Equipping schools for the GDPR – four questions
Anyone with responsibility for personal data in a school or college should have the General Data Protection Regulation firmly in their sights by now.
How personal data on pupils, parents, staff, governors or alumni is collected, edited, stored and destroyed needs to be reviewed and steps taken to comply with the GDPR, well before 25 May 2018 when this new legal requirement comes into effect.
School staff, managers, governors and trustees need to familiarise themselves with the expectations of the GDPR, as do any other individuals who may collect, store or use personal data in a school.
1. Is it relevant to us?
Although the GDPR is being introduced by the EU, the government has already confirmed that the UK’s decision to leave the EU will not prevent its introduction in the UK in May 2018.
Beyond that, educational establishments will be no more exempt than any other organisation. The Information Commissioner’s Office (ICO) says that any organisation’s failure to prepare for the GDPR before it takes full effect could lead to significant consequences.
Where an organisation infringes the GDPR, including by failing to protect personal data from a breach, the ICO will be able to impose fines calculated either as a percentage of worldwide annual turnover or as a fixed sum, whichever is higher. For the most serious infringements the maximum is €20 million or 4% of worldwide annual turnover, a steep increase from the current maximum fine of £500,000.
2. Where do we start?
Among the questions that schools need to consider, according to the ICO, are:
- Has the school reviewed its Data Protection Policy and identified the changes required to ensure compliance with the GDPR?
- Has the school created a record of what personal data is held, where it came from and who it is shared with, for any future information audit?
- Has a review been undertaken of the school’s privacy notices, and has a plan been developed to make any necessary amendments in time for the GDPR coming into effect?
- Have privacy notices within the school been reviewed to ensure that they are provided, where appropriate, in language that is accessible to children?
3. What about data on children?
One consideration is data on children. Schools hold data on pupils’ progress, SATs and exam results, much of it in third-party systems accessed from school computers and tablets. Those responsible for this data will need to make sure that the processing, including what the third-party providers do with it, complies with the GDPR.
Schools will also need to identify the lawful basis for processing data on children. Where consent is the basis, they will in most cases need the clear consent of parents or guardians and must be able to produce evidence of it. Whatever the basis, schools will need to state clearly their reasons for processing this data.
4. How do we equip ourselves?
Schools need to have the tools in place to safeguard data for the GDPR. Measures should include the following.
One of the issues people don’t always consider is ‘visual theft’. In other words, unauthorised individuals viewing data on a PC, laptop or smartphone screen, whether accidentally or otherwise.
In a busy school environment, the number of people in the vicinity of device screens, whether in the school office, classrooms or staff room, is significant. Those on site in a school at any one time can include parents, governors, inspectors, suppliers and staff.
Privacy filters narrow a screen’s viewing angle so that it is legible only to the person directly in front of it, allowing him or her to continue working without exposing data to onlookers.
Secure destruction of sensitive paperwork, once a school no longer needs it, is important. Cross-cut shredders that reduce A4 sheets to hundreds of pieces should be in use in the school office, staff room, head’s office, and anywhere else confidential data may be held.
Many modern printers can scan, send and store potentially sensitive information. While this helps increase productivity, these features also mean the device itself holds copies of personal data.
Printing and imaging devices should be configured so that stored data is encrypted and regularly erased, and so that a device’s storage is wiped before it is disposed of or returned at the end of a lease, to reduce the chance that confidential details are recovered.
To make sure sensitive documents cannot be picked up from output trays by the wrong person, all printers should use pull printing, where a job is only released once the user authenticates at the device. Administrative settings should be protected by admin-only credentials (with any default password changed) so that ordinary users cannot alter storage, logging or forwarding options.
With teachers and other staff working on iPads, desktops and other devices, it’s vital that all equipment is protected with strong, unique passwords, that screens lock automatically, and that passwords are changed promptly whenever compromise is suspected. Note that current NCSC guidance advises against forcing routine password expiry, which tends to produce weaker, more predictable passwords; multi-factor authentication for access to pupil data systems gives more protection than frequent changes.
With Banner you can feel confident you have the right equipment to help your school or college be GDPR compliant.
To find out more, please email our education team at education@BannerUK.com, or download our B Guide to GDPR.