Department for Education data protection compliance toolkit: GDPR and our schools – what should we tell the staff?

It should come as no surprise that the toolkit begins with a section on raising awareness of GDPR within your organisation.

All staff must have a level of understanding of the imperative that is data protection. When undertaking workshops for schools, we were particularly impressed when our audience included even the caretaking staff at the school. Everyone, in one way or another, comes into contact with personal data – it is just as likely to be in a rubbish bin as in the MIS for the school.

An emerging area of thought in relation to how to impress upon staff most effectively the significance of data protection law is to link the compliance requirements to the already well-established understanding that exists around safeguarding and child protection issues.

Clearly there will be a number of questions raised by staff and also their trade unions about the way your school is setting about complying with GDPR and what support is available to staff when they have issues or want to better understand a particular technical aspect of the rules.

Here are Ward Hadaway’s top tips for dealing with the kind of issues that are likely to arise.

What training will be received?

In time, we can expect to see education-focused online training resources that will be an effective tool for both induction and refresher training of staff.

DfE has taken some steps to support GDPR familiarisation – the Ian Bradley blogs available here and a webinar available here provide some important introductory information about GDPR and schools, and more of these webinars are promised to follow.

Can I still keep my personal records?

Teachers will be concerned to understand that GDPR does not directly affect the ability of staff to keep their own personal records if this is important to them in the way they manage their teaching.

A personal record could range from a note that “Paula missed the last lesson and needs help to catch up” to “David’s father is an IT System Engineer and is willing to come in and talk to the class about his work at a later date”.

Records of this kind, be they in digital or paper form, will be subject to a subject access request if one arises. However the more important issue is deleting/destroying the information when it has served its purpose. Paula’s absence will be recorded centrally within the school and the teacher’s personal record becomes redundant once Paula has caught up. Persuading staff to reduce the quantity of personal information they have collected over time should be regarded as an important priority.

Can I still take work home?

This is a significant issue for teaching staff who feel that they want to carry on dealing with the marking of student papers, or the review of student work, at home in the evening rather than within working hours.

The DfE Toolkit is at pains to stress that the rules of GDPR do not prescribe how people should do their work when personal data is involved but overlays upon any working practice the imperative that personal data is protected. A look at the Information Commissioner’s Office website will disclose various incidents where personal data has been lost as a result of an employee removing the data from the immediate working environment.

Schools will have a role to play in helping staff feel that they can still be trusted to take information away from the school and that everything practical has been done to support the member of staff concerned in avoiding risks of losing the data.

So encryption of USB sticks and laptops becomes an imperative. Through staff policies it is important that a school sets out its expectations of staff when personal data is removed from the school for legitimate purposes. Encouraging staff to apply the highest possible security measures that the individual can achieve is an imperative. But these expectations should always be counterbalanced by the effort taken by the School to provide technological solutions to minimise risk – such as encryption software.

Can we take photographs during the normal school day?

The digital age that we now live in has generated many more opportunities to capture events and the outcome of teaching experiences in photographic form, with it now being necessary to understand just how data protection laws impact upon such an “easy to achieve” outcome.

Key is understanding the distinction between taking photographs for social/family purposes and any other circumstances – the latter being caught by data protection laws.

Schools do need to work through the issues carefully. Consent will frequently be required and this must of course be given freely under the stringent rules that surround the giving of consent and what constitutes freely-given consent. This is not easy when there is an educational relationship – parents may feel they have no option but to give consent when a request comes to have a photograph involving a child in the next Prospectus for the school!

The reality is that the school has to do everything possible to demonstrate that the consent was given freely and therefore it must highlight, in the most effective terms possible, the right to opt out from involvement.

At the same time staff will want to understand when there are circumstances where the taking of photographs is perfectly usual and actually part of the day to day conduct of the school, and therefore falling within the “tasks in the public interest” test. So taking a video of pupils conducting a scientific experiment for the purpose of reviewing the work done would seem to be perfectly acceptable.

We hope that these ideas will help you as you take forward GDPR preparation. Our next and final briefing will take a look at the relationships you may have with providers of education technology be it learning platforms or apps that support the learning experience.

If you have urgent questions at this stage please contact Frank Suttie.