Interestingly, because a great deal of the data used by schools can be processed under the lawful basis of ‘public task’ (processing necessary for a task carried out in the public interest), specific consent is not always needed. That said, GDPR still ensures that all students’ data is protected and instead places greater accountability on the school to keep it secure. However, consent (or another valid lawful basis) is needed when the collected information doesn’t fall within normal school practice, particularly if the data will be handled or seen by a third party.
This might all feel like a lot to take in, particularly if you’re relatively new to the world of GDPR. So if you’re unsure whether your school meets all the requirements or you’d like to know more about becoming GDPR compliant, this guide can help. Below is a checklist of six things you can do to ensure your school is accountable and complies with the legislation.
- Are your staff educated about GDPR and personal data?
An essential part of ensuring that your school is GDPR compliant is educating all staff, especially senior team members, on the subject. Ensure everyone has a basic understanding of what GDPR means, what constitutes personal data, and their role in handling this data. One good way to hit it home is to explain data protection as a form of child protection, something very important to all educational professionals.
What’s more, everyone handling data in any form should be trained on how to recognise and report a security breach, even if that only means reporting it to the appropriate staff member. This matters because the legislation gives the school just 72 hours from becoming aware of a personal data breach to notify the supervisory authority (where the breach is likely to put individuals at risk), so the internal reporting chain must be fast enough to leave time for that notification and for containment. It’s also important that staff understand when they do and don’t need to get formal consent from parents regarding their children’s information.
- Do you know how to locate this data?
To better understand and comply with GDPR, it helps to be able to know the information your school uses, where it’s stored, and if it ever changes locations. You can do this by creating what is known as a data map, which helps you get to grips with the range of personal data within the school.
Start by making a list of all the places that personal data is stored. This can be data about pupils, parents, and teachers; personal data is anything that can identify a living individual. Once you have this list, ask other members of staff who deal with data to check it over and note any gaps. When you have a comprehensive list of where all personal data is stored, it can be helpful to turn it into a physical ‘map’ or diagram that everyone can understand.
This is important because all staff working with personal data need to be able to locate it quickly if asked to. Such a request could come from a parent or an official, because an essential part of GDPR is the right of individuals to access the data held about them, and the school must normally respond within one month. Not only this, but understanding the storage and flow of data means your school can put better security measures in place.
- Do you understand why you process data and when you need to get consent?
You need to understand why your school stores and processes this personal data, and you also need to be aware of the lawful basis for processing it. So, for example, while you may not need consent from existing pupils because the processing falls under the public task basis, if you store data about past pupils or employees and plan to use it in the future for a purpose that goes beyond the school’s public task, you may need to get consent. By understanding why you store and process the data you do, and what you do and don’t need consent for, you will be better equipped to ensure the school complies with GDPR.
- Do you have effective security measures in place?
From the school’s data map and the team’s growing knowledge of GDPR, you can run a risk assessment. For example, knowing where and how personal data is stored will help identify whether that data is at risk of a breach or of being seen and handled by unauthorised people. If you notice any gaps or potential threats, controls must be put in place to mitigate them. Moreover, any software or hardware holding sensitive information must be safeguarded with security measures appropriate to the risk (such as access controls and encryption), and any physical data such as filing cabinets full of reports must be kept safely stored and locked away.
- Have you informed parents?
Once you have a solid understanding of what data the school collects and processes, you can reach out to parents to let them know about GDPR and any changes the school will implement. While you may not have to ask for direct consent to hold most of this information, as it falls within the confines of a school’s business, it’s essential to tell them how you will be using pupils’ data and what measures you have in place to keep it safe and secure. This can give parents better peace of mind regarding their child’s privacy and is also good practice for the school, showing that staff are taking a mature and authoritative approach to GDPR.
- Have you appointed a Data Protection Officer (DPO)?
While your school might have done everything above to ensure you’re ticking all the right boxes, staff cannot simply declare the school GDPR compliant and expect everyone to take their word for it. Schools, as public authorities, are required to appoint a Data Protection Officer (DPO). This can be a member of your staff, a DPO shared with another school, or a volunteer. Whoever is selected must understand the role and responsibilities of a Data Protection Officer and act as the point of contact with the Information Commissioner’s Office (ICO).