Merry Christmas!

It is approaching the end of the longest school term in human history and, as ever, you are continuing to do phenomenal work keeping your communities going and improving the life chances of young people. The capacity of schools in adversity never stops amazing us. It is very nearly time for a well-deserved break, even if Christmas is going to look a little different this year. Please remind staff to secure all personal data (hard copy or electronic) before leaving at the end of term and to enjoy the holiday! Don’t forget, if there is anything else that you need support with at this time, please ask and we will do whatever we can within our capacity to provide that support.

The main update this month is regarding data protection and Brexit, what changes there may now be at the end of the transition period, and what precautions you can take to ensure a smooth flow of data. There is also:

  • an overview of best practice when it comes to data protection for remote Christmas events such as nativity plays and Christmas shows;
  • a previously asked question about giving out lists of children’s names for Christmas card lists;
  • our budget saving referral discount for 2021-22;
  • a reminder of our new confidential waste disposal service; and
  • the latest on the new and updated resources in Global Documents this month.

If you have any further questions about the topics below, or if you would like to book your next visit from us, either online using video conferencing or onsite once schools are accepting visitors, please get in touch via GDPR@schoolpro.uk.

Stay safe and healthy!

Data Protection and Brexit

With Brexit now three weeks away, we find ourselves in a situation where it is still not clear what our relationship with the EU is going to look like, which makes robust preparation a challenge. The ICO does have guidance to help us prepare as best we can, though, and here are the key points.

What happens at the end of the transition period?

That depends on negotiations during the transition period. The GDPR will be brought into UK law as the ‘UK GDPR’, but there may be further developments about how we deal with particular issues such as UK-EU transfers. The GDPR will be retained in domestic law at the end of the transition period, but the UK will have the independence to keep the framework under review.

Will the GDPR still apply when we leave the EU?

The GDPR is an EU Regulation and, in principle, it will no longer apply to the UK from the end of the transition period. However, if you operate inside the UK, you will need to comply with UK data protection law. The government has said that it intends to incorporate the GDPR into UK data protection law from the end of the transition period – so in practice there will be little change to the core data protection principles, rights and obligations found in the GDPR.

The GDPR will still apply to any organisations in Europe who send you data, so you may need to help them decide how to transfer personal data to the UK in line with the GDPR.

Can we still transfer data to and from Europe if we leave without a deal?

The government has said that transfers of data from the UK to the European Economic Area (EEA) will not be restricted. However, from the end of the transition period, unless the EU Commission makes an adequacy decision, GDPR transfer rules will apply to any data coming from the EEA into the UK. You need to consider what GDPR safeguards you can put in place to ensure that data can continue to flow into the UK.

As we currently interpret the situation, the biggest risk is with this third point. If you are using a system that holds data in the EEA, there is a slim possibility that you won’t be able to access that data after the 31st December 2020. Equally, if you work with a company based in the EEA – for example, a ski trip or student exchange provider – you may not be able to receive data from them as normal. Many companies have already put safeguards in place to maintain the flow of data, such as transferring to UK data centres or putting in place standard contractual clauses for the data transfers. We also know that a number of school suppliers have been communicating directly with schools about the steps that they have taken or are taking.

If you are concerned about any of the systems you use, please contact us; we can clarify the situation for you and help you to mitigate the risk.

For more information and the source of some of the material in this article, go to the ICO website and the following pages:

Information rights at the end of the transition period – Frequently Asked Questions | ICO

International data transfers | ICO

Christmas Events & Data Protection

Last year, we discussed the fact that at this time of year, every school around the country will be putting on Christmas performances of some kind, whether it is a traditional nativity play or something completely different. Clearly that will be different this year due to the pandemic, and a number of you have asked for advice with regard to your data protection duties concerning the shows you will put on this year. The Global Documents section of the portal contains a DPIA that covers school shows that are conducted remotely, which we advise you to download, review, and adopt as a school.

Here are some of the key points we have identified that are covered in that DPIA:
  • Electronic information, comprising potentially both audio and video of both staff and pupils, will be processed using school-controlled or -owned equipment only. It will be processed only with the explicit knowledge of all involved, and control of all video and audio streams will be given to the organising teacher. Processing will only occur as part of the agreed online learning and educational purpose.
  • Access to data during online events should be restricted to those authorised to view. This will generally be limited to the pupils and appropriate staff members, including those with line management or safeguarding responsibilities, or those invited by the organising teacher, including families of those participating in the event.
  • Only the approved system organised, overseen and monitored by the school can be used for this delivery. 
  • The organisation may record online events. Participants will be clearly notified of any recording before it commences. 
  • The recording will be stored electronically on the school network within the assigned secure area only or within the designated storage area for access by pupils. The information is to be retained as part of the online provision for <insert your retention period> as agreed with teaching staff and parents. Recordings of events may be retained indefinitely as part of the historical archive of the school. This will be done securely in line with the school’s archive data storage and security protocols.
  • RISK – Risk of compromise and unlawful access to image and audio during events, potential to lead to data breach with information shared on screen.
    MITIGATING ACTION – Clarify expectations around the oversight of remote events by those that are not invited to the event (for example, viewing the event in a public place) in relevant documentation such as Remote Learning/Events Code of Conduct and in remote event consent documentation. 
  • RISK – Risk of compromise and unlawful access to image and audio, potential to lead to data breach with recordings made available to unauthorized personnel or even made public due to sharing of live streams or event recordings.
    MITIGATING ACTION – Clarify expectations around the recording and sharing of remote events or onward sharing of live stream links to those not invited to the event in relevant documentation such as Remote Learning/Events Code of Conduct and in remote event consent documentation. Implement access restrictions such as passwords to prevent unauthorized users accessing the live stream. Implement technological solutions to prevent recording of streams where possible.

Further detail can be found in the DPIA template for online and live recorded lessons & events (remote learning & events) found in Global Documents on the portal.

Previously Asked Question

We are asked data protection questions by schools on a daily basis and there are some questions that come up regularly. We now have an FAQ section on this website for these and all of our answers are published there. You can find this on the Data Protection page of this website or elsewhere in this blog. Here is one of the questions we’ve been asked recently and the answer we have provided. We will publish more in future newsletters:

Should we send out Christmas card lists to parents with names of the children in a class/group/bubble/year?

From a pure data protection point of view, giving out the names of the children within a class or year group to all of the parents is not a good idea if they haven’t given consent. Whilst a first name on its own might not seem like a lot of data (because it isn’t), it can then be matched to the year and class of the child and someone could start to build a picture (even if it is a very blurry one at this point). And it only takes one parent to complain that they didn’t want their child’s name given out for the school to have to answer some awkward questions. Here are some alternative ideas though:

  • Add a line on the consent form regarding sharing a first name only with other members of the class/group/bubble etc. for the purposes of Christmas/Birthday lists when the child joins the school or at the start of the year. Not helpful at this point for the current cohorts, we realise, but useful for next year onwards.
  • Ask for consent at this point. This may not be practical depending on the size of the classes or the situation with the pandemic. It could be as simple as the class teacher asking parents whether they are happy for their child’s name to be on the list as they pick their child up at the end of the day and ticking them off. Or, if the school is using online solutions for communication with parents, putting the question out on that or posting a poll for them to complete.
  • Finally, the other thing a lot of schools are doing now is getting the parents to collate the list between them. Then it is the parents that are giving each other the children’s names and not the school at all. Some parents have done this by creating a sign-up sheet to go on the outside of the class door so parents add their child’s name at pick-up time (maybe not practical during Covid) and then the list is circulated by one of the parents. Others have parents that set up WhatsApp or Facebook groups for the other parents in their class and they share the children’s names that way.

Referral Discount – Deadline Extended!

We have previously mentioned our budget-saving triple referral discount deal because we know that budgets are tight. A number of schools have taken advantage of the offer, and we want to remind you that it is still available and that we have extended the deadline for the offer.

We are offering you a triple referral discount for any new school that you refer to us and that signs up to our DPO service between now and February half term 2021. We have extended the offer to allow more schools to benefit and save money. Our usual referral discount is 10% per school referred, so this means you would get a discount of 30% off your school’s* subscription for 2021.

If you were to refer 3 schools to us by Christmas who all signed up to our DPO service, you would receive 90% off your school’s* subscription fee for 2021! Refer 4 or more schools and it will be free*!

Please note – maximum referral discount is 100% which would apply if 4 or more schools were successfully referred.
*Referral discount applies to annual fee for 2021-22 only.
*Referral discount applies differently to MATs. To discuss how this would apply to your MAT, please contact your DPO directly.

Confidential Waste Disposal Service

We would like to take the chance to remind you of our discounted secure confidential waste disposal service that we recently launched. This will have the added bonus of being fully documented and compliance checked by us as your Data Protection Officer.

Click on the button below and complete our short 30-second survey to register your interest and request a quote:

New & Updated Resources on the Portal

This month we have five new document resources for you in Global Documents and three updated documents:

New Documents

  • DPIA template for the implementation and use of Seesaw
  • DPIA template for online and live recorded lessons & events (remote learning & events)
  • Records Management Policy (also known as a Data Retention Policy) for Academies
  • DPIA for the implementation and use of InVentry (sign-in system)
  • Image Sharing Check and Record Log Template

Updated Documents

  • DPIA template for online and live recorded lessons (remote learning)
    • Minor corrections and amendments
  • Records Management Policy (Data Retention Policy) template for Schools
    • Updated to distinguish it from the new Records Management Policy template for Academies
  • Freedom of Information Policy template
    • Minor corrections and amendments

Data Protection in the News

Experian’s GDPR violation leaves companies scrambling to understand ‘legitimate interest’ | SC Media (scmagazine.com)

UK’s ICO faces legal action after closing adtech complaint with nothing to show for it | TechCrunch

Millions of Hotel Guests Worldwide Caught Up in Mass Data Leak | Threatpost

Data breach at Mashable leaks users’ personal information online | The Daily Swig (portswigger.net)

Microsoft warns against SMS, voice calls for multi-factor authentication: Try something that can’t be SIM swapped | The Register

DWP exposed 6,000 people’s data online for two years | IT PRO

Data breach potentially exposes details of millions of booking.com and Expedia customers | The Independent

Crown Prosecution Service guilty of ‘serious’ data breaches | Law | The Times

A breakdown of EDPB’s recommendations for data transfers post-‘Schrems II’ | IAPP (iapp.org)

Kids’ gaming website Animal Jam breached after miscreants spot private AWS key on pwned Slack channel | The Register

Brit Conservative Party used 10 million people’s names to derive their country of origin, ethnicity and religion according to ICO report | The Register

Privacy activists in EU file complaints over iPhone tracking | AP News (apnews.com)

Max Schrems is back… and he’s challenging Apple’s ‘secret iPhone advertising tracking cookies’ in Europe | The Register

Micropayments company Coil distributes new privacy policy with email that puts users’ addresses in the ‘To:’ field | The Register

Google Accused of ‘Stealing’ Android Data – Cheltenham IT Support Specialists | Reform IT

Apple accuses Facebook of ‘disregard for user privacy’ | Technology | The Guardian

Head thumping, heart racing? Here’s how not to panic when you’re under cyber attack | The Register

HMRC Self Assessment Scam Warning – Cheltenham IT Support Specialists | Reform IT

Privacy campaigner flags concerns about Microsoft’s creepy Productivity Score | The Register

Manchester United email servers remain offline amid what is being called a ‘ransomware’ attack | The Register

Guernsey law firm fined £10,000 for data security breach | BBC News

NHS data: Can web creator Sir Tim Berners-Lee fix it? | BBC News

Disabled children’s names revealed in Bristol City Council email | BBC News

NHS data breach involving 284 patients uncovered | BBC News

Your data and how it is used to gain your vote | BBC News

Please contact us if you do have further questions at GDPR@schoolpro.uk.

 

SchoolPro TLC Ltd (2020)
SchoolPro TLC is not responsible for the content of external websites.