EduCare is the UK’s leading provider of essential duty of care and safeguarding training. Here they share some information on the upcoming GDPR and how you can ensure your school is ready.
As the enforcement date of 25th May 2018 approaches, your school should already be promoting a strong culture of protecting personal data. From that date, everyone who handles personal data in the school will be responsible for ensuring that they comply with the General Data Protection Regulation (GDPR).
How does the new General Data Protection Regulation apply to schools?
The GDPR covers any personal data that is processed by automated means (stored or processed using computers, whether on a standalone machine, a network server or in the cloud), and any personal data held on paper in a structured manual filing system, including handwritten notes filed in that way.
In an educational setting that means any and all personal data held on students, parents, staff and governors.
Under the GDPR's accountability principle, organisations must be able to demonstrate how they protect that data in practice, not just produce a set of policies or protocols that are compliant on paper.
Below, we detail the three key steps to get ahead before 25th May.
1) Produce a data map
In the example of a school, the setting needs to identify every category of personal data it holds about students, parents, staff and governors, the purpose for which each category is held, and how it is processed. Doing this makes the organisation familiar with the personal data ecosystem within the school.
This information can then be used to run an audit. To help with this, the ICO provides an audit tool that RAG rates* your current practice and gives a clear indication of your strengths and areas for improvement. The result can be printed off, and as you progress you can repeat the audit as often as you like to measure progress; this provides a useful framework for planning as well as good evidence of the action taken.
*Red: not implemented or planned
Amber: partially implemented or planned
Green: successfully implemented
2) Promote good practice
Your organisation should already be promoting a strong culture of protecting data. In preparing for the GDPR you should:
- Appoint a data protection officer (mandatory for public authorities, which includes most schools)
- Train staff
- Carry out an information audit
- Update and review policies and procedures
- Tell people why their data is being collected (for example, through clear privacy notices)
3) Ask questions
In addition to a clear description of the data, the following questions should be put to the people responsible for collecting and collating personal data.
- What information is being collected?
- Who is collecting it?
- How is it collected?
- Why is it being collected?
- How will it be used?
- Who will it be shared with?
- How long will you keep it for?
- How will it be kept secure?
- What process is it needed for? (e.g. admissions, recruitment)
- How is security maintained?
- Who has access to the information?
- Who manages the data?
- Who are the data subjects?
- What is the source of the data?
- What software is used? (if any)
- Where does the data go inside the organisation?
- How is the data stored?
- Does the data leave the organisation?
- Is the data transferred outside the EU/EEA, that is, across national borders to countries not covered by the GDPR?
Test your GDPR strength against these three potential data issues
To gauge how prepared you and your organisation are for the GDPR's enforcement date of 25th May 2018, we have put together three scenarios describing potential data problems for you to resolve:
Issue 1: Governors
Confidential papers are being distributed to governors using their personal email addresses. These papers may contain sensitive personal information about staff. When a governor's term of office ends, you have no control over the deletion or destruction of confidential documents they have kept digitally. How would you resolve this?
Issue 2: Cashless pay system
The establishment where you work has introduced a new cashless catering system, which involves both collecting new personal data and using existing personal data for a new purpose. What should be conducted before the system goes live?
Issue 3: Holding data externally
Staff are holding student data on personal USB drives and using them to take that data offsite to work at home. This means that staff may have several USB drives containing student data, and some may have copied the data onto home equipment. What should you do?
Find out more
These three scenarios are answered in the latest GDPR training course that has been launched by EduCare: ‘A Practical Guide to the GDPR for Education’. The course gives real-world scenarios and sample solutions to help schools and settings prepare for 25th May 2018 and is available individually or as an addition to EduCare for Education, EduCare’s complete safeguarding and duty of care training service.