
September 2017


GDPR (General Data Protection Regulation)

In May 2018 the current Data Protection Act will be replaced by the new General Data Protection Regulation (GDPR). This change will have an impact on any organisation that handles personal data. In order to help education settings understand the changes and prepare for compliance with the new law, Herts for Learning is running some twilight information sessions in the autumn term, as follows:

Monday 2nd October, Wodson Park, Ware [Book]

Tuesday 31st October, Stanborough Centre, Watford [Book]

GDPR – What does it mean for schools and settings?

These twilight sessions will act as an introduction to the European GDPR, legislation which the Government has confirmed will continue in English law even after Brexit. The GDPR regulates the way organisations can handle the personal data of teachers, pupils and parents/carers. In some ways, the new rules are not so different to the current rules that apply under the Data Protection Act. However, there are some important differences.

  • Schools will need to be able to identify that they have a legitimate reason for processing personal data. In addition, as public sector organisations, schools will not be able to rely on “consent” by the individual data subject.
  • People have a number of new rights under the GDPR and schools will need to be able to deliver against these rights. Some of these new rights should be relatively simple to deliver. Others may require new processes or even new technology.
  • Schools will have to appoint an independent data protection officer (DPO) with appropriate skills and knowledge; however, the DPO can potentially be shared across several schools.
  • There are enhanced requirements around the security of personal data, and enhanced fines for allowing breaches.
  • Compliance with the new rules will not be sufficient: you will also have to demonstrate compliance.

While compliance with the GDPR should not be a problem for any school that is following the requirements of the Data Protection Act, it is certainly not a tick-box exercise. This session will introduce you to the main issues surrounding the GDPR and help you plan the activities you should be taking to ensure compliance by next summer.

Sessions run from 4pm to 6pm at a price of £50 (£55).

General Data Protection Regulation / new UK Data Protection Law: a brief guide for schools - September 2017

Contacts

If you have any DPA or FOI queries please contact the Schools Legal Helpline - 01992 555520 (comnet - 25520)

 


Cloud Software Services and Data Protection

The DfE have produced guidance for local authorities, school leaders, staff and governing bodies on cloud software services. It outlines how schools need to consider data security when moving services and sensitive information to the internet-based facilities of cloud computing (the cloud).

 

Data Protection Guidance

August 2016 Updated EU-U.S. Privacy Shield

Schools are reminded that the data protection policy of third party data handlers (school data services for example) should always be checked for suitability according to the sensitivity of the data concerned. More information on the status of this new protection measure can be found at the foot of the document in this ICO link.

Here is the original European Commission press release.

Data Security

Security of Confidential / Personal Data - Electronic and Paper

It is critical that schools consider the safety of confidential / personal data removed from a school site (electronic and paper). Ensuring that ALL staff are aware of how to handle sensitive or personal information and their responsibilities when accessing data is vital and this section provides guidance on staff training and recommendations.

If you are considering applying encryption to any computer devices in your school which you think may be taken off-site:

  • data encryption must not be attempted on any file servers or computer devices configured as RM Community Connect 3 or 4 workstations;
  • storage devices such as USB sticks are best encrypted in their entirety;
  • staff laptops that hold personal data should have an encrypted ‘container’ created where all sensitive data should be stored;
  • existing SIMS ‘master’ PCs should not be encrypted at this stage.  SITSS are considering the feasibility of encrypting the whole of the hard drive on all new SIMS ‘master’ computers.  We are also investigating the possibility of encrypting existing, older SIMS ‘master’ PCs;
  • backup media must be kept secure at all times.

Warning – keep your encryption password in a safe place.  Access to encrypted drives and ‘containers’ is controlled by password - should you lose it you will NOT be able to access your data!

Password Security and Password storage – why it’s not as simple as 123…

Latest advice regarding password security from the Information Commissioner’s Office can be found here

Keeping Parents informed: What schools need to consider when using email

Latest advice from the Information Commissioner’s Office can be found here

How to Encrypt Files in schools only
Appendices

School Policy in Brief

 

Also see the 'Model School Policy for ICT Acceptable Use Incorporating eSafety, Data Security & Disposal of ICT Equipment' in the esafety section:

 

Privacy Notice Guidance formerly known as Fair Processing (Pupil Census)

Privacy Notices 2015/16 – there is no change to the notice for Primary Schools and schools with pupils aged 14 or under –

Versions of the Privacy Notices for Department for Education data collections are available below. The updated Privacy Notices will be for:

• Pupils in Schools, Alternative Provision and Pupil Referral Units and children in Early Year Settings

Schools do not have to reissue the Privacy Notices to existing pupils but must ensure that the updated version is available on the school's website and parents/carers are made aware of the updated version.

 

Privacy Notices 2017/18 – changes applicable for schools who have pupils aged 14 or over

Updated versions of the Privacy Notices for Department for Education data collections are now available below. The updated Privacy Notices will be for:

• Pupils in Schools, Alternative Provision and Pupil Referral Units

The core information in the Privacy Notice is largely unchanged. Some additional text has been included as recommended by the Skills Funding Agency but the context and meaning has not changed.

Schools do not have to reissue the Privacy Notices to existing pupils but must ensure that the updated version is available on the school's website and pupils/parents/carers are made aware of the updated version.



Privacy Notice Guidance formerly known as Fair Processing (Workforce)

For Action

In order to ensure that all staff have been provided with an appropriate form of notice it will be necessary for schools to inform all current staff of the change to this Privacy Notice.

It will be every school’s responsibility to issue a Privacy Notice to all staff who commenced employment with the school after 01/04/15.

Schools need to make staff who were in employment with the school before 01/04/15 aware of the changes to the Privacy Notice (this could be via a copy being posted on the staff notice board and staff being made aware of its existence).

Please note: The Privacy notices are in line with the suggested text issued by the DfE but can include any additional information as appropriate. However, if you experience any difficulties with the external links or require further advice on how any organisation processes data please contact the organisation direct.

 

 


Freedom of Information Act

ICO Advice to Schools Regarding Data Protection and Freedom of Information

The Information Commissioner's Office has posted a video and further advice on the responsibilities of schools regarding the Data Protection Act and Freedom of Information. The information rights video is aimed at head teachers, managers and governors to help them comply with their information rights responsibilities in schools, colleges and universities.

The Information Commissioner’s Office has updated its advice on the Freedom of Information Act and Environmental Information Regulations Act.

https://ico.org.uk/media/for-organisations/guide-to-freedom-of-information-4-5.pdf

https://ico.org.uk/media/for-organisations/guide-to-the-environmental-information-regulations-2-3.pdf

Freedom of Information and Environmental Information Regulations Act Guidance for Hertfordshire Schools in schools only Jan 2016

A new document has been produced by Hertfordshire County Council Information Governance Unit in conjunction with Herts for Learning. It is designed to help schools understand their responsibilities under Freedom of Information Act 2000 (FOIA) and Environmental Information Regulations 2004 (EIR). The document can be downloaded here:

 

 



Records Management for Schools

The Records Management Toolkit for schools developed by the Information and Records Management Society can be downloaded from:

Publication Schemes

The ICO has updated their guidance for schools and provided greater guidance for nursery, primary and small schools.

Explanatory Notes for Model Publication Scheme for all schools including academies and free schools

https://ico.org.uk/media/for-organisations/documents/1235/definition-document-schools-in-england.pdf

Template Model Publication Scheme for Nursery, Primary and Small Schools

Guide to completing the Model Publication Scheme for Nursery, Primary and Small Schools

https://ico.org.uk/media/for-organisations/documents/1242/how-to-complete-template-guide-to-info-for-schools.pdf