Tip 1: Keep data protection alive in your school. Use a variety of methods- don’t just rely on training. Talk about it in meetings, send regular reminders, praise staff who get data protection right. We were really excited to hear that one of our schools uses a card where staff can complete data protection challenges, When the card is full, they get a chocolate prize! (and the school gets evidence of the compliance work done).
When it comes to training, make it interesting! Our Data Protection Officers deliver live training to schools, where there can be discussion and debate and delegates can ask questions. Does your school give staff the opportunity to think more deeply about what their obligations are, or do you just ask them to complete ‘click-through’ training without any further support?
Tip 2: Think of Data Protection Impact Assessments (DPIAs) in the same way that you think of school trip risk assessments. You wouldn’t write the risk assessment for a trip once you’ve already got on the school bus, so why commit to sharing data before doing a DPIA? The earlier you can consider data protection risks in a new project then the safer for your students it is likely to be.
Tip 3: Read vendor documentation. It is really important that school staff read vendor documentation before sharing pupil personal data. If you are sharing personal data then you should consider if a Data Sharing or Processing Agreement is needed. This will help protect you and your data subjects if there are any problems later on.
Tip 4: Think of your Data Breach log in the same way that you think about the Pupil Accident book- you need to log all the data ‘slips and trips’ as well as the more serious incidents. In the same way that you could identify a problem with a trip hazard in school if lots of pupils have minor accidents in the same area, you may also identify some data protection risks through minor or near-miss data breaches.
Tip 5: Make sure you are working to improve Records Management in your school. Records Management has really changed in schools over the past few years, particularly as many ways of working and record-keeping have changed due to the Covid pandemic.
Good records management is your ‘friend’ in data protection- it will help you to respond to Subject Access Requests (or Pupil Educational Record requests) as well as help to ensure that you are processing data lawfully. Make your Retention Policy work for you- set out where you are storing data (it may be on paper, on the cloud, or even with a Edtech vendor), how long you are storing data for and use it as an annual data disposal checklist.
There’s no such thing as a daft question. If you have any queries relating to data protection please don’t hesitate to get in touch with the GDPR for Schools team