Data Protection for schools – everything you need to know
Written by Luke PeachDPO & Compliance Officer
Schools can learn from Data Protection Officers
As legislation goes, the GDPR could be unique in its insistence that a new professional role, the Data Protection Officer (DPO), be created to ensure its mandates are properly met. But getting a DPO in place is no simple recruitment exercise, and that’s especially true for schools.
For starters, people with the requisite mix of abilities and experience to do the job in educational environments are hard to find. However, schools don’t necessarily have to recruit externally, as the GDPR guidelines allow for other options. Governors and members of school staff can be made DPOs – although given the baseline career skills and background required, this is probably not feasible.
In the UK, schools can also request their Education Authority manage the DPO requirement on their behalf. However, a more robust option is to outsource the job to third-party data security specialists, since the data protection in the education sector can task schools more than commercial businesses.
School-specific data governance challenges
Schools naturally handle a lot of sensitive information about children, which means special provisions in the Data Protection Act 2018 (the UK’s implementation of the GDPR) must be observed. Some data may be accessed by students themselves, which introduces extra risk compared to managing data security among an enterprise workforce. Part of the school DPO’s role is to maintain cyber awareness among younger end-users who may not be as receptive to cyber dos and don’ts as salaried employees.
Funding pressures are always an acute issue for many educational establishments, and hiring a DPO only compounds matters. Schools are faced with having to recruit a new staff member whose exceptional skills and abilities place a premium on the salaries DPO candidates can demand. According to Glassdoor, these range from £32k per-annum to £79k per-annum, with £50k being the national average. Add to this any additional budget to pay for third-party cover when the DPO is on leave, off sick or otherwise indisposed. The sum total can be a significant expense for resource-strapped schools. The thorny issue of cost is one of the primary reasons that educational establishments are increasingly outsourcing the DPO role for an affordable monthly cost.
Another key factor in the trend to outsourcing is finding candidates with the relevant educational experience. DPOs don’t technically require professional qualifications to undertake the role – the GDPR stipulates only that DPOs should have ‘expert knowledge’ of data protection law and practices, plus a good understanding of IT infrastructure and organisational models. However, to be an effective DPO for a school you’d need to add experience of the education sector into the mix. And that makes the recruiting challenge even harder.
All this means it’s crucial that a school DPO’s purpose is clearly understood by all levels of school management, including students, right from the outset. It’s important to avoid any perception of the DPO as a serial box-ticker who works outside of day-to-day educational operations.
DPOs help avoid fines
Probably the first and most obvious benefit of having a DPO onboard is that they will help prevent a school’s data protection processes and procedures from being found wanting by the regulator, resulting in a fine. The Information Commissioner’s Office (ICO) has taken a fairly lenient approach toward the education sector so far in terms of actual penalties. However, since 2018 the ICO has instigated a series of audits of selected Multi-Academy Trusts (MATs) and their education establishments.
Over-reporting security incidents wastes school resources
The savvy DPO can also add value when it comes to advising when not to take action. For example, of 1,385 school data security incident referrals handled by the ICO in the year after the GDPR went live, just 208 (15%) resulted in orders for action to be taken. This was attributed to schools being overly concerned to make sure they were covered, but the figure also suggests a lack of awareness of the circumstances in which incidents must be reported.
“It does reflect a misunderstanding of what the GDPR actually means for schools,” said a consultant quoted in Schools Week. “It may be that the schools that are self-reporting just don’t understand what they’re doing.”
A DPO who knows their GDPR obligations thoroughly can save their school time and resources by knowing when a data compromise incident has to be reported – and when it does not.
Your local regulatory go-to person
The scope of data governance has widened markedly over the last two years, and its work is added to by the changes to data protection compliance caused as the UK leaves the EU. The Government plans changes to the GDPR and Data Protection Act 2018 to retain EU GDPR provision in UK law (until then the EU Withdrawal Act retains the GDPR in UK regulation).
Schools must also increasingly ensure that third-party suppliers that process their data are also properly GDPR-compliant. This has assumed greater criticality in the context of the GDPR as digital transformation enters the education sector and more schools rely on cloud services providers to host their applications and data. As these compliances affect more aspects of day-to-day educational activities, the DPO becomes the regulatory go-to person for the schools and trusts.
Understanding schools’ special data protection needs
Schools face added complexity due to the special provisions for the protection of data that pertains to children. Schools process and store large amounts of data that concerns personal information: students’ academic records, medical profiles, contact details, ethnicity, biometrics, still and video images, and so on. Schools also hold data on teaching and administrative staff, governor activity, external volunteer activity and suppliers.
For example, children have the right to request a copy of their personal data under the GDPR-empowered Data Protection Act 2018, and have the right to request that a school no longer processes their data. The GDPR explicitly requires that children’s data is protected and, additionally, it stipulates that privacy notices must be articulated in ways that are clear and accessible to a child or worded specially for them.
We chose Bulletproof as our school DPO as they had impressive knowledge of the data privacy requirements within our industry. Our consultant is always on-hand to assist with reviewing and updating our internal procedures, as well as providing quick responses to our data protection queries. Bulletproof is professional and friendly - a great extension to our team.
Bryon White Head of Legal Services, London School of Science and Technology
Our experts are the ones to trust when it comes to your cyber security
Get a quote today
If you are interested in our services, get a free, no obligation quote today by filling out the form below.