In this article we will be reviewing our GDPR for schools checklist.
We will be discussing your requirements for meeting GDPR standards, including guidance stipulated by the UK Department for Education.
It is important to remember that GDPR is not ‘one size fits all’ legislation. Given the wide range of institutions that gather and use personal data today, you are expected to understand the data protection practices that are appropriate for your own business or institute.
However, there are clear instructions on processing personal data in Article 5 of the UK General Data Protection Regulation (retained Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data).
“Personal data shall be:
With these points in mind, let’s take a look at the GDPR for Schools Checklist:
7-Step GDPR Schools Checklist
1. Appoint a Data Protection Officer
Appointing a Data Protection Officer (DPO) is a legal requirement for any public authority, and should be the first step to attain GDPR compliance.
Find out more about DPOs in our guide: Who needs a Data Protection Officer, and what does a DPO do?
The DPO will be able to advise and assist you on all matters related to data protection, and should work independently of any additional duties within your school. This ensures their responsibilities as the DPO are not hindered by other work commitments. Your appointed Data Protection Officer can, however, be shared between different schools if you are part of a multi-academy trust. Nonetheless, constant collaboration with other departments of the school (including the management level) is a key factor in successfully implementing a proper data protection programme.
Discover more about our comprehensive outsourced data protection services for schools on our DPO as a Service page.
2. Update your privacy policy
Your school must update its privacy policy in order to accurately reflect:
- How data is gathered, used, stored and disclosed.
- The purpose of gathering data.
- Whose data can be accessed and for what purpose.
This is a legal requirement that covers the data of every child, parent, guardian and teacher.
3. Process personal data securely
Your school or institute must ensure all data is processed in a manner that ensures it is secured against unlawful processing and accidental loss, destruction or damage.
4. Understand what to do in the event of a data breach
A data breach is any instance of personal data becoming lost, corrupted, unlawfully accessed, disclosed or altered. This can happen for many reasons, the most common being a security failure in the institute’s internal systems.
Any personal data breach must be reported to the Information Commissioner’s Office (ICO) within 72 hours. The data subject must also be informed of any breaches immediately.
Further information on data breaches can be found on the ICO website.
5. Know how to deal with a Subject Access Request
A Data Subject Access Request (DSAR) is a request to access personal data by the individual the data relates to.
This used to be a service that was offered only at the institution’s or school’s discretion, and would generally require a fee to process the request. This is no longer the case: an individual is now entitled to access the personal data you hold on them, at no cost, unless the request is manifestly unfounded or excessive.
If you receive a DSAR, you should expect to provide the following:
- Confirmation of how their data is being processed.
- A copy of their personal data.
- Any other related information outlined in your data privacy policy.
Read the ICO guide on Rights of Access here.
Find out how we remove the administrative burden and opportunity cost of responding to DSARs under the GDPR on our DSAR as a Service page.
6. Have signed contracts with your third-party data handlers
This point requires an understanding of which data a third-party company can access through your school or institution, no matter how minor that access may seem.
A third-party company could be any of the following:
- Website developers (if your website is handled externally).
- School photographer.
- Trainers or speakers engaged from external organisations that collect or use, in any way, the data of students participating in training or conferences.
- External institutes that may have kept records of your students, for instance on a school trip.
There are many examples of third-party companies that will have access to personal data, and in every case it is a requirement to have a Data Processor Agreement (DPA) between your school and the external company.
This document should explain how and why data will be processed between both parties, as well as outline the responsibilities of both parties handling the data.
7. Publish a compliance statement for your institution
Finally, we have your school’s statement of compliance, which should outline how you are processing, storing and handling personal data. This declaration should be clear and visible on your website.
If you require expert advice on achieving GDPR compliance then JSIG has you covered. Contact one of our expert team today.