Summary - See attachment for report.
Foreword by Neil McIvor, Chief Data Officer, DfE
Data plays a key role in our modern education system by providing opportunities to
monitor effectively the progress of learners, enabling robust evaluation of methods,
promoting evidence-based practice, and providing opportunities for huge efficiency
improvements in school operations.
The use of data across our sector and beyond has developed significantly in recent
years. It is therefore right that the law, processes and capabilities required for effective
custodianship of children’s data were updated to meet the growing demands imposed by
modern data protection challenges.
The new data protection legislation that came into effect in May 2018 provides both
challenges and opportunities. Understanding, aligning and complying with the new law is
a challenge for all organisations, big or small. It does, however, provide an opportunity to
refresh our policies and procedures relating to the safe stewardship of data. The new
legislation is generating momentum around auditing where organisations are, identifying
risks, and developing coherent plans to manage them down. It also places a firm
emphasis on citizens being informed on the use of data and their associated rights. If our
sector is to be entrusted to hold sensitive data about children across the country and
exploit the benefits modern data technologies enable us, then the new challenges are to
In aiming to support schools with the changes, it is clear that there is no one voice or
lens in our sector who could have written an excellent guidance document in isolation.
That is why I am delighted to see the high degree of collaboration among schools, local
authorities (LAs), multi-academy trusts (MATs), and the supplier community who have
helped develop this working document.
We would really value your comments and feedback going forward so that we can
continue to work with users to iterate and improve it.
Neil McIvor, Chief Data Officer, Department for Education
Step 1: Raising awareness
1. Raise awareness across all staff within the school who come into contact with personal data (noting that personal data can relate to pupils, staff, parents and potentially others). Making the link between data protection and child protection can be an effective way to ‘make it real’ for staff, although data protection is much broader than that.
2. Ensure that a broad range of staff across the school community are engaged with the work, to articulate and demonstrate the totality of personal data that is processed (as defined by DPA 2018) by the school, and to be engaged in the risk management. This includes an awareness that risks to personal data security can come from online threats like a cyber-attack.
3. Governors and trustees are aware that responsibility for compliance with data protection legislation lies with them and that they are kept informed about all key issues arising for the schools from the legislative changes and understand how to effectively monitor and review compliance working closely with the appointed DPO.
4. The language associated with data protection, and the enhanced legislation, is demystified.
How to approach this step:
Within a school, there are all sorts of job roles that utilise personal data for a variety of reasons. Some staff will be responsible for ensuring they simply use it responsibly, others will be making significant decisions about what data is used, how it is processed and stored and who it is shared with and how. As such, it is likely that a ‘one size fits all’ approach to staff training will not work.
From talking with schools, we believe an effective approach is to think about 3 levels of raising awareness:
1. All staff should be aware of what personal data actually is, what ‘processing’ means in the broadest form, and what their duties in handling personal information are. They should be aware of the processes by which they are permitted to use that information, and be clear of the scope of the permitted usage of that data. They should be engaged with the risks around data getting into the wrong hands, and their responsibilities regarding responding to a data breach. The job roles that might warrant this level of training include catering staff, welfare supervisors, library staff, cleaners, first aiders etc
2. Those who can influence how data is used, processed and secured. By this, we mean any staff in school who may have the authority to create and store data, enter data into applications/software or decide if/when they will process certain data. They may also have responsibilities for how paper documents are handledwithin the school environment. This likely covers all teaching staff as a minimum.
As well as the awareness work, they should have the chance to review the high level data maps suggested in step 2, and be given an opportunity to contribute the different perspectives that they offer compared with senior leaders or data leads. They should also be engaged with things like ensuring there is a
legitimate lawful basis and, if relevant, a condition for processing the information they utilise, and that storage of data is minimised to that required to perform the necessary tasks. They should be engaged in discussions about identification and mitigation of risks, and know the governance arrangements
that oversees the management of risks. In addition, as more schools process and
store personal data by electronic means, schools will want to produce userfriendly security policies and staff training to help reduce the risk of a data breach.
The job roles that warrant this level of training may include, but are not limited to, higher level teaching assistants, teaching staff, office staff, site administrators, information and communications technology (ICT) staff and technical support staff. Everyone can help prevent data loss by following basic cyber security steps.
3. Senior leaders and executive level, and those who manage the ‘data ecosystem’. By this, we mean those in school who are responsible and accountable for making choices around the use of technology and its security, deciding on what and how the data is shared, and setting school policies around the use of data and technology. As well as the senior leadership team (SLT), it may well be network managers or business managers. These people need to be sufficiently aware of the content of GDPR and the Data Protection Act, so that they can assure governors that the school has the right things in place to be compliant. As a data controller the school has a responsibility to ensure that there is accountability, and transparency throughout the whole data ecosystem and that the principles of data minimisation and privacy by design are adhered to by all parties, and that any contracts with data processors cover the relevant areas of data protection. This level of training is aimed at those who are accountable for those responsibilities on a day-to-day basis.
Job roles warranting this level of training include, but may not be limited to, all SLT members, curriculum leads, business managers, ICT leads and data managers and MAT executive teams.
In addition to staff training, awareness for governors and MAT trustees should focus on the following areas:
• That the ultimate responsibility and accountability for compliance sits with governors and trustees. Data Protection will, on an ongoing basis, require resourcing and governors/trustees will be an important support mechanism for the DPO in performing his or her role
• Making sure their school has good network security to keep the personal data they hold protected. This should also include having a business continuity plan in place that has cyber resilience as a consideration.
• That the new legislation moves schools from being required to ‘comply’ with data protection, to being required to ‘demonstrate’ compliance with legislation.
• To actively demonstrate compliance, schools need to document all their assets containing personal data and ensure they are being appropriately managed and secure.
• Appraising and scrutinising the performance of the school leadership/executive in the area of data protection
• Preparation requires a thorough ‘audit’ or ‘housekeeping’ exercise on current data processes that should already be in place in relation to the Data Protection Act. In particular, it is likely that data retention policies need more consideration.
• Following the data audit, an assessment of risks to data protection that will be considered by the school to be high or medium should be maintained. Schools should clearly identify what these risks are and how they are being addressed. This could include identifying any shortcomings in the school’s network security infrastructure and keeping IT security policies up to date. This should be documented as evidence towards compliance.
• Schools need to review how they communicate their use of data with pupils/parents, and the rights of data subjects, with clear explanations regarding the strengthened rights (including Subject Access Requests (SARs)). Schools need to have agreed procedures for dealing with SARs.
• A need to appoint a Data Protection Officer who has the ear of governors (and vice versa) and is somewhat independent from but can work closely with the management structure that develops and maintains data policies. (Step 7 has more information).
• A review of data protection policies in light of any changes to procedures and processes arising from the data audit and risk management.
• Reviewing data protection is an ongoing process requiring the whole school to be continually mindful of their responsibilities. Formally scheduling an annual review of current practice through an internal or external audit may be something schools wish to consider.
• Link data protection to safeguarding children (and child protection) when trying to get people engaged. In this way, all staff see that data protection matters in the context of pupil welfare. However, the rights of individuals are also key and start people thinking about gaps in current practice.
• Once SLT have developed a high-level data map (as described in step 2), test and iterate it during training with staff. They will identify new things and it will help entrench a sense of ownership.
• In training, it may be useful to use ‘real life’ case studies to explore how your
school ensures that its personal data is safe. “School CCTV hacked” or
“Children’s Services Data Breach” are 2 search terms that might find articles that
provide food for thought and help make training/risk management feel real.