Welcome to this month’s newsletter. There is a lot to get through so we are going to get straight to it!

The main topic this month focuses on reducing the risk of legal claims against your school as a result of data protection breaches and other data protection incidents. There is also:

  • guidance on reducing data protection risk when using Teams;
  • an update on Covid testing in primary schools including the privacy notice template required;
  • a previously asked question about including teacher names within SAR data issued to pupils and/or parents;
  • a reminder that we have extended our budget saving referral discount for 2021-22;
  • a reminder of our new confidential waste disposal service; and
  • the latest on the new and updated resources in Global Documents this month.

If you have any further questions about the topics below, or if you would like to book your next visit from us, either online using video conferencing or onsite once schools are accepting visitors, please get in touch via GDPR@schoolpro.uk. And don’t forget, if there is anything else that you need support with at this time, please ask and we will do whatever we can within our capacity to assist.

Stay safe and healthy!

Reducing the Risk of Legal Claims

Since October, we have worked with two separate schools that have received letters from ‘no win no fee’ solicitor firms regarding data protection breaches. Both of these breaches were relatively minor and did not involve a risk that warranted a report to the ICO. However, dealing with these claims takes time and resource away from other priorities within the school and we are still unable to confirm the outcome of either. The best advice we can give you is how to reduce your risk of a breach, and therefore your risk of receiving a similar claim:

Training and Awareness

The most important action you can take is to reduce the risk of data protection breaches occurring in the first place. The main cause of data breach is human error so training staff and ensuring that they are aware of possible data protection risks is the key route to reducing your risk as an organisation.

We strongly recommend that staff receive training annually and will provide this service for you as your DPO. Many of you will already have completed training using our online training platform but, if your school hasn’t, we encourage this to be made an urgent priority. This training should be conducted by staff throughout your organisation including governors, senior and middle leaders, administration and office staff, teachers and TAs, site staff, cleaners, and any other roles that may handle data.

Each claim letter that has come through has asked the school to identify when the staff members involved in the breach had last received training. Whilst this shouldn’t be the sole reason for conducting staff training, it is important nonetheless.

There are other methods of raising awareness that should also be considered, including posters and infographics in key work spaces and online staff shared areas, as well as reminders through staff briefings, newsletters, and CPD sessions. Global Documents contains examples of resources you can use for this. Or speak to us if you need something bespoke.

Other Actions to Take as an Organisation

Whilst training is the most important action in the first place, there are a number of others you should take to further reduce your risk. You will no doubt be already working through this with us and this list is by no means exhaustive. You should ensure that:
  • you have recently had a data protection audit from us as your DPO;
  • governance has oversight of data protection across the organisation and that it is a standing agenda item at Governor and/or Trustees meetings;
  • data mapping is completed and up to date;
  • your suppliers (processors) are compliance checked, data processing agreements are in place if required, and you know if data is being transferred internationally (and, if so, it is being done using appropriate safeguards);
  • your policies and privacy notices are up to date and available where necessary;
  • you have risk/impact assessments (DPIAs) in place for high risk and large scale processing activities; and
  • you speak to us as your DPO as part of your procurement process for new suppliers to ensure the appropriate checks and mapping updates are carried out prior to use.
We are here to support you with all of these points so please contact us if you need to clarify any of them. We will also be in touch to discuss what we consider to be your areas of priority.

Reducing Risk Using Teams for Video Conferencing

A common data breach that occurs in schools involves the unauthorised disclosure of personal data – in other words, sharing personal data with the wrong people or organisations!

We currently see this most often where emails are sent to groups of individuals outside of an organisation and the mailing list is set up in such a way that all of the email addresses are visible to all recipients. This is classed as an unauthorised disclosure and therefore a data breach. We are also seeing this a lot where schools are using video conferencing tools such as MS Teams and inviting individuals outside of their organisation to video meetings. Setting up a meeting for a group of parents, for example, can end up sharing email addresses with all participants accidentally. To avoid this kind of breach, it is important that the meetings are set up and configured appropriately.

Teams is primarily designed as an internal organisation collaboration tool so there is no direct way to hide email addresses in Teams invites. Along with Cloud Happi (CloudHappi – For Better Education, Look To The Cloud), we have identified a number of ways to prevent this risk from occurring. However, we recommend you test these before you try them on a group!

Option 1

  • In Outlook, open the Calendar and click on the menu icon “New Teams Meeting” and create your meeting.
  • For the invitees, click on the word/button REQUIRED or OPTIONAL (both get you to the same place).
  • In the dialogue box at the bottom, enter all the invitees’ email addresses in the resources box.
  • Click OK.
  • It may ask if you wish to update the location – click NO.
  • Ensure the LOCATION box has something in it such as “Team Meeting” and NOT the email addresses.
  • Send the invite, and each user will get an invite with no sight of any other invitees.

Option 2

  • Log into the online / web version of Outlook.
  • Create a new event as a Teams event and then select ‘Hide attendee list’ from the ‘Response Options’ dropdown tab.

Option 3

  • Create a meeting in Teams without attendees.
  • Copy the meeting link into an email and send to all attendees using the Bcc field for the attendees’ email addresses.
  • Ensure that the meeting lobby is monitored during the meeting as anyone with the link can attempt to enter the meeting. This can cause a security concern if not monitored rigorously.

Option 4

  • If you are using Microsoft School Data Sync (SDS) to sync your organisation structure with Office365 and Teams, you may be able to use the new Parent and Guardian Sync feature to add these external contact details to the system. This is described here: Parent and Guardian Sync – School Data Sync | Microsoft Docs.
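
The following Python is an added example, not part of the original newsletter and not SchoolPro's or Microsoft's own tooling. It checks a message for the unauthorised disclosure described above (two or more external addresses visible in To/Cc) and builds an Option 3 style email in which the parents appear only in the SMTP envelope. The domain `school.example`, the sample addresses, the placeholder meeting link and all function names are assumptions.

```python
from email import message_from_string
from email.message import EmailMessage
from email.utils import getaddresses

INTERNAL_DOMAINS = {"school.example"}  # assumption: the school's own mail domain

# Constructed sample: a group email with two parents in the visible To header.
SAMPLE_RISKY = """\
From: office@school.example
To: Parent A <parent.a@mail.example>, parent.b@post.example
Cc: head@school.example
Subject: Parents' evening

Meeting link inside.
"""

def visible_external_recipients(msg, internal_domains=INTERNAL_DOMAINS):
    """External addresses that every recipient can read in To and Cc."""
    headers = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    found = {addr.lower() for _, addr in getaddresses(headers) if "@" in addr}
    return sorted(a for a in found
                  if a.rsplit("@", 1)[1] not in internal_domains)

def is_disclosure_risk(msg, internal_domains=INTERNAL_DOMAINS):
    """True when two or more external addresses are exposed to each other."""
    return len(visible_external_recipients(msg, internal_domains)) >= 2

def build_bcc_style_invite(sender, parents, meeting_link):
    """Option 3: link in the body, parents only in the SMTP envelope."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender  # the only visible recipient is the sender
    msg["Subject"] = "Parents' meeting link"
    msg.set_content(f"Join the meeting here: {meeting_link}")
    # Pass the returned list as to_addrs to smtplib.SMTP.send_message().
    return msg, list(parents)

if __name__ == "__main__":
    risky = message_from_string(SAMPLE_RISKY)
    print("exposed:", visible_external_recipients(risky))
    safe, envelope = build_bcc_style_invite(
        "office@school.example",
        ["parent.a@mail.example", "parent.b@post.example"],
        "https://meeting.example/placeholder")
    print("risk after Bcc-style send:", is_disclosure_risk(safe), envelope)
```
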

Data Protection & Covid Testing in Schools

In January, we sent out the latest template privacy notice for primary school staff and the new Covid testing programme, which has been updated for you with our details as DPO.

If you missed that communication, the document is linked below and simply needs the school details added as well as a contact at the school. The document is also available in the Global Documents section of our data protection portal. There is also the link to the latest DfE guidance and the Google folder for Primary Schools Document Sharing.

Coronavirus (COVID-19) asymptomatic testing in schools and colleges – GOV.UK (www.gov.uk)

Primary Schools Document Sharing Platform – Google Drive

Privacy Notice – Covid-19 Testing of Staff in Primary Schools

For those looking for it, the Google Drive folder for secondary schools can still be found in our last newsletter which is elsewhere on our blog here:
Happy New Year from SchoolPro! – Newsletter 17 – January ’21

Previously Asked Question

We are asked data protection questions by schools on a daily basis and there are some questions that come up regularly. We now have an FAQ section on the website for these and all of our answers are published there. You can find this on the Data Protection page of the website or in the blog. Here is one of the questions we’ve been asked recently and the answer we have provided. We will publish more in future newsletters:

Should teacher names be disclosed in information contained in a Subject Access Request (SAR) by a parent or pupil?

The overall guidance regarding the Right of Access which covers SARs is as follows:

Right of access | ICO

The specific area we want in this case is the guidance on Education Data:

Education data | ICO

In this guidance, it states, for example: “Parents can only submit a SAR for information about their child if the child is not competent to act on their own behalf or has given their consent.” This then links to further guidance (How do we recognise a subject access request (SAR)? | ICO) which clarifies how to make the decision around competency.

The guidance also states “if an educational record contains personal data relating to someone other than the requester (such as a family member), you must consider the rules about third-party data before disclosing it to the requester. However, you should not normally withhold information that identifies a teacher.”

On a side note, you also shouldn’t provide information that has been “supplied in a report or given as evidence to the court in the case of proceedings” or if “certain specific statutory rules apply to those [court] proceedings that allow the withholding of the data from the individual it relates to.” And you also shouldn’t provide information if you feel that disclosure could cause serious harm (“cause serious harm to the physical or mental health of any individual”).

The final piece of guidance which is of use in this case is this:

What should we do if the request involves information about other individuals? | ICO

In here, it states the following about an education worker: “it is reasonable to disclose information about them without their consent, as long as the disclosure meets the appropriate ‘test’.”

The test being the following in the case of most of the education establishments we work with:

“For education workers, it meets the ‘education data test’ if the other individual is a teacher or other employee at a voluntary aided, foundation or foundation special school, an Academy school, an alternate provision Academy, an independent school or a non-maintained special school in England or Wales, and the information relates to, or was supplied by, the other individual in their capacity as an employee of an education authority.”

So it is unlikely that teacher names would be redacted from a SAR about a student except in exceptional circumstances.

Next month – we are going to look at what to do if you have concerns that data produced as part of a SAR, including teacher names, might be posted on social media or similar.

Referral Discount – Deadline Extended!

We have previously mentioned our budget saving triple referral discount deal because we know that budgets are tight. A number of schools have taken advantage of the offer and we want to remind you that this is still available and that we have extended the deadline for the offer.

We are offering you a triple referral discount for any new school that you refer to us and that signs up to our DPO service between now and the end of February 2021. We have extended the offer to allow more schools to benefit and save money. Our usual referral discount is 10% per school referred so this means you would get a discount of 30% off your school’s* subscription for 2021.

If you were to refer 3 schools to us by the end of February 2021 who all signed up to our DPO service, you would receive 90% off your school’s* subscription fee for 2021! Refer 4 or more schools and it will be free*!

Please note – maximum referral discount is 100% which would apply if 4 or more schools were successfully referred.
*Referral discount applies to annual fee for 2021-22 only.
*Referral discount applies differently to MATS. To discuss how this would apply to your MAT, please contact your DPO directly.

Confidential Waste Disposal Service

We would like to take the chance to remind you of our discounted secure confidential waste disposal service that we recently launched. This will have the added bonus of being fully documented and compliance checked by us as your Data Protection Officer.

Click on the button below and complete our short 30-second survey to register your interest and request a quote:

New & Updated Resources on the Portal

This month we have three new and one updated document resources for you in Global Documents.

We would also like to note that in the original Privacy Notice for Covid-19 Testing of Staff in Primary Schools document that we circulated, we made an error in one of the section headings. The heading “Who We Share Staff Data With” had the word “Pupil” in place of “Staff”. If you are using the template from that email, you will need to change that text. The version in Global Documents and linked to our blog post correctly uses the word “Staff”. Apologies for the inconvenience!

New Documents

  • DPIA for the Implementation and Use of Wonde
  • Privacy Notice for Covid-19 Testing of Staff in Primary Schools
  • DPIA for the Implementation and Use of Tapestry

Updated Document

  • Template consent form
    • Updated to include explicit listing of specific social media and other online platforms that the organisation may use to share images of pupils/students

Note – As a consequence of Brexit, organisations based within the UK are now subject to the UK GDPR which has replaced the GDPR. We are in the process of updating our key document templates to reflect this change. These documents will be uploaded to Global Documents over the coming weeks and we will notify you exactly which documents this is relevant to in March’s newsletter.

Data Protection in the News

Mandatory WhatsApp Privacy Policy Update Allows User Data to be Shared With Facebook | MacRumors

Tech Tip – How To ‘Unsend’ An Email With Gmail – Cheltenham IT Support Specialists | Reform IT

Capitol rioters’ breach of government computers is cybersecurity ‘worst case scenario’, says expert | The Independent

Unauthorised RAC staffer harvested customer details then sold them to accident claims management company | The Register

WhatsApp To Share Users’ Personal Info – Cheltenham IT Support Specialists | Reform IT

Brexit – Temporary Data Adequacy Granted to the UK – Cheltenham IT Support Specialists | Reform IT

What’s up with WhatsApp’s privacy policy? – Malwarebytes Labs | Malwarebytes Labs

Labour Party urges UK data watchdog to update its Code of Employment Practices to tackle workplace snooping | The Register

Featured Article – Data About You Held By UK Government – Cheltenham IT Support Specialists | Reform IT

Laptops given to British schools came preloaded with remote-access worm | The Register

Privacy complaint targets European parliament’s COVID-19 test-booking site | TechCrunch

WhatsApp facing up to €50M privacy fine | POLITICO

Microsoft Edge goes homomorphic: Nobody will see your credentials… but you’ll need to sign in to use it | The Register

Man arrested after UK school finds wiped hard drives on devices connected to network | The Register

Showering malware-laced laptops on UK schools is the wrong way to teach them about cybersecurity | The Register

WhatsApp responds to concerns over privacy policy update | CNET

WhatsApp Fueled A Global Misinformation Crisis. Now, It’s Stuck In One. | buzzfeednews.com

Conservative Party ‘illegally collected ethnicity data on 10 million voters’ | The Independent

Grindr fined £8.6m in Norway over sharing personal information | Technology | The Guardian

European Commission redacts AstraZeneca vaccine contract – but forgets to wipe the bookmarks tab | The Register

Coronavirus: How does Covid-19 test-and-trace work? | BBC News

Why your face could be set to replace your bank card | BBC News

Please contact us at GDPR@schoolpro.uk if you have further questions.


SchoolPro TLC Ltd (2021)
SchoolPro TLC is not responsible for the content of external websites.