The new academic year is well under way now and autumn has truly arrived! On our recent visits to schools, it is clear to see the buzz and vibrancy in the classrooms, the passion and commitment of the staff, piles of leaves in the playground, and hats and scarves starting to appear!
This month’s newsletter focuses on a number of “housekeeping” items linked to maintaining your data protection compliance with a particular focus on staying up to date with tasks such as your ICO Registration, staff changes, data protection impact assessments, and data map changes.
If you have any further questions about the topics below, or if you would like to book a visit from us, please get in touch. Enjoy the rest of the term and we hope you are able to make the most of the season – autumnal walks through the leaves, flavoured coffees from your coffee house of choice, oh, and the small matter of the Rugby World Cup!
ICO Registrations
It is a requirement that Data Controllers are registered with the ICO and that includes schools and colleges. You should also have your Data Protection Officer named on the registration. The vast majority of our schools are registered but we have recently audited the ICO register and noted the following:
- A small number of you are not registered. This maybe because your previous registration has lapsed. It is vital that you renew your registration so that you are shown on the ICO register. You can check the ICO register here: https://ico.org.uk/ESDWebPages/Search
- A number of you are registered but do not have us named on the ICO Register as your Data Protection Officer. Please email the ICO with the subject header “Add a DPO” with your school name and ICO registration number, and our details (company name, address, phone number and email address) to dataprotectionfee@ico.org.uk. Full instructions can be found here: https://ico.org.uk/for-organisations/data-protection-fee/your-data-protection-officer-is/
Breach Logging
It has now been nearly a year and a half since the GDPR came into force. All organisations should be logging any breaches that they identify, whether they are ultimately reportable to the ICO or not. All of you have access to our Data Protection Portal – https://app.schoolpro.uk/ – where you are able to log your breaches and notify us in the event that we need to provide your with assistance.
A number of you have never logged a breach on the portal and we do urge you to keep track of all breaches and potential breaches that you identify within school. Organisations with completely blank breach logs may be interpreted as being either incredibly robust with their practice so that they never have a single breach, or that they are not taking their data protection duties seriously and are ignoring or simply not recording any breach instances.
Please stay vigilant with regards to breaches and remind staff to notify the central point of contact within your school if they have a concern or incident to report. If you are unsure whether you should be logging an incident or not, log it on the portal anyway and we can advise from there.
Data Accuracy: Keeping Up To Date
Principle 4 of the GDPR is “Accuracy”. Whilst working with schools so far this academic year, we have identified a number of areas where it is important to maintain data accuracy:
- Staffing – If you have made any staff changes that impact on who we communicate with directly at your school, please let us know so that our contact lists can be maintained and up to date.
- Data Maps – If you have or are planning to change suppliers or any processors of your data, please notify us so that we can update your data map. This will ensure that it is accurate at all times.
- Data Protection Impact Assessments (DPIAs) – We have been talking to schools about these on our latest round of visits but they are, in essence, risk assessments for your processing of data. If you are putting in place any new systems which involve personal data, a DPIA should be completed prior to implementation. There is a DPIA template on the portal but, equally, we are able to assist you in completing them if you require.
School Newsletters: Distribution by Email
Over the last week, a number of our schools have been seeking advice around one particular data protection subject: school newsletters. A question was raised as to whether or not schools need to seek consent from parents/carers for newsletters to be sent home either via pupil mail or email.
As your Data Protection Officer we ensure the advice we convey is accurate and have therefore ascertained definitive guidance through the Information Commissioners Office (ICO). As a result, we can confidently advise that schools DO NOT need to seek consent for newsletters to be communicated. However we do suggest the following steps:
- Ensure parents have provided you with their email address on data collection forms before you send anything via email.
- When sending the school newsletter via email, add an additional comment at the bottom of the email stating “if you do not wish to receive the school newsletter via email please contact the school office” or add an unsubscribe option on the email.
We are confident this is the news you would like to receive as it negates any additional work that you may have been concerned about.
GDPR in the News
Criticism of planning details hidden from the public ‘because of GDPR’ – CoventryLive
European court ruling spells end of pre-ticked cookie consent forms under GDPR – The Drum
Employee awarded damages for breach of the GDPR – Lexology
Please contact us if you do have further questions at GDPR@schoolpro.uk.