ve uploaded a few posts we’ve developed a little cabin fever: we are playing a game with each other to see if we can create sentences that are filled entirely with acronyms and abbreviations. Yes, GDPR has driven us to that, hence the heading for this post.

The DfE video is definitely worth viewing, either as an introduction to GDPR (perhaps with a group of relevant staff or governors) or even if you already have some understanding of the issues. What’s helpful is that it gives a more school-based slant on the regulations, but it still smacks a bit of someone who doesn’t actually work in a school, as you might expect from someone who works at … errr … the DfE. Nevertheless, it is good at outlining the breadth of things that need to be considered in the school and the key questions that need to be asked.

The video covers the DPO issue at the end, which we have addressed in previous posts, and potential conflicts of interest that could arise. For us, we still think we can solve this through re-aligning responsibilities within the team and the use of a linked governor. We are of the view that some of the suggestions mentioned are unnecessarily elaborate and in some cases might result in additional expenditure which, in the current climate, few of us can afford!

Very excitingly the DfE are promising us an episode 2 – I wonder if Netflix have bought up the rights yet?

Happy viewing!

#4 DPO: ‘conflict of interest’, debates and decision?!

We’ve had lots more thoughts on the DPO role over the last couple of days – we never thought we could become so interested in something so obscure!

The two documents from ICO and LGfL were indeed helpful and we think we have found a way forward that works for Chase Bridge.

To summarise the DPO’s minimum tasks are:

  • To inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws.
  • To monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advise on data protection impact assessments; train staff and conduct internal audits.
  • To be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc).

You must ensure that:

  • The DPO reports to the highest management level of your organisation – i.e. board level.
  • The DPO operates independently and is not dismissed or penalised for performing their task.
  • Adequate resources are provided to enable DPOs to meet their GDPR obligations.

In the Chase Bridge context we have decided we will be tagging these operational responsibilities to the SBM role and our governor will be involved in monitoring compliance with GDPR and reporting on this to the GB. But … we began to see that there could be a conflict of interest (the LGfL document is particularly helpful with this). But we think the conflict of interest can be avoided.

So, assuming the officially named DPO is the SBM, the conflict centres round the DPO also being in the position to decide ‘what personal data to collect, why and how as part of their core role.’ This element can be part of the DPO link governor’s remit as part of the policy in the school. This wouldn’t be a hands-on operational matter that the governor or governing body would be involved with – they are making the decision about the scope of what data to collect and the reasoning why. Governors also already have the statutory powers to enforce this. The practical ‘how this is done’ could be decided upon by the headteacher, with the SBM/school employee getting on with the operational role of making it all happen. The crucial thing is that the employee is not making the decision about what data is collected and how and why.

We think this is all about carefully outlining what is in the employee’s JD and the GB (and the named DPO/GDPR linked governor) being clear about their responsibilities which would be defined within the school’s policy. Given the school context with implementing GDPR; trying to keep things as simple as possible; manageable; building on existing school structures and eliminating additional costs of possibly employing someone to do the job (which we are sure many large organisations might do); our view is that this is a reasonable, manageable and proportionate way forward for schools and ideally what we would like to pursue at Chase Bridge.

How are you approaching the DPO role? We would love to hear your views.

#3 DPO dilemmas

We had our update meeting this morning and covered a wide range of topics and one thing that has become clear to us is that there isn’t going to be a ‘one size fits all’ solution for all schools. We think it’s pretty clear now that there could be a number of options for us and everyone else that will depend on size of school, existing practice, expertise, governance … etc.

One conclusion we have come to is that as a general principle our approach should be to make use of our existing systems, build on them and adapt where possible rather than do something radically different and unwieldy – unless we have to!

We still need to find out more about the DPO role: our preference is to make it part of governance at Chase Bridge, but we have heard some opinion that it shouldn’t be part of their role. One of the reasons given is that the DPO function is best not undertaken as part of a voluntary role – nevertheless, governors already have considerable statutory responsibility and can, for example, hire and fire headteachers. Something we need to explore in greater depth.

Other DPO options we have thought about are making it part of an existing employee’s job description (SBM?) or appointing someone specifically to carry out this task – perhaps jointly commissioned with other schools. Another thought would be to have a reciprocal arrangement with another school, where an employee at Chase Bridge would be the DPO for them and vice versa – but we saw some problems with this and discounted it. For example, what would happen if our school was fine and GDPR was all sorted but the school with the reciprocal arrangement had problems? This could result in an imbalance of work.

To make a decision we have decided we need to be clearer about the skills/knowledge needed by the DPO and the actual job that needs to be done – almost a person spec. and job description. We have found this document on the ICO website that is next on the to-do list to explore. And, stop press, the LGfL document about DPO FAQs for schools is very helpful too.