Who can be my Data Protection Officer (DPO)?
This can be anyone who has no strategic or operational decision-making role with regards to data and data systems in your school. It doesn’t have to be a member of your own staff.
Examples of roles that are likely to not be able to be your DPO include the Headteacher, School Business Manager, Data Manager, IT Manager and most other senior leadership roles.
How We Can Help
As an education provider, you have a responsibility to protect your students, staﬀ and school. However, the responsibility isn’t just with protecting the physical form – it also comes down to the protection of any information or data you hold about said individuals and how it’s managed and controlled within your environment.
SchoolPro TLC provides the role of Data Protection Oﬃcer (DPO) as a service for schools to demonstrate an enhanced level of data protection compliance to the Information Commissioner’s Office. Our DPO Service is intended to assist schools and multi-academy trusts (MATs) in complying with the requirement to appointment such a role with the responsibilities set out in the Data Protection Act 2018.
Our staff are experienced school leaders so understand the data flows and need for data in different areas of the school. Our support as DPO includes a free online recording and reporting system for all relevant GDPR information, so you don’t have to pay additionally for another expensive system.
We also provide a great deal of functions compared to some other purchased services, including completed Data Privacy Impact Assessments and compliance checking of supplier data privacy agreements.
How It Works
Our delivery of the Data Protection Oﬃcer role shall include:
- Providing advice and guidance when required
- Supporting and monitoring the maintenance of data records
- Drafting data policies and procedures
- Providing training for employees
- Acting as the ﬁrst point of contact with authorities
- Supporting the management of Subject Access Requests and those under the Freedom of Information Act 2000
- Supporting the management, including investigation, reporting and review, of data breach incidents
- Conducting an internal audit of your data processes up to twice a year
- Providing you with access to our speciﬁcally designed Data Protection Portal
What are the advantages of outsourcing the DPO role for my school?
Access to high-levels of expertise and banks of resources. It also gives you an impartial view of your systems, processes and practice. In the event of a data protection incident, impact on the day-to-day running of the school will be minimal as school staff can continue to carry out their roles. It is likely that this will also be a more cost effective approach than using an existing member of staff when compared to additional non-contact time, training and, possibly, a TLR. The support is also available outside normal school working hours and during the school holidays.
A Cost Neutral Solution for GDPR in Schools
Our DPO service is cost-neutral compared to other, alternative solutions. For a school to appoint their own DPO, they will need to fund training for that individual and give them time to complete the role effectively. They will possibly also need to provide a financial incentive (such as a TLR) to them. Our experience and knowledge base (as well as economies of scale due to working with hundreds of schools) allow us to dramatically cut down these costs as well.
For example, a school senior leader earning £50k p.a. who is given an hour a week across the year to complete their DPO work is costing a school at least £2k which is less than our most expensive rate.
Data Protection Audits
One of our DPOs will carry out audits to provide an assessment of whether you and your school are following good data protection practice. The audits will look at whether they are following your policies and procedures and make recommendations for improvements, including any new guidance from the ICO. The audits can be undertaken alone or in conjunction with your DPO.
Data Protection Portal
In line with the Data Protection Act 2018 and in conjunction with the ICO published audit reports from MATs, we have designed a portal that enables schools and MATs to hold and log all relevant data protection information in one place. This includes all of our policy and document templates as well as the logging and reporting of data breaches, subject access requests and data decisions. All school-specific documents are hosted here including audit reports and all logs are also easily downloadable for review at governor or trustee level.
The portal is split into five distinct sections:
- Breaches – log and report on any data breaches that may occur in your schools.
- Subject Access Requests – log and report on any subject access requests that may occur in your schools.
- Data Decisions – log and report on any data decisions made where data is processed in such a way that could create risks to the rights and freedoms of individuals, or it involves special categories of data. It can also be used to log incidences of one-off data sharing.
- Global Documents – access and download all of our supporting material for data protection including policy templates, training resources, privacy notices, retention schedules and data protection impact assessments.
- School Documents – access and download any school-specific documents once completed such as audit reports and your data maps.
Our online tool is hosted and secured on servers located in the UK. Our systems and processes anonymise all data where possible so it is not personally identifiable and we have a regular routine for deletion of any identifiable information.
Data Protection Training / CPD
Aims of this session are to:
- Develop an understanding of the statutory responsibility to monitor and evaluate data processing within your setting
- Develop a greater awareness of the potential pitfalls
- Share good practice in relation to data protection using case studies from schools we currently work with
- Raise awareness of how data protection is everyone’s concern
All of our CPD sessions can be delivered to a whole staﬀ body or we offer bespoke sessions for different groups of staff, for example governors, senior leaders, admin, SENDCO, new starters, or as refresher training. Here is an example of our Data Protection Training for SENDCOs and DSLs.
The aim of the session is to:
- Develop an understanding of the statutory responsibility to monitor and evaluate data processing with speciﬁc focus on SEN and Child Protection (CP) pupils
- Develop a greater awareness of the potential pitfalls of processing SEN and CP data
- Share good practice in relation data protection using case studies from schools we currently work with
- Raise awareness of the retention schedules for SEN and CP data
Our CPD sessions are delivered on site with staff, so they can fully engage and ask questions that are directly relevant to school staff and their specific role. As we are experienced school leaders, we do understand the need for all roles in school, so our advice and guidance is education- and role-specific.
Whole staff sessions run for about an hour, other bespoke sessions can vary in length depending on need. Where INSET time does not allow for one of our sessions, we will provide materials for all content and keep you informed of any relevant updates.
As we don’t want to hold too much personal data, we do not hold lists of names of staff that attended courses but we will record when school training took place and the content delivered.
How often will you be onsite?
You can expect to see your DPO twice a year for routine visits (audits and training) but they will also be available whenever needed in the event of a data protection incident.
Will I get remote support when they are not onsite?
Yes, your DPO will be available via phone and email when not visiting your site. You will also have access to our online portal for reporting breaches and subject access requests, logging data decisions and downloading document templates.
What about school holidays?
Our DPOs will be available to provide support both during term-time and during the school holidays.
We provide all schools with a data sharing agreement to include necessary guarantees about data.