What is this and what does it mean for you?
The DfE released their ‘Data protection: a toolkit for schools’ in April 2018. The guidance aims to help schools develop policies and processes for data management, in line with the GDPR.
The DfE suggests there are nine steps that can help schools efficiently develop the culture, processes and documentation required to be compliant with the GDPR and effectively manage the risks associated with data management.
This guide summarises the DfE’s guidance, offering schools practical tips to ensure they are compliant with the GDPR.
NB. The DfE’s document and this 3-Minute Read do not constitute formal legal guidance.
Step 1 – raising awareness
Schools should raise awareness on three levels:
- All staff – make sure they know what personal data is, what processing means and what their duties are in relation to handling personal data; which processes they are allowed to use and how they are allowed to use data; and the risks posed by a data breach and their responsibilities if a breach occurs. Roles that might warrant this level of training include catering staff, cleaners etc.
- Staff who influence how data is managed – these staff should have a chance to review the high-level data map, be engaged in ensuring there is a lawful basis for processing the data they use and that the storage of data is minimised, and be engaged in discussions about risk management. Roles that might warrant this level of training include teaching staff, office staff, technical support staff etc.
- SLT, executive leaders and staff who manage the ‘data ecosystem’ – these are staff who are responsible and accountable for making choices around the use of technology, deciding on what and how data is shared, and setting school policies around data and technology. These staff need to be sufficiently aware of the GDPR and Data Protection Bill. Roles that might warrant this level of training include the SLT, curriculum leads, the SBM, ICT leads etc.
Awareness for governors and MAT trustees should focus on the following:
- That ultimate responsibility for data management compliance lies with governors and trustees
- Governors should ensure the school has good network security – including having a business continuity plan in place that considers cyber resilience
- The GDPR requires schools to demonstrate compliance rather than just comply
- All personal data assets need to be documented, be appropriately managed and secured
- Current data practices need to be audited to ensure compliance – following the audit, a risk assessment should be conducted
- The way the school communicates data use with pupils and parents, and their rights, needs to be reviewed – there needs to be an agreed procedure for dealing with subject access requests (SARs)
- Schools need to appoint a data protection officer (DPO)
- Data protection policies need to be reviewed in light of any changes to procedures
- Practices need to go through a process of ongoing review – an internal or external annual review should be considered
Step 2 – creating a high-level data map
Creating a high-level data map can be a step towards understanding the ‘data ecosystem’ of the school (i.e. an overview of all the places personal data is stored and used in the school).
To capture the information for the map, schools could first create a simple table that lists all the different categories of data a school records and uses, and then answer the following questions about each data category:
- Do we receive personal data?
- Do we create personal data?
- Do we send personal data?
- Do we destroy personal data?
Data categories include admissions, payment systems, safeguarding and statutory returns (a full list of data categories can be found on p.11-12 of the DfE’s ‘Data protection: a toolkit for schools’).
Invite a range of staff, not just the SLT and data managers, to document the data systems and stores associated with each data category.
Once the information has been collected in the table, convert it into a visual map – an example of this can be found on p.13 of the DfE’s toolkit.
Remember, creating a data map does not mean it is compliant. The action taken after the creation will build on knowledge to pinpoint areas of weakness and practices that need to change.
Management information systems (MIS) and third party suppliers
During the creation of the data map the data a school shares with their MIS and third party suppliers will be highlighted.
It is extremely important that schools know what information is being extracted from the MIS and how it is being used and/or shared – schools should ask their MIS provider if they do not know this.
Schools should also ensure they have up-to-date data processing agreements in place with all third party suppliers that they share personal data with.
Step 3 – turn your data map into a data asset register
In short, a data asset register (or information asset register) is a list of all the data assets in a school, with some supplementary information about each of them. A school’s data map can act as a starting point for the creation of a register and it is important that these documents remain in sync at all times.
The DfE recommends that schools create a spreadsheet that has a row for each data asset and that the following themes are covered in the column headings:
- Processing and role of the school
- Controlling access and use
- Data retention and destruction
- Communicating with data subjects and their rights
- Security and breach
- Automated profiling
- Offshore storage
For further details of what should be included in the register, see p.15-16 of the DfE’s toolkit.
Some information schools may require for the register will need to be obtained from suppliers. The DfE has encouraged suppliers to engage with schools so this task can be completed; however, schools may also wish to contact suppliers to obtain information on how their school’s data is used or stored – this could be done via a letter.
Spending time structuring the asset register will pay dividends in the long run in terms of staying organised. Having a full inventory of all the systems within a school can also help to improve data security.
Step 4 – documenting the reasons for processing data
Under the GDPR, schools must have a lawful basis for processing data – these are consent, contract, legal obligation, vital interest, public task and legitimate interest. Schools need to be familiar with the bases that are most relevant to their activity.
Before establishing a lawful basis for processing data, it is important to classify the data in the asset because items with different sensitivity require different processing conditions. The GDPR identifies two types of personal data:
- Special category personal data – this specifically means data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and health or sex life.
- Personal data – this means all other data. For schools, this could be email addresses, exam results etc.
When establishing the lawful basis, the first question schools should ask is: Am I required by law to process this data? – e.g. schools are required by law to submit data returns to the DfE, such as the school census; therefore, schools have a legal obligation as their basis and the conditions for processing any special category data within that is processing necessary for reasons of substantial public interest.
If the answer to the above question is no, then the second question that should be asked is: Do I need to process this data to safely and effectively run my school? – if the answer is yes, then the lawful basis of public task may apply.
Remember – the law does not prevent data being shared with certain authorities if it is for the purpose of safeguarding.
If processing is not legally essential or needed to complete a public task, then it needs to be explored fully and have a lawful basis. Workforce data may be reliant on the contract basis and schools may need to obtain consent for other processing activities.
If consent is being relied on, schools must ensure it is voluntarily given, specific, informed and unambiguous, and make sure there is an alternative process on offer. It must also be easy for individuals to be able to withdraw their consent.
- On its own, justification for processing data does not provide compliance. Schools must also consider how they process the data responsibly, e.g. how many people have access to the data, how the security of the data is handled.
- Schools process some sensitive data about children that is not classified as special category personal data in the law – this includes FSM status, pupil premium eligibility and some SEND information. The DfE considers it best practice to treat this information in the same way as special category data.
- The law does not prevent information about pupils being shared with specific authorities if it is for the purpose of safeguarding.
- If a school relies on legal obligation as a basis for processing, they must think about what happens after that obligation is fulfilled – i.e. if pupil gender data is retained after the Summer census, the school will need another lawful basis to keep this data as the data has already been sent to the DfE and the obligation is no longer relevant.
- More than one lawful basis may apply to processing – if so, each process should be documented.
- Explicit consent should always be used for biometric data use, and genuine alternatives must be offered for those who do not consent.
Use of photographs
Photographs are used in schools for a variety of reasons – the different uses should be considered separately and potentially have different conditions for processing, for example:
- Photographs used in identity management may be essential for performing the public task of the school, but should be deleted once a pupil is no longer at the school.
- Photographs in school relative to providing education may fall under the public task basis; however, after the pupil has left the school, it may not be lawful to keep these photographs and permission to retain images beyond a pupil’s time at school should be sought.
- Photographs used in promotion or marketing material should seek specific, informed consent.
Step 5 – documenting how long you need to retain information
When creating a data retention policy, schools should focus on setting retention periods that are “necessary and proportionate”.
To establish retention periods for data, it is helpful to group the data into areas such as attainment, exclusions, medical information etc. Once the data is grouped, think about four periods of data retention:
- One month after the event about which you create data is active, in order to ensure any ‘loose ends’ are tied up.
- One year after the pupil to whom the data relates is at the school, in order to ensure a smooth handover if the pupil is passed to another school.
- For five years after a pupil has left the school, to support longer term analysis of progress, attainment, support for different pupil groups etc.
- Longer term, until the pupil is 25-years-old or older, for instances where detailed information about activities in school may form an important part of safeguarding that individual.
Schools should consider the following questions when creating their data retention policies:
- Why am I holding this data?
- Do I need to pass it on? Once data has been passed on, do I need to keep it? Do I need to still use it?
- What is the school’s actual responsibility and is long-term retention necessary?
- What might Ofsted expect from me in terms of the length of time I can perform detailed reporting?
- As time goes on, can I delete some of the data or de-personalise it?
Schools should determine their own retention policies that work for them and their particular context.
Reducing sensitivity over time
At some point in the pupil lifecycle, detailed personally identifiable data is needed. Before being able to delete the data completely, there is usually a period where names or full addresses may not be needed, but individual-level data still is. There also may be a period after this where summary data is needed.
As data becomes older, e.g. when a pupil leaves a school, schools may be able to take steps to remove some risks around the personal data by de-personalising it – this means taking names and personal identifiers away, but retaining data at an individual level.
These ‘data minimisation’ techniques reduce risk, but do not negate the need for compliance with legislation.
Step 6 – reassurance and risks
The data asset register will identify high-level issues. The most important issues to look out for are the following:
- Any current activity that does not map to a lawful basis and conditions for processing
- Any uncertainty about onward sharing
- If there are not up-to-date data sharing agreements with organisations data is being shared with
- If ICT policies are up-to-date and all staff are aware of security policies and have received appropriate training
- If school systems allow the data retention policy to be implemented
- If staff know what the process for reacting to a data breach is
Minimisation is key to reducing risk – use the minimum amount of data needed to get the job done and only allow the minimum number of people possible access to this data.
The DfE toolkit contains a number of scenarios which focus on some known areas of risks common to schools – schools should familiarise themselves with these (these can be found on p.31-35 of the DfE’s toolkit).
Data protection impact assessments (DPIAs)
The asset register will not flag all issues; however, regular review and the involvement of the DPO will help, as will the completion of data protection impact assessments (DPIAs).
An effective DPIA will help schools identify risks and mitigate these at an early stage. There are certain circumstances where schools must conduct a DPIA, but they can also be a useful tool in other cases too.
Examples of when a DPIA needs to be conducted are when data concerning vulnerable data subjects is being processed, when using new technologies, and CCTV use.
DPIAs need to be frequently reviewed and kept up-to-date. Schools also need to review all uses of personal data regularly to assess whether processing activities require a DPIA.
A lot of data breaches occur due to an innocent mistake or human error – ensure processes are in place to mitigate these risks.
Targeted breaches can also occur – ensure IT security policies are regularly reviewed, software is regularly updated, and staff receive training on these types of breaches.
The initial step to take after a breach has occurred is to minimise and assess the impact.
It is good practice to record every data breach, no matter how small. If a system or process is identified as having regular, minor incidents, the DPO and school can mitigate the risk – this can only happen if schools employ a ‘report it always culture’.
If a school experiences a serious data breach, the DPO must report the breach to the ICO within 72 hours.
Step 7 – decide on the DPO role
Every school needs to appoint a DPO – the DPO can work exclusively for one school or be shared across a number of schools. The GDPR encourages a degree of separation between those in charge of the data ecosystem and the DPO role.
There are four options available to schools when appointing their DPO:
- Realign responsibilities within the current team
- Share a DPO
- Buy in the DPO
- Seek volunteers from experts
The DPO needs to be highly knowledgeable about data protection, the GDPR, and the school’s operations, technology and security, and be well placed to promote a data protection culture in school.
The DPO role involves advising the SLT and staff about their data obligations and monitoring compliance – they should be involved in all issues relating to the protection of personal data.
Step 8 – communicate with data subjects
A data subject’s right to be informed is a key aspect of the GDPR. There are a number of ways that schools can inform data subjects, including the following:
- When providing initial registration information upon joining the school
- When providing additional information at various points during the year
- Through the school website
- For staff – at various points in the lifecycle of their role, such as recruitment, signing a contact, annual appraisals
Schools should give privacy notices to their data subjects, including staff, pupils and their families, third parties, etc. These privacy notices should inform subjects of a number of things, including what data the school collects about them, why data is collected and how long the data is retained for.
Data subjects also have a right to access data – one way they can do this is through a SAR. Once they have seen the data, they may request it to be rectified if it is incorrect.
The timeframe for SARs to be completed has shortened under GDPR (to one month, with exceptions). Schools should make sure they include their willingness to help data subjects access their data in the privacy notice – explain that the school endeavours to complete SARs in a timely manner, but during the school holidays this may be more difficult.
If a school receives a SAR, they should:
- Have a conversation to see if the requestor is willing to clarify the scope of the data requested.
- Consider whether the SAR is complex – the deadline may be extended for complex requests.
- Check if the request is an Educational Record request – timescales for completing these may be shorter.
Schools should make sure they keep a log of all the SARs they receive.
Step 9 – operationalise data protection, and keep it living
- The data a school stores and the way data is managed will evolve over time – the key things that need to be living documents to ensure they keep up with changes are the data map, data asset register, DPIA and risk management activity plan.
- The DPO will have views on how best to ensure data protection principles outlined in school policies are embedded into school processes.
- Schools need to look across a wide number of their policies to ensure they are compliant with the GDPR – these include the data protection policy, privacy notices, IT policies, data breach policy (for a full list, see p.43-44 of the DfE’s toolkit).
- Read the DfE’s ‘Data protection: toolkit for schools’ here.
- Our GDPR Resource Pack contains policies, guidance and templates that can be used to help schools ensure they are compliant with the GDPR – some of the resources within the pack include the following:
- GDPR Data Protection Policy
- Data Security and Breach Prevention Management Plan
- Information Asset Register
- The DfE is looking for feedback from schools on the guidance, these responses will then be used to improve and update the advice. Any comments should be sent to firstname.lastname@example.org with the subject heading ‘GDPR toolkit feedback’ by 1 June 2018.