For anyone involved in school leadership, data protection is a key part of your safeguarding role. With this in mind, all schools need to be aware of the General Data Protection Regulation (GDPR) and the implications it has for the ways in which schools use, manage and secure personal data.
On 25th May 2018, the GDPR replaced the old Data Protection Act, introducing a whole new framework for personal data management and protection. In areas such as data governance and reporting, it introduced new obligations for school leaders and other staff to get to grips with.
The GDPR also expanded the rights of individuals in areas such as consent and access to information; something that has implications for your relationships with staff, parents and pupils alike.
Here, we’ll take a closer look at some of the most significant implications of the GDPR for educators, and show how compliance, better data management and a more positive learning environment are all closely linked.
Approaching GDPR: obligations and opportunities for schools
Especially where resources and budgets are stretched, a big data protection shakeup can seem like a daunting challenge; something that your leadership team and IT support staff could do without.
It’s true that the GDPR marked some big changes – and you can find out more about individual elements of the new law in our GDPR resources pages.
That said, we’ve seen more than a little GDPR scaremongering, so as you seek to establish what changes are needed in your school, it’s worth keeping a sense of perspective. The Information Commissioner has made it clear that the GDPR is not designed to trip up organisations. For those schools and academy trusts who already follow ICO and DfEE guidelines, getting to grips with the GDPR should be more of a step change than a complete overhaul.
What’s more, rather than being seen as a purely backroom data governance matter, there are potential opportunities to be had from GDPR compliance that can have a direct positive impact in the classroom and beyond. These include the following:
- Greater transparency. At its heart, the GDPR aims to prevent data subjects from being in the dark about what happens to their personal data. If schools embrace the rules in areas such as easier-to-understand privacy notices and access to records, the net result should be better informed parents and pupils, helping to give students a better understanding of what you’re trying to achieve, and how.
- A streamlined data ecosystem. Being GDPR compliant involves a thorough audit of your existing data estate. This can often be an opportunity to identify better, more efficient ways of managing and storing that data, ditching legacy systems and helping you make better use of your resources.
- A safer environment. A big part of the GDPR involves assessing possible risks to the rights and freedoms of data subjects (e.g. pupils and staff) and addressing those risks. By doing this (and especially through explaining to pupils and parents the safeguards you have in place), it can help increase their confidence in your ability to provide a safe environment.
Areas for schools to focus on
For educators already familiar with the workings of the old Data Protection Act, our DPA vs GDPR guide gives a useful overview of the differences between the old and new framework.
For schools, some of the most significant areas to focus on include the following:
The need for a data protection officer
GDPR makes the appointment of a data protection officer (DPO) compulsory in the case of public authorities and public bodies. This effectively makes the appointment of a DPO mandatory in the case of local authority-maintained schools. The governing bodies of academy and independent schools might also consider it prudent to appoint DPOs, too.
The DPO oversees all aspects of GDPR compliance, including audits and training – as well as acting as the go-to point of contact between the organisation and the data regulator. The job is as much to do with communication and internal insight as “tech”, so schools should consider carefully who should take on DPO duties (hint: this will usually involve looking beyond your IT department).
Data protection impact assessments
From online learning apps for students through to staff development tools, it’s important to assess and address any privacy and security risks that arise through new technologies and processes.
As part of this, privacy data protection impact assessments (DPIAs) have always been part of good practice, but the GDPR makes DPIAs a formal requirement. An assessment should be carried out in all instances where new initiatives are introduced and where there’s a “high risk” to the rights and freedoms of individuals.
Building security and privacy awareness
The law requires you to have appropriate measures in place to address data security risks. And while technical measures (e.g. firewalls and filters) are part of this, it’s important not to overlook the human element.
Do some of your staff routinely use USB sticks to transfer assessment data between home and school? Do they download and use apps on school machines that haven’t been cleared by IT?
In areas such as lesson planning and workflows, it’s normal for staff to develop their own preferred ways of working and tools for the job. While the GDPR shouldn’t be seen as a barrier to this autonomy, all of your people should be aware of their personal obligations when it comes to data security.
Pupils, parents and data: what difference does the GDPR make?
Transparency is one of the most important elements of the GDPR. Schools need to be able to explain to students and parents what’s happening with their personal data and how they can exercise their rights. DfEE guidance on GDPR-compliant privacy notices is a useful starting point here.
At what age can pupils be consulted over their data processing?
In the UK, children can give their consent to data processing when they’re 13. Schools will need to get consent from whoever holds parental responsibility for the child if they’re under this age. Privacy notices for services aimed at children should be clearly written so they’re able to understand what will happen to their personal data and what rights they have.
What happens if a school breaches the GDPR?
If it’s a data breach then read our article on When and how to notify a data breach. If it is another breach that is discovered, then put it right!
Next steps
The initial stage of compliance for any school involves a thorough data audit; an assessment of what data you control, its purpose, where it resides and how it flows through the organisation.
From CCTV surveillance footage through to very sensitive personal records, a school’s data estate can be complex. Fortunately, our experts have already thought this through and created the Privacy Compliance Hub effectively taking the stress and complexity out of data privacy compliance. We have put together a complete product to help you get to grips with your data and to get GDPR compliance right. To find out more, take a look at our demo – or speak to us today.