View by

The Optimus blog

The blog that inspires leaders in the UK education sector

The Optimus blog

The blog that inspires leaders in the UK education sector

Caroline Collins
14 March 2018

GDPR: progress so far and next steps

Not long now until the GDPR comes into force. What progress have we made and how ready are we?

In my last post I talked about the work I’ve been doing in school to help us prepare for the GDPR. It feels a little like my life has been taken over by data protection and the GDPR but I confess, quietly, that I have been enjoying it.

When I wrote my previous post, I had just finished putting together my compliance document and information audit. I sent the audit to the leadership team because there were areas that I simply couldn’t answer because I don’t know what data teachers process themselves. I haven’t had any comments back yet so am now on a mission to chase for them. I can’t finalise the information audit without their input.

Progress so far

I’ve been working on the action plan I created from the self-assessment questionnaire and information audit. I’ve achieved a fair amount but it is hard to juggle that with the day job. I’ve been dealing with the financial year end, inducting a new site manager and a new administrator, undertaking health and safety audits, issuing contracts to new staff, finalising support staff contractual hours and moving over to a new payroll system. Finding additional time for GDPR readiness has been rather challenging. 

Policies

I finally went through the policies that the GDPR might impact and added them to the action plan. I also managed to review some of these. It’s easy to think that all we need to do is review our data protection policy but the GDPR is going to impact on several other policies.  
 
The policies I’ve identified so far have included:
  • CCTV
  • data management and ICT security
  • taking photos in school
  • subject access requests and procedures
  • individual rights
  • generic fair processing.

Privacy noti​ces

The DfE has updated their privacy notices to be GDPR compliant. To save time I downloaded these for parents and staff, adapted them to suit our school, issued them and uploaded them to our website. These will need to be issued for other data processing we do in the future, but for now, at least I know I have covered the basics. 
 
I now need to print those privacy notices so that they can be displayed in the main school office and in the staff room… but I haven’t yet found a spare two minutes to do it.

Staff training

I have written and delivered two sessions of staff training recently, one for teaching staff and one for support staff on an introduction to the GDPR. Unfortunately, I scheduled a date when about six of the support staff members were out on trips so I have to rerun it towards the end of March.
 
I got good feedback from staff, with some not really understanding what the GDPR was before the training and others having not realised how much it might impact on the school. The teachers’ biggest concern was around taking data off site and having a clear desk policy while support staff spent a great deal of time discussing the idea that a 13-year old is mature enough to decide whether or not to consent.

Data protection officer

I’m waiting for our HR team to send me a job description that would suit our school. The governors and headteacher have decided that they want my current job description to be reviewed so that it can accommodate the DPO role. As the SBM many will balk at the idea but we think we’ve come up with a valid justification for me doing it.

Our theory is that the idea that a SBM can’t be the DPO is based on decision-making around data processing. As a maintained school I don’t decide what data we collect, why we collect it or how we collect it. We are told by the DfE and the local authority what data we’re required to collect, how and why. 

I read an article that gave a good example of this: a school wants to change its management information system and a person in school makes the decision of which one to purchase – that person cannot be the DPO.

If the DPO is in place and is asked to make the decision they would need to refuse. Again, in maintained schools this isn’t such a big issue because those kinds of decisions are ultimately taken by the governing body. So, the question of the SBM being a DPO depends really on the context of the role and the school type.

Gover​nors

I have done a report to the governing body on the GDPR but the agenda was so jam-packed they have asked me to do a longer presentation at the next meeting. At least they are aware of what’s happening.

Challen​ges

The biggest challenge has been finding the time to do it all because it’s in addition to looking after the school finances, HR, health and safety and attendance. My next priorities are to draw up the rest of the policies and make sure they’re embedded into our school life.
 
I hope that by the time my next blog comes out I will have a job description for the DPO and, who knows, we might even have recruited.

GDPR for Schools

Our GDPR for Schools conference will be providing more information and guidance on the new ePR, as well as an update from the ICO.

Taking place in London on 27 November and Manchester on 24 January 2019, you can secure your place now.

 

Categories: 
School performance and accountability
Tags: 
GDPR
data
Online privacy
Staff

Similar Posts

Caroline Collins
16 November 2023

Managing and investigating complaints

When it comes to complaints, it's essential to take prompt action to maintain positive relationships with parents and prevent damage to your school's reputation. Caroline Collins advises how to manage the complaints process and communicate outcomes openly. */ Nobody wants to receive a complaint but...
Read more...
Lisa Griffin
19 July 2023

Five ways to make your MAT more sustainable

Looking for ways to go greener in your multi-academy trust? Use these ideas to inspire you to creating a more sustainable and environmentally friendly trust. More and more schools are adopting environmental sustainability as a core value and raising awareness of it among staff, pupils, and parents...
Read more...
Elizabeth Holmes
21 June 2023

Eight ways to simplicity – small steps towards clarity

Discover the transformative power of simplicity in education. Elizabeth Holmes explores practical steps to declutter and focus on fostering wellbeing and renewed purpose as an educator. I remember sitting in a colleague’s office several years ago waiting for a meeting to start and watching while he...
Read more...
Privacy statement Terms & Conditions