Unless you have been hibernating and ignoring all training emails for the last six months, you will undoubtedly know about GDPR. As with the current Data Protection Law, the aim is to ensure our schools are and continue to be data controlling compliant with regard to stakeholder data held. It is only fair to our stakeholders that we are act responsibly and diligently with the data we collect. This ethos will be important for us as leaders to remember in the coming months, especially when we may feel overstretched with the review, audit and mapping of our school data. The need for privacy and security in areas such as pupil information and payroll details is already recognised by school management. However, it is understandably easy to overlook the data gathered and held through the systems used to manage the facilities and premises within a school.?
I am firm believer in not looking at the top of the mountain but taking small steps to get there. So for this blog, I intend to focus on GDPR in relation to some areas within facilities and premises management. There are key systems in most schools relating to facilities and premises which will have to be audited and mapped - Payment Systems, Communication Tools, School Transport and Trips, Identity and Entry Management and Catering Management.
As part of the data audit, we will need to firstly identify the systems we are using in relation to premises and facilities. Over the past ten years, this is likely to have increased for most schools as a result of the installation of electronic systems which draws data from the schools Management Information Systems. Systems used by school, for example, a catering payment system, will have to be added to the Fair Processing Notice issued to stakeholders. The issue of consent will have to be considered. This can then work towards meeting two of the criteria regarding GDPR compliance in that consent is given and the data is necessary for the performance of the contract/system. Consent as with any other type of data has to be positive with a clear demonstration that agreement is given.
One significant area is the requirement to gain confirmation from our suppliers that they are ready for GDPR and how they will demonstrate this to your school. This can then be provided to the stakeholders on consent forms and Fair Processing Notices to assure them that the relevant data security has been verified. For example, the electronic entry management system in your school may download data from the pupil and staff database records. To evidence compliance, ask questions if the supplier, as part of remote maintenance, can access, read or save this data? If so, seek confirmation in writing that the supplier is not retaining the data unnecessarily. This may be already stated within the contract or on the supplier’s website. My decision has been to send out a letter to each of my school’s system suppliers to establish a clear GDPR compliance agreement.
The viewing, storage and retention of material such as Premise CCTV recordings will need to be reviewed. The use of CCTV and other premise monitoring systems should be validated by the completion of a Privacy Impact Assessment. This will ensure that the use of the data is necessary and proportionate.
I do fully understand (from my own experience!) that the level of procedure and systems review can feel overwhelming but as professionals we will meet these challenges, we always do in education. As with most statutory obligations, it is essential that this is managed as a whole school responsibility and not a remit for one person, that of the Data Protection Officer in school. In addition, there is a lot of guidance and support available so that you can put in place whole school understanding through training and information sharing.
Department for Education, GDPR Guidance for Schools https://www.youtube.com/watch?v=y09IHXv6u6M&t=34s (accessed online 25.1.18)
NASBM (2017) Preparing for the General Data Protection Regulation Bulletin, Coventry: ISBL
By Fiona Gill - January 2018