Secondary schools handle a lot of personal data – from the names, addresses and grades of students, to more sensitive health, behavioural and even criminal data. Schools also hold data about the parents of their students, and data on all their staff, temporary staff, and visitors and guests. In all, schools hold a great deal of often very sensitive data – and with this comes a great deal of responsibility.
So, who’s responsible? And what are they responsible for?
Compliance with any new regulations is best done with a strong leadership team, and the GDPR is no exception. A secondary school’s senior leadership team needs to be ready for the new regulations, so they’ll need to first know what data they hold, what they do with it, and where it goes. Drawing up a data map is the best way of doing this, as it shows the lifecycle of data within a school, from the moment it’s taken, to the moment it’s deleted.
Remember, it’s not enough just to comply with the GDPR: you need to be able to demonstrate that you’re complying. A data map not only helps you know where data is, it demonstrates to others that you’re on top of the data flow and are in control of all processing activities. Secondary school senior leadership must also:
- Appoint a Data Protection Officer (DPO) – As a public authority, it’s a requirement that you appoint somebody with enough knowledge, experience and technical understanding to act as a data security expert within your school.
- Draw up Data Processing Agreements – If you use any third parties to process data – which you probably do – you’ll need to have a legal agreement in place, guaranteeing that they’ll only use the data as you instruct and that their organisation is GDPR-compliant.
- Have procedures in place for dealing with a breach – With all that sensitive data within the school, you need to prepare for the worst-case scenario. In the event of a breach, you need to make sure that you have procedures in place for letting the ICO, and anyone affected, know what’s happened.
- Train staff – Something that is often overlooked is staff training. People think – “I understand the regulations, there’s no point everyone else being trained too” – but this couldn’t be more wrong. People who understand the regulations know what they need to be on the lookout for, what they need to do to keep the school compliant, and, most importantly, why compliance is so important.
Responsibility for compliance falls to everyone, not just senior staff. All staff need the appropriate training to understand what they need to do to comply. Remember, teaching staff not only handle the register of student names, they also have health and behavioural data, grades, reports and many other pieces of sensitive personal data – as such, they need to understand how to keep that safe, and why it’s important to do so.
Teaching staff must also:
- Report data breaches – Handling so much sensitive data means that a breach might happen, so it’s important that teaching staff know exactly what to do if one occurs. If they suspect a breach has occurred, they need to report it to their school’s DPO immediately.
- Liaise with the DPO – From time to time, teaching staff may want to introduce new software, schemes, programmes, or activities. It’s crucial that these all comply with the regulations. To make sure that they do, teaching staff should liaise with their school’s DPO before introducing them. More generally, if teaching staff are unsure about anything, or have any questions or concerns, they should know who the DPO is and where to find them.
Online GDPR Training
We have two GDPR-related courses here at iHasco: our GDPR Essentials Training looks at the fundamental requirements for GDPR compliance, and our GDPR Training for Management is for those who are in charge of making decisions about collecting, storing, and using people’s personal data.
Both courses can be completed in under 40 minutes and you can get free trial access to both at any time!