Dr Richard Harrold (Data Protection Officer at ACS International Schools) outlines the most effective methods to meet GDPR regulations
One year on from the introduction of the General Data Protection Regulations (GDPR), compliance remains one of the greatest challenges for schools in the UK. An ongoing task at ACS International Schools, data protection brings its own set of challenges for international school administrators.
A 2018 survey for RM revealed that 75% of schools and colleges regard their staff as the biggest source of data breach risk. But this can be reduced and managed. ACS, which handles the data of over 3,700 students from 100 different countries, across three schools in the UK and one in Qatar, offers these top tips for helping other organisations achieve compliance:
- Download the Department for Education’s Data Protection Toolkit for Schools, and check your internal data management framework against its guidelines. I recommend building a data map (the DfE talks of a data asset register) that captures the organisation’s entire sweep of data processing tasks (including the use of third parties) in one central and secure location. For retention guidelines, I recommend the services of the Information and Records Management Society (IRMS). Both the IRMS and the DfE publish useful advice and examples, including information on how long different types of information need to be retained.
- When you’re talking to your staff, link data protection to safeguarding and child protection. Seeing the direct connection between information sharing and student welfare is more likely to get your team engaged and on board.
- When testing to see if your staff understand their training, and whether your systems are in place correctly, consider ‘real life’ situations to role play. Try online searches for “school data breach” for examples of successes and failures.
- Every school has data breaches, so set up an amnesty to promote a culture of trust and openness. We count breaches and record them to learn from them. Often a breach is the result of simple carelessness, like leaving a clipboard with students’ names and addresses on a bus after a field trip, or losing a memory stick with report card data on it. An amnesty can encourage the prompt reporting of common breaches such as these. Obviously, there should be consequences for persistent negligence or deliberate breaching of personal data.
- Although it’s not an official requirement in all settings, consider appointing a Data Protection Officer – an independent and neutral connection between the school body and governing body, who can work closely with the school senior management team to develop and maintain data policies and procedures, lead training and handle communications between the school and the community, and between the school and the regulator.
The Information Commissioner’s Office (ICO) has been at pains to point out that, as the country’s formal regulator of data protection and data privacy, it is seeking to help schools navigate today’s new data protection landscape. The ICO is not looking to make life deliberately harder for schools. It is simply trying to ensure we are all protected and managing the personal data entrusted to us in a responsible and professional way. This should be a reassurance to our communities that schools are taking their data protection duties seriously. Who could argue that that is anything other than a positive development?