DfE Publishes GDPR Toolkit for Schools

If you work in a school and have not heard of the General Data Protection Regulation (GDPR), you must have been living on another planet!
Yesterday the DfE published a GDPR Toolkit for Schools – guidance which will help schools to develop policies and processes in preparation for the GDPR coming into force.
The new GDPR legislation is enforceable from 25 May 18 – only one month away – and schools are gearing up to make sure they are compliant, because breaking the rules can be costly to the school’s budget, and more importantly, their reputation. GDPR isn’t normal ‘day-to-day’ business for schools, so they will have to adapt to make it commonplace, alongside all of the regular teaching and learning commitments that go on.
Data Protection Officer (DPO) – you will need to appoint a DPO, who will have overall responsibility for all data handling in your school. The regulations around data handling are very detailed, so your DPO will need to be aware of the requirements, as well as being responsible for reporting any breaches within 72 hours.
Have an e-safety policy in place – Having a robust e-safety policy in place will make sure that all stakeholders linked to your school (both internally and externally) know how to stay GDPR compliant. This will protect not only your staff and students, but it will also keep safe all the data that is held on the systems in your school. (Don’t forget: a cyber attack on your school’s IT network, viruses that infect your IT systems, or even the way your school’s IT hardware is disposed of, can all affect your GDPR compliance!)
Who within the School needs to think about GDPR?
Senior leadership – Just as safeguarding is a school-wide priority (normally led by one of the senior leadership team), it is recommended that GDPR follows the same approach: someone within the senior team who has adequate resources and understanding to implement the legislation across the school.
All staff – GDPR could never be just the remit of one person – it’s important that the whole school is on board when it comes to data protection. All staff should know about, and be trained in, the GDPR so they understand the implications of their activity around the collection of personal data (e.g. even class teachers taking the class register).
- Reporting a data breach: teachers must understand what constitutes a breach and, if they suspect a breach has occurred, report it to their DPO.
- Introducing new systems: if teachers want to introduce a new piece of subject-specific software or use any new processing system there needs to be a clear process in place to inform the DPO and ensure it is done compliantly.
Data Protection Officer (DPO) – Under the new law schools must appoint a DPO; however, groups of schools or MATs are allowed to share a DPO. Either way, whether the DPO is appointed internally or externally, they will need enough knowledge about the school to be able to advise it properly.
External third parties – Any third-party suppliers who handle a school’s data (e.g. messaging or payments providers) will have to have data processing agreements in place.
What will happen on 25 May 2018?
Subject Access Requests (SAR) – From 25 May, any data subject (that’s someone whose data the school holds) can exercise certain rights with regard to their data. This means that a parent could ask a school to produce all the data it currently holds on their child, or a job applicant could ask you to erase all their details. Schools are legally obliged to carry out these requests within 28 days of receiving the request.
Reporting a breach – From 25 May, if schools are informed of a breach to someone’s personal data, they may be required to inform the ICO. Under serious circumstances schools may be required to inform the individuals whose data has been put at risk.
Fines/Penalties – The maximum fine for failing to comply with the new GDPR is €20m (around £17.7m) or 4 per cent of the organisation’s annual turnover (whichever is greater). Under the previous regulations, organisations such as the NHS and TalkTalk have received six-figure fines, although the consensus suggests schools will need to be seriously negligent to receive similar penalties.