Tony Sheppard Mobile Guardian GDPR and Schools www.mobileguardian.com

How the west was won Ray Mears : cc https://blog. raymears

“We all need to keep our foot firmly on the gas in the coming months to ensure that we are ready.” Jonathan Bamford, ICO, Westminster e-forum

This Town needs a sheriff CC BY 2.0 https://flic.kr/p/fj3xgz

What does it change? Storing Reporting data breaches now mandatory Processing Sharing Consent Remove and forget Reporting data breaches now mandatory Fines have increased drastically Must be sure you use 3rd parties which are GDPR compliant Must appoint or share a Data Protection Officer (DPO)

Getting Advice A lot of advice to sift through Very business orientated Discussions on technology, strategy, operation and accountability often not joined up Language is often not Public Sector relevant or is too full of jargon

Getting Advice ICO - https://ico.org.uk/for-organisations/data-protection-reform/ https://www.peerlyst.com/posts/the-gdpr-wiki-nicole-lamoureux https://www.itgovernance.co.uk/ http://gdpr.school/

The 12 steps in preparing for GDPR Awareness Children Information you hold Data Breaches Communicating privacy information Data Protection by design and Data Protection Impact Assessments Individual’s rights Data Protection Officers Subject access requests International Legal basis for processing data Consent

Awareness It is important that decision makers and key people in school are aware that the data protection law is changing to GDPR on 25th May 2018. This will include the head teacher or principal, governors or trustees and senior members of the administration team. They need to appreciate the impact GDPR will have within school.

Information you hold Document and consider all personal data that is used and stored. This will include data for students, all staff, parents, suppliers, governors or trustees, regular service staff and consultants. If any records are made of individual names or other details, the process you use should be included. You may need to organise an information audit.

Communicating Privacy Information Review current privacy notices and make any necessary changes in time for GDPR implementation. Please visit Department of Education where it is hoped the examples provided will be updated. Also review the ICO’s Privacy Notices Code of Practice

Individual’s Rights Check procedures to ensure they cover all individuals’ rights, including how to delete personal data. Remember much data in school will be regarded as stored under the public interest umbrella (6(1)(e)). Know how to provide data electronically in a commonly used format.

Individual’s Rights the right to be informed; the right of access; the right to rectification; the right to erasure; the right to restrict processing; the right to data portability; the right to object; and the right not to be subject to automated decision-making including profiling.

Subject Access Requests Update procedures and plan how to handle requests within the new timescales for information stored on an individual. Remember there must be no charge.

Legal basis for processing data Most data processed in schools will come under the public interest umbrella (6(1)(e)). Identify which does not and document it. This is data which is lawfully processed and which is necessary to allow the school to function. Know what you have Know why you have it Know what you are doing with it Know who is doing things with it

Consent For data that is NOT processed under the public interest umbrella (6(1)(e)) carry out a review of how consent is sought, obtained and recorded. Check existing records to see whether new consent should be sought.

Children Schools already have systems in place to verify individuals’ ages. As standard, they gather parental or guardian consent for the data processing activity. Continue these processes. Identify any system where a student enters their name or other details online. Processes should be put in place when a student reaches 16. At this point school cannot share data with parents automatically without the student’s permission.

Data Breaches It is essential that the correct procedures are in place to detect, report and investigate a personal data breach. Familiarise all staff with these procedures. It is mandatory under GDPR that all data breaches are reported.

Data Protection by design and Data Protection Impact Assessments Become familiar with the ICO guidance on Privacy Impact Assessments (PIA). If, and when, new projects or processes are implemented use the PIA approach to assess risk and impact across the individuals affected. Talk to your suppliers about their approach to GDPR and how their product is compliant / will help you with compliance.

Data Protection Officers Schools are classed as a public authority and therefore MUST designate a Data Protection Officer, to take responsibility for data protection compliance. It is important to assess where this role will sit within school’s structure and governance arrangements. Schools may share a DPO with other schools unless it is very large. However, remember the school itself is still responsible and liable to comply to GDPR not the DPO

International If the school operates internationally, determine under which data protection supervisory authority applies to the you.

The 12 steps in preparing for GDPR Awareness Children Information you hold Data Breaches Communicating privacy information Data Protection by design and Data Protection Impact Assessments Individual’s rights Data Protection Officers Subject access requests International Legal basis for processing data Consent

Next steps Ensure someone takes ownership ASAP Keep Calm and Plan Communicate in plain English Audit and ensure you justify what is going on Talk with your suppliers Ensure that you keep an eye out for further guidance and advice.