GDPR support January 2018

Presentation transcript:

GDPR support January 2018

Context
GDPR – General Data Protection Regulations - come into force 25th May 2018

Core foci
GDPR marks a natural evolution from the DPA. It incorporates most of the same principles of lawful processing, but also:
- takes account of new ways of identifying an individual (biometric data; genetic material; location data; IP address and social media identity are all now included as personal data)
- regulates the use of personal data for commercial or campaigning purposes using profiling; targeted advertising
- strengthens the law on unsolicited contact
- provides better protection for children under 13 when using websites and services

The role of the DPO
The latest guidance from the ICO is that organisations should:
- designate a DPO
- ensure the DPO is appropriately qualified, effectively supported and has appropriate authority within the organisation
- decide where the DPO will fit within the organisation
The DPO is not personally liable for data protection in the school – responsibility sits with the organisation. The DPO does not need to work at the school.

What is a DPO?
- A DPO is the Data Protection Officer for an organisation
- Every school and PVI needs to appoint a DPO as they handle significant amounts of sensitive, personal data
- A DPO can be a member of staff, but does not have to be
- There are no official, formal qualifications for DPOs, but they must have expert knowledge of data protection laws and practice

What does a DPO do?
The DPO is required to:
- inform the organisation of its obligations under the GDPR
- monitor the impact and application of policies in relation to personal data
- be included in all issues raised by the processing of data - in particular by organising training and establishing a network of persons aware of data protection within the organisation
- act as the point of contact for and cooperate with the ICO
- be available for data subject queries – ‘easily accessible’
- publish email/contact details, not necessarily a name (general email address e.g. dpo@)
- be consulted on any new processing or data collection which contains a significant element of risk to the individuals affected
A DPO is responsible at a strategic level for data protection, but does not have to perform the administrative or operational functions related to data collection or access requests.

Who can be a DPO?
A DPO should be:
- senior enough to inform strategy and practice
- free from conflict of interest - without operational or decision making powers for data systems and management
And:
- report directly to the most senior management body (i.e. a school trust/GB)
- be able to act independently without being penalised for fulfilling their role

Roles with a potential conflict
- Headteachers – strategic responsibility for data protection
- IT / Network Managers – responsible for systems which manage data
- School Business Managers and COOs – responsible for systems and processes managing data
- Marketing/HR/Finance/Data leads – responsible for using and accessing data

Potential DPOs
- Governors
- Deputy and Assistant Heads / senior staff without conflict (i.e. not data lead)
- External agencies providing DPO services – although this will limit your ability to engage/involve staff and ensure day to day compliance

DPO skills and abilities
- expertise in data protection laws and practices including an in-depth understanding of the GDPR
- understanding of the processing operations carried out at school
- understanding of information technologies and data security
- knowledge of the business sector and the organisation
- ability to promote a data protection culture within the organisation

Support for schools in Hertfordshire
- Training for:
  - Headteachers – briefing via HfL Business Services
  - DPOs - carrying out the role
  - SBMs and office staff – GDPR overview / implications for schools
- Funded by the LA for maintained schools; traded to academies
- An online toolkit for schools/DPOs
- HfL will work with key suppliers (Capita; RM etc) to ensure compliance

Proposed online GDPR Toolkit
Spring 2018
Including:
- Overview of the GDPR
- Guidance and reasons for undertaking an information audit
- Provision of sample privacy notices
- Provision of a GDPR compliant data protection policy
- Provision of data retention guidance
- Clauses to add to supplier contracts
- Data breach response plan together with guidance on how to exercise discretion and template letters
- SARs - what to do, when to do it and template letters
- Key questions for governors
- An audit template

Whole staff training
Available now
Breaches historically are linked to poor individual practice – ensure that staff:
- are aware of the key role they play in data security
- take reasonable steps to ensure that data is protected/held in line with school policy
- identify where breaches could occur and learn how to prevent them

Further consideration – Summer term 2018
- Servicedesk/support to seek guidance on delivering the role in schools/academies
- Remote DPO services

Next steps for schools
- Review what data is held where – is it necessary?
- Tighten passwords/access to databases/information
- Ensure staff are aware of the new focus on data security
- Consent – ensure that this is ‘opt in’ not ‘opt out’
- Use online services which are clear about their data policies – storage within the EU ideally

This presentation was brought to you by Herts for Learning. To find out about other Herts for Learning training courses or events please visit: www.hertsforlearning.co.uk/booking Visit our online shop to order additional resources at shop.hertsforlearning.co.uk