GDPR Guidance for Schools
Vložit
- čas přidán 23. 07. 2024
- General Data Protection Regulation comes into effect in May 2018. Is your school ready? Iain Bradley from the DfE explains how you can review and improve your handling of personal data. Please leave a comment if you have any questions about GDPR or how you can prepare.
Thanks for the video Iain.
I'm really disappointed by the lack of info coming from the DfE re GDPR.
Schools should have be provided with school specific compliance toolkits (data audit spreadsheet, data retention advice, policy & procedure templates etc.)
There are a lot of companies making a lot of money providing advice to schools at the moment.
This is money which is not being used to educate.
Thanks for the feedback. Model privacy notices do exist, and we’re trying through our initial blog and these videos to move through this in logical steps for schools. You might find resources like www.edugeek.net/forums/data-protection-information-handling/ useful as a place where schools can collaborate and share such resources.
Couldn't agree more with Sat Singh.
With my Governor Hat.. Iain, thanks for the video ...with my day job hat on, happy to give you a quote on making more of these information videos! ;) terry at navigator productions.
Thank you for providing timely advice to enable my school to plan in advance.
I think this video should have come out in 2016!
thanks for making this video, the youtube world seems devoid of any #GDPR videos for schools, I'm looking forward to watching your next series of videos on this topic #GDPRintSchools
There's a primary school head teacher near me says that pupils' exercise books contain personal data, and that therefore teachers will no longer be allowed to take exercise books home for marking. This seems extreme to me. Does anyone have a differing view?
Will you be providing guidance on all of the GDPR as this is only a very small subset. What about all 12 requirements from the ICO on the GDPR?
This is a subset, but having a robust data map, getting the right information to hand about their suppliers, and thinking about how to embed the DPO were things our informal advisory group of sector colleagues identified as high priority issues. We’re hoping to cover how best to inform parents/data subjects, conditions for processing relevant to schools, and data retention in our next film. In the meantime, have you seen irms.org.uk/page/SchoolsToolkit when thinking about data retention? It seems quite helpful.
educationgovuk What about purposes of processing, lawful bases, written instructions to suppliers and alignment to the ICO Top 12 steps to GDPR? It’s crucial to align to the ICO guidance and ensure that people start the right journey?
I would like to know how a California school would need to be compliant, and specifially how it is onnected to the EU?
Do we know when part 2 is due out as referred to at the end of the video -thanks
Hi Conor. As we continued to talk with schools, we evolved our thinking into the written Data Protection Toolkit for Schools, which covers the intended ‘part 2’ content as well as plenty of other information to help schools with data protection.
Data Protection Toolkit: www.gov.uk/government/publications/data-protection-toolkit-for-schools
A useful start but the DfE still needs to give a strong steer & some reassurance on child protection & safeguarding - 'experts' out there are telling schools that they will no longer be able to keep CP files or undertake criminal checks. Disappointing that GDPR isn't included in the draft KCSiE 2018. Also, could you tackle the sample letters provided by DfE for schools to send to employees, pupils & parents which are incomplete and have errors :-(
Hi Wetherby6, we’ll be looking at our sample letters (privacy notices) fairly soon. In particular, we’d like to do some testing with parents to check for readability, interpretation etc. If you work in the sector and would be willing to help us with that, please let us know via: Iain.BRADLEY@education.gov.uk
For reference, we worked with the Information Commissioner's Office to ensure that the privacy notices were GDPR compliant. They are available here: www.gov.uk/government/publications/data-protection-and-privacy-privacy-notices
Thank you; I am well aware of the samples. They may be GDPR compliant but offer nothing to support schools in advising pupils, parents & staff of the data that is collected and shared (sometimes without consent) for the purposes of the Education Act 2002 s175, Children Act 1989 s47, compliance with KCSiE, etc and there is no mention of the processing of criminal information for the purposes of Safer Recruitment, the keeping of a single central record of vetting checks, referral to the LADO / police / DBS and/or NCTL. Then there is the issue of processing data about other people that staff live with (if they are working in childcare) and I think schools could do with some guidance on the retention of children's emergency contact details - currently, parents may provide schools with the number of a neighbour, grandparent or similar and probably no-one asks the neighbour for active consent. Sadly, I have advised all my clients not to use the sample privacy notices until we have greater clarity from DfE and / or proper legal advice. I will email Iain with these comments :-/
At 4.10 there is talk of onward flow of data from the MIS (SIMS etc). This is something schools currently do far more than parents & pupils realise.
In reality, once pupil data from SIMS etc. leaves the school premises, there is no way of knowing where it is being stored, how it is being processed, who has accesses to it (are they background checked?), where it is backed up to, who else it is shared with again, whether a breach has occurred, or how long it is retained. Even the school has no way of finding out such things, let alone the parents or pupils.
Each case of pupil data sharing requires a lawful basis which must balance the rights of the data subject (pupil) with the data processing - see ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/.
Where there is no legal requirement to share data, such as cases where pupil data is shared with a for-profit company providing value-added results/performance analysis processing, schools must state the lawful basis for the activity rather than use the current approach of 'everyone else uses X so we can as well'. School's have been *very* free and easy with downstream sharing of MIS data with 'value-added' providers thus far.
As public authorities (which includes academies), schools can't use the 'legitimate interests' lawful basis for such sharing of MIS data. It has also been established that consent can't be freely given by a minor, which seems to rule out that option.
Come GDPR in May it will be interesting to see how schools justify the hitherto 'implied/assumed consent' for such processing.
Whilst as a parent I share your concerns about what data is being shared on my child and with whom, as a School Administrator I am a little insulted by your assumption that data is shared without due consideration to necessity, security, location and means of storage etc. You are wrong in your assumption that such things cannot be checked upon although granted if organisations blatantly lie about this it is a little difficult for a school alone to police. As schools are legally required to operate assessment systems etc there is a lawful basis for this, provided such things are covered in the school's privacy notice. Sharing of data to any "optional" systems (parental online payments systems, lunch ordering systems etc) will still require specific parental consent and will not be allowed without such consent though. Whatever your perspective, this is an important piece of legislation but one that will be very expensive for schools to implement and prove compliance with. Yet another financial pressure on ailing budgets!
We're almost a year in since the GDPR.
Why do academies have more rights to ignore data requests from parents and students than main state schools? I ask because I have made a data request to a local academy and there's no response. Why do academies have too much power ?
They have no such "rights". If any data controller fails to respond to a data access request, you can complain to the Information Commissioner (ico.org.uk) and/or sue the data controller in court.
Anyone else notice him praying at 5:45????
GDRP come on DfE get it right.
Thank you for correcting your spelling mistake so quickly.