As part of a school's auditing processes, it is important that you build an ecosystem as described in the DfE ToolKit.
To do this, a data mapping exercise needs to be carried out and, where special category data is processed, a Data Protection Impact Assessment (DPIA) must also be carried out.
Here are our Top 10 groups of suppliers that should be on your list to audit as data processors:
1. Management information, attendance, behaviour, admissions and safeguarding systems
2. Payments, cashless, catering, out of hours care systems
3. IT support services
4. Trip management, events, open days and parent consultation systems
5. Paper records
6. Library, access control, CCTV systems
7. HR, Payroll, Pension, Personal Insurance systems
Data maps are available for all major systems above within your GDPRiS account.
Systems 1-7 carry the biggest risk as they process special category data. It is important that you carry out a DPIA. Templates and support for DPIAs are available on the GDPRiS user support site.
8. Messaging, parent engagement systems
9. Curriculum, research and homework systems
10. Leadership, governance, associations systems
The above systems may not normally process special category data, and thus a DPIA is not mandatory; however, as best practice, consider carrying out a DPIA to review how you process data and to improve what you do.