Published by Iivari Niemi; modified over 5 years ago
Slide 1: The GDPR & Schools: A Guide for Governors and Trustees
Slide 2: The Outline
- What is the GDPR
- How it relates to schools
- The nine data rights
- Key terminology
- 10 steps to implementation
- The key players
- Specific expectations of governors
- Expectations of staff
- Questions you should ask
- How ready are you?
- Finally
Slide 3: What Is The GDPR?
Slide 4: What is the GDPR
The GDPR is the General Data Protection Regulation (Regulation (EU) 2016/679).
- It supersedes the Data Protection Act 1998
- It comes into effect on 25 May 2018
- Any organisation that holds personal data will need to comply
- Those found not to be compliant can be fined up to €20 million or 4% of annual turnover, whichever is higher; for a school the turnover figure is in effect its annual budget
- The headteacher is the liable person, but governors share responsibility
Slide 5: What is the GDPR (cont'd)
- Brexit: change or no change?
- The role of the courts
- 'Learning' from implementation
- The main thrust is risk analysis, together with the principle that the data is not yours: it belongs to the individual it describes
Slide 6: How It Relates To Schools
Slides 7-8: Data In Schools
Personal data a school typically holds:
- Admission forms
- School holidays
- Contracts
- Attendance
- Publications, e.g. prospectus
- FSM / Ever 6 (free school meals) applications
- Referrals
- Exclusions
- Staff CPD
- Medical
- Websites
- Text / message services
- Behaviour records
- SEN status
- CCTV
- Test / statutory data?
Slide 9: The Key Aspects: Penalties, Data Processors, Suppliers, Data Breaches
- It will be mandatory to report personal data breaches to the ICO within 72 hours of becoming aware of them (unless the breach is unlikely to result in a risk to individuals)
- Fines of up to €20 million or 4% of annual turnover (in practice, 4% of your annual school budget) for non-compliance, as well as your Ofsted ratings being affected if policies and processes are not in place
- It is the school's responsibility to ensure that third-party suppliers who process data on its behalf also comply with the GDPR
- The GDPR demands a written contract/SLA with every such supplier, covering how the data is stored and processed (Article 28 sets out what that contract must contain)
Slide 10: Accountability, Individual Rights, Data Officers, Evidence
- GDPR gives more control to individuals, including the right to have their data corrected or erased
- It will be mandatory for schools, as public authorities, to appoint a Data Protection Officer (DPO)
- Schools must be able to demonstrate compliance
- Schools must get it right now, in 2018 and beyond
Slide 11: The Nine Data Rights
Slide 12: The 9 Rights
The GDPR outlines nine 'rights' that permeate the legislation. These are:
- Access: individuals have the right to obtain from you confirmation as to whether or not personal data concerning them is being processed and, where that is the case, access to that personal data.
- Rectification: individuals have the right to obtain from you the rectification of inaccurate personal data, and the right to provide additional personal data to complete any incomplete personal data.
- Erasure: in certain cases, individuals have the right to obtain from you the erasure of their personal data.
- Restriction of processing: individuals have the right to obtain from you a restriction of processing, applicable for a certain period and/or in certain situations.
Slide 13: The 9 Rights (cont'd)
- Portability: individuals have the right to receive from you, in a structured, commonly used and machine-readable format, their personal data, and the right to transmit (or have you transmit) that data to another controller.
- Object: in certain cases, individuals have the right to object to the processing of their personal data, including with regard to profiling. They have an absolute right to object to further processing of their personal data in so far as it is processed for direct marketing purposes.
- Automation: individuals have the right not to be subject to a decision based solely on automated processing.
- Complaints: individuals have the right to lodge complaints about your processing of their personal data with the relevant data protection authority.
- Damages: if you breach the legislation applicable to the processing of their personal data, individuals have the right to claim compensation from you for any damage that breach has caused them.
Slide 14: Vocabulary: Pseudonymisation
This new term refers to the technique of processing personal data in such a way that it can no longer be attributed to a particular data subject without cross-referencing it with other, further information. That further information must be kept separately and be subject to technical and organisational security measures, so that the data subject cannot be identified from the pseudonymised data alone. Pseudonymised information is still a form of personal data, but the GDPR promotes its use in certain circumstances to enhance privacy and contribute to overall compliance. For example, the GDPR expects pseudonymisation to be considered when personal data is processed in a way that is "incompatible" with the purposes for which it was originally obtained. Alternatively, the technique can be appropriate for schools wishing to use pupil data for historical or statistical purposes.
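The following is an added illustration, not part of the deck or of any product it describes, of what that definition means in practice for a school's pupil records. It assumes a hypothetical management-information export with a UPN, name, year group, SEN flag and attendance figure (constructed sample rows, not real pupils) and uses a keyed hash (HMAC-SHA256) under a random key as the pseudonymisation technique; the key and the token-to-identity link table are the "further information" that must be held separately from the analytics copy.

```python
"""Pseudonymising pupil records: the analytics copy keeps a keyed token per
pupil instead of the name/UPN, and the token-to-identity link table is held
separately, so re-identification needs data the analyst does not have.
Added example; the records and field names are hypothetical."""
import hashlib
import hmac
import secrets

# Constructed sample records (hypothetical pupils, not real data).
PUPIL_RECORDS = [
    {"upn": "A123456789012", "name": "Alice Example", "year": 9, "sen": True, "attendance_pct": 94.2},
    {"upn": "B123456789013", "name": "Bob Example", "year": 9, "sen": False, "attendance_pct": 88.0},
    {"upn": "C123456789014", "name": "Carol Example", "year": 10, "sen": False, "attendance_pct": 97.5},
]

# Fields that identify a pupil directly; they are stripped from the analytics copy.
DIRECT_IDENTIFIERS = ("upn", "name")


def new_pseudonymisation_key() -> bytes:
    """Random 256-bit key. Held by whoever controls re-identification (e.g. the
    MIS administrator under the DPO), never stored alongside the analytics copy."""
    return secrets.token_bytes(32)


def pseudonym_for(key: bytes, upn: str) -> str:
    """Keyed hash (HMAC-SHA256) of the pupil identifier.

    The same pupil always maps to the same token, so rows stay linkable for
    statistics across years, but without the key the token cannot be recomputed
    or reversed. A plain unkeyed SHA-256 would not do: UPNs follow a small,
    predictable format, so every possible UPN could simply be hashed and matched."""
    return hmac.new(key, upn.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key):
    """Split records into (analytics_copy, link_table).

    analytics_copy: rows with the direct identifiers replaced by pupil_token.
    link_table:     token -> direct identifiers; stored separately, with its own
                    access controls, as the GDPR definition requires."""
    analytics, link_table = [], {}
    for rec in records:
        token = pseudonym_for(key, rec["upn"])
        link_table[token] = {f: rec[f] for f in DIRECT_IDENTIFIERS}
        row = {"pupil_token": token}
        row.update({k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS})
        analytics.append(row)
    return analytics, link_table


def contains_direct_identifiers(analytics) -> bool:
    """Check to run before the analytics copy leaves the MIS: True means a direct
    identifier leaked into it and it must not be released."""
    return any(f in row for row in analytics for f in DIRECT_IDENTIFIERS)


def reidentify(analytics_row, link_table):
    """Only the holder of the link table can put a name back on a row
    (e.g. to act on a pupil flagged by the analysis)."""
    return link_table[analytics_row["pupil_token"]]


def mean_attendance_by_year(analytics):
    """A statistical use that needs no identifiers at all."""
    totals = {}
    for row in analytics:
        total = totals.setdefault(row["year"], [0.0, 0])
        total[0] += row["attendance_pct"]
        total[1] += 1
    return {year: round(s / n, 1) for year, (s, n) in totals.items()}


if __name__ == "__main__":
    key = new_pseudonymisation_key()
    analytics, link_table = pseudonymise(PUPIL_RECORDS, key)
    assert not contains_direct_identifiers(analytics)
    print("analytics copy:", analytics)  # tokens, years, SEN flags, attendance only
    print("mean attendance by year:", mean_attendance_by_year(analytics))
    print("re-identified row 0:", reidentify(analytics[0], link_table))
```

Run it as a script to see the analytics copy and one re-identified row. The design point worth noting is the keyed hash: pseudonymising with a plain hash of a UPN or a name is a common mistake, because anyone who can enumerate the likely values can rebuild the mapping, which makes the "kept separately" requirement meaningless. Where a reversible lookup is not needed at all (purely statistical use), the link table and key can be destroyed once the tokens are issued, moving the dataset closer to anonymised data.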
Slide 15: Vocabulary: PIAs
Privacy Impact Assessments (PIAs; the GDPR's own term is Data Protection Impact Assessment, DPIA) are not new, but what is new is that the GDPR will require them in certain cases. A PIA will need to be carried out when you are planning a new initiative that involves "high risk" data processing, i.e. where there is a high risk that an individual's right to privacy may be infringed, such as monitoring individuals, systematic evaluations or processing special categories of personal data, especially if the initiative involves large numbers of individuals or new technologies such as biometrics. The idea behind a PIA is to identify and minimise the risks to individuals, and with them the risks of non-compliance, before the processing starts.
Slide 16: Vocabulary: DPAs
Data Protection Audits: schools should review and document the personal data they hold, identify its source and record who it is shared with. This exercise is commonly called a data protection audit and can be carried out across the entire school or confined to distinct areas within it. Unless you know what personal data you hold and how it is being processed, it will be difficult to comply with the GDPR's accountability principle, which requires you to be able to demonstrate how the school complies with the data protection principles in practice. Another critical benefit of a data protection audit is that it maps the flows of personal data into and out of the school; it can be used to measure the degree to which the school complies with the law and to identify "red flags" that require urgent attention.
Slide 17: Vocabulary: DPPRs
The GDPR is likely to require all schools to review their policies, particularly those relating to data protection. Data protection policies for pupils and parents are used to explain an individual's legal rights and how those rights can be exercised. Because the GDPR amends those rights, your policies will also have to be amended. Any policy intended to be read by children will have to be written in clear, non-technical language and in a way that can be readily understood by the intended audience. You should ensure that your policies are easily accessible and not "buried" on your website.
Slide 18: Vocabulary: Training
Schools will continue to be under an obligation to take organisational steps to keep personal data secure, and staff data protection training will continue to be expected. New starters should receive data protection training before they are given access to personal data, and existing staff should receive regular refresher training. Schools that breach the GDPR (or the current DPA) will be criticised if they have failed to ensure that all staff who handle personal data have received data protection training, because staff training is a simple organisational measure that reduces the likelihood of data losses.
Slide 19: Getting Ready To Implement
Slide 20: The Ten Steps To Implementation
1. Raise awareness: understand the requirements and communicate what is coming to the relevant parties, e.g. staff, parents, governors
2. Accountability and data governance: how will you demonstrate compliance to the relevant parties?
3. Communicate: you need to tell individuals how you will use their data; how will you achieve this?
4. Legal grounds: ensure that any data collected or held is within the law, e.g. held with consent or on another lawful basis
5. Consent: review how you seek consent and who you allow to give it
Slide 21: The Ten Steps To Implementation (cont'd)
6. Individual rights: how will these be communicated and protected, e.g. the process for amending or changing data?
7. Right of subject access: the right to view any data held; how will this be managed? No fee can normally be charged now.
8. Data breaches: the procedure for managing, reporting and communicating breaches, plus how breaches are used to improve practice
9. Children: children are now seen as 'vulnerable' and requiring 'special consideration'. Can children approve or amend their own data?
10. International issues: does the school transfer data between itself and overseas? Will the process comply with the GDPR requirements?
Slide 22: Step 1: Raise Awareness
- Governors?
- Information governance committee?
- Key staff? E.g. admin, SENCO, visit organisers
- Identify resource implications
- Appoint a DPO
Slide 23: Step 2: Accountability
Simply complying is not enough; you will need to evidence it:
- Privacy Impact Assessments
- Data Protection Audits
- Policy statements
- Activity records
- Appointment of a DPO
- Training, basic and advanced
Slide 24: Step 3: Communicating
- Currently we provide a 'data processing' statement online
- Expectations will increase significantly
- Any change of data use from that which was originally intended must be communicated
- Privacy statement: purpose; who you share with; retention periods; the legal rights associated with the data
Slide 25: Step 4: Legal Grounds
- Data provided with consent can be deleted if that consent is withdrawn
- Three key lawful bases for processing in a school: processed with consent; where it is necessary for a contract; for compliance with a legal obligation
- The GDPR (Article 6) lists six lawful bases in total; for most of a school's core processing the relevant one is not consent but 'public task' (processing necessary to perform its statutory functions), and consent should be reserved for genuinely optional processing
Slide 26: Step 5: Consent
How does the school record consent currently?
- It must now be easy to withdraw consent previously given
- Processing requests must be separate, NOT a long list that is signed off as one 'bulk consent'
- Clarity about what they are consenting to and their right to withdraw
- You must be able to demonstrate that consent has been given
- No such thing as "if you don't reply we will presume that ..."
Slide 27: Step 6: Individual Rights
They are broadly similar to the current DPA arrangements, but have been enhanced and amended in some cases. Broadly:
- Right of subject access
- Have inaccuracies corrected
- Have information erased (the right to be 'forgotten')
- Prevent direct marketing
- Prevent automated decision-making and profiling
- Data portability: you MUST provide the information in an electronic, machine-readable format
Slide 28: Step 7: Subject Access
- Individuals are still able to request a copy of the records held on them (now known as a SAR: Subject Access Request)
- Now FREE in most cases; for manifestly unfounded or excessive requests a reasonable fee can be charged, or the request refused
- Must now be provided within one month (previously 40 calendar days); this can be extended by up to two further months where requests are complex or numerous, provided the individual is told within the first month
- If you wish to refuse a SAR you will need clear criteria, policies and procedures
Slide 29: Step 8: Data Breaches
- Internal procedures for detecting, reporting and investigating
- Mandatory notification within 72 hours of becoming aware to the supervisory authority (the ICO or other), and to the individuals affected where the breach is likely to result in a high risk to them
- Failing to notify falls in the lower fine tier: up to €10 million or 2% of annual turnover
Slide 30: Step 9: Children
- The GDPR identifies children as 'vulnerable individuals' deserving of 'special attention'
- It is expected that further guidance and 'codes of conduct' will be published in relation to children
- No prescribed age for a child
- Under-16s need parental consent where consent is the basis for processing their personal data (the default threshold for online services offered directly to a child; individual EU nations CAN lower it to 13, and the UK has done so)
- SOME exceptions exist, e.g. medical reasons
Slide 31: Step 10: International
Very similar to the DPA:
- Need to identify whether the receiving organisation or country offers GDPR-level protection
- The US Safe Harbor system is no longer acceptable
- Some derogations exist for transfers to places outside the GDPR-compliant regions, e.g. contractual necessity and explicit consent
Slide 32: Key Players
Slide 33: Data Protection Officer
- All schools must appoint a DPO
- They must not have any other duties or roles that could be seen as a 'conflict of interest', e.g. network manager, safeguarding officer
- Monitors and advises on compliance; responsibility for compliance remains with the school as controller, so senior management and governors are equally liable
- Must have the requisite skills to undertake the role, e.g. to investigate, audit, monitor and challenge
- Needs to be supported (financially) to ensure compliance
Slide 34: Teaching & Support Staff: Expectations Of
- Awareness of the regulation, the scope it brings and the rights inherent within it
- Review their own practice
- E-safety and data security
- Minimising risk: how?
- Risk of non-compliance
- Understand that the nature of their role places them in the 'high risk' category
Slide 35: Governors: Expectations Of
- Accountable, but not liable
- Responsibility lies in ensuring that it happens
- Essential that you are aware of your duties and expectations
- Training is essential
- Clarity of roles and responsibilities
- Ensuring key policies are regularly reviewed and that audits are responded to in a timely manner
- Ensuring that the right level of funding is available to meet the expectations
Slide 36: Questions Governors Should Ask Of Their Schools
Slide 37: Refer Or Not To…
Factors to weigh when deciding whether a breach should be referred (to the ICO):
- Scale: how many individuals?
- Content: nature of the content? Identifiability?
- Likelihood of return / distribution?
- Potential reputational risk
- What would the risk be in NOT referring?
Slide 38: Data Breaches: Two Examples
Example 1: Mr Jones has all his class records (including assessment and medical data) on a spreadsheet he has created himself. He keeps it on a USB stick so he can use it at home or in school. On his way home he calls into the pub and accidentally leaves his coat there, with the USB stick in the pocket. He retrieves his coat the next day, but the USB stick has gone.
Example 2: The school has a contract with a small local company to provide a text messaging service. The company stores all the data on its own servers, with a back-up on a separate server that it also holds. Its premises are broken into and one of the servers is stolen.
Slide 39: And Now For Something Else About GDPR Prep…
Slide 40: Phase 1 Implementation Steps
1. Awareness raising
2. DPO appointed
3. Implementation plan agreed
4. Key policies agreed and shared
5. Training for all
Slide 41: Phase 1 Implementation Steps (cont'd)
6. Scoping exercise undertaken
7. Initial audit undertaken
8. Phase 1 implementation (parents, web, etc.)
9. Review (including governors' 'readiness check')
10. Next steps…
Slide 42: The School Readiness Assessment Framework should be used to identify areas of strength and weakness in your school
Slide 43: Now For The Good Stuff…
Slide 44: The Nine Rights: Responding…
Information is essential; it helps reduce possible challenges…
Slide 45: The Nine Rights: Responding…
The process for making amendments / deletions…
Slide 46: Parental Information…
A sample of the kind of initial data collection form…
Slide 47: Data Breaches…
A simple and clear process for managing data breaches…
Slide 48: And Finally…
Slide 49: To Support You…
Slide 50: The GDPR & Schools: A Guide for Governors and Trustees