GDPR for schools: a guide for leaders

It will fall to school leaders to implement and maintain the changes required for compliance with GDPR. Here is our essential guide to what you need to do.

Jamie Stinson


The General Data Protection Regulation (GDPR) will require changes to be made in every school, and heads and senior leadership teams should be at the forefront of bringing about those changes. Data protection has now moved much higher up the school's agenda and whole-school policies must reflect that.

The new rules introduced under GDPR mean schools need to take “data protection to a new level”, says Karen Crowston, vice chair of the board of trustees at Ninestiles Academy Trust in the Midlands.

The legislation demands that organisations are able to demonstrate compliance and become more accountable for data protection.

“As a trust, we have to understand which systems we have across all of our academies and the data we hold in those systems,” says Crowston. “We also need to be clear about what happens to the data, who has access to it, why we collect it and how we safeguard it.”

Mitigating risks

The first job of every leadership team is to assess risk. That means carrying out a thorough review of where data is stored or processed in your school; an assessment of who has access to that data and can process it; and the risks, in terms of security, to the data (is the password stuck on the department noticeboard, for example?). This applies to all data, not just student data. So the data of staff, parents and suppliers is included, too. 

That may sound like a lot of work, but Toks Oladuti, director of information services at an independent girls’ schools trust in London, says schools should approach the new changes in the same way as “things like safeguarding, managing trips, health and safety and other things where we look at the risks involved and come up with a way to mitigate those risks”.

“It is about how your organisation is able to be transparent, is able to be fair, is processing data in lawful ways, is able to recall and show compliance, and is able to meet individual subject rights,” explains Oladuti.

“So it is about looking at what you need to do as an organisation to ensure that you can do that.”

Where risks are identified, leaders need to act. 

“A self-review will potentially highlight operational changes that need to be made, or new operational procedures that need to be put in place,” says Oladuti. 

Revising policies

Once you have tackled the current risks, you need to anticipate future risks. That means having detailed policies around future data-processing tasks and any new third-party contract for which data is part of the service. 

“Implementation of any new data processing or systems may require a data-protection impact assessment to be conducted to manage and minimise or mitigate privacy risks,” says Crowston.

Essentially, you have to know that any new processing of data is compliant, so you need written evidence of compliance, whether the new data task is processed internally or externally.

You will also need to set up policies for the reporting of data breaches. 

“Policies and procedures will be required for reporting and investigating data breaches, and everyone will need to be clear about what they need to do,” says Crowston. 

You need to be ready to handle data access requests, too, so a policy for that will also be required. 

“Staff and supplier contracts will require a review and to be updated, and organisations now need to be in a position to recognise and handle data access requests within a month of submission,” says Crowston. 

“It is essential to have clear policies, processes and procedures for safeguarding in our academies. We have to do everything possible to protect and safeguard our children, and protecting and safeguarding data is an integral part of that.”

Staff training

GDPR is not just a leadership issue. It is something that will affect all school staff, so all staff must understand their obligations under the new European Union directive. 

By the end of the training process, staff should understand their role under GDPR, how to recognise a data breach, how to react to a data breach and who to report to in the event of one.

Training is not something that should stop after 25 May. It will be an ongoing process. It may be that, in the year after the introduction of GDPR, staff receive training every six months; that could then be reduced to every 12 months in 2020.

How long should you keep data?

As part of your risk assessment, you will no doubt ask how long it is legal to keep the data you have that belongs to students or others. 

There is no set time for how long you should keep personal data.

Helena Wootton, privacy law specialist and partner at Browne Jacobson, says the length of time you hold it hinges on “the purpose” for which it is intended.

“You keep a document as long as you need to for the purpose,” she states.

For example, whether you retain data for 10 or 15 years isn't the issue in itself, but you need to ask yourself why you are keeping this data. Do you need this information?

As Wootton points out, the longer a document is kept, the greater the risk of a hack or the possibility of a subject access request.

However, Russell Holland, barrister and education specialist at Michelmores, says that schools are already good at only keeping the data they need.

“Schools don’t just collect data because it’s fun, you’d hope. Schools are collecting data because they need it to run a school,” he says. “That’s why I think, for schools, it is very much about upgrading and thinking about where there may be risks.”

Disciplinary policies

With the potential for a sanction, or worse, a fine, from the Information Commissioner’s Office (ICO) hanging over the school in the event of a data breach, disciplinary policies will need to reflect the increased importance that data privacy has gained.

Dai Durbridge, education specialist and partner at law firm Browne Jacobson, explains that if training is delivered properly, then data breaches should become a part of disciplinary processes. 

“Data breaches don’t really feature within disciplinary policies,” he says.

“Taking a laptop home, leaving it in the car with the password written on a Post-it note on the inside of the screen is going to be [worthy of] a serious disciplinary action. So in terms of the governance structure and the management of the school data, management of privacy needs to move up the importance scale.”

Evolving picture

Finally, leaders need to regularly check in with how GDPR is being implemented nationally and which actions the ICO is taking. The regulations are likely to evolve over time, so keep up to date by heading to Tes News and searching for GDPR. 
