GDPR News & Updates
A Teacher Tapp poll has revealed that 42% of the 2,452 teachers who responded haven’t received any training to prepare them for the introduction of the new GDPR laws.
Governor Services have been sharing GDPR information and advice with Governors since July 12th 2017. We hope you are aware of what your board needs to do to ensure you and your school are compliant. We have uploaded a “Governors and Trustees Checklist to help to prepare for the GDPR” to WES and to GovernorHub.
Governor / Clerk Email Accounts
As a governor, the personal data you send over email must be kept secure. Using a secure school email address will help you to meet the GDPR requirement to prevent a data breach and respond to subject access requests quickly.
As we continue to advise, GDPR does not specifically require governors to use a school email account when communicating on governing board matters. However, the GDPR does mean Governors / Clerks should be doing everything in their power to prevent a breach of personal data. This means the use of secure school email accounts by all governors / clerks is strongly advised.
We continue to receive GDPR advice / updates, which we share with you. The latest is:
- If a school email address isn’t an available option, you could use a service like Gmail or Outlook. Both of these will allow schools to set up email accounts for free.
In Gmail, emails will be encrypted if both sender and recipient(s) are using Google apps, such as Google Chrome or the Gmail phone app.
However, if you have any questions regarding GDPR, we would strongly advise you to seek advice from or question your school / academy / setting DPO as they should be able to answer any questions you have.
We too are aware of the extra work GDPR is causing, but the main aim of the law within a school context is the need to protect sensitive information about the children in our care, particularly those who are most vulnerable.
To ensure Governor Services comply with the GDPR legislation, as we have mentioned in previous emails, we will only be sending emails to a secure / school / academy based email address. If the Chair or Clerk does not have a secure email address, we will forward our communication to the Head teacher / school admin email.
GDPR Update for Clerks:
With support from the Chair of Governors and School DPO, review your understanding of best practice.
- Clerks will have a role in processing personal data used by the governing board, such as data contained in confidential minutes, as they will often be in charge of sharing, storing and disposing of it.
- As clerk to the governing board, you should understand what is best practice for keeping the data you handle secure.
Actions for clerks:
- Ensure you have an understanding of the GDPR
- Review (with help from your school or trust) how you share, store and dispose of personal data.
- For clerks not on the school or trust's payroll (such as those employed through the local authority or an agency), talk to your school or trust about ensuring that your contract’s terms meet GDPR requirements.
This is explained in more detail in the ICO guidance:
How will governors and trustees monitor GDPR compliance?
To monitor GDPR compliance from May onwards, some of these monitoring methods may work for your school and governance structure.
Possible actions:
- Add a standing agenda item to full governing board meetings to scrutinise the risk register, which will include the data protection section
- Designate a data protection champion who can liaise with the DPO and relevant school staff before each meeting
- Make sure your governing board receives reports from the DPO (a requirement under the GDPR)
- Request a 6-monthly update from the DPO on how the GDPR is working in practice (throughout the school / academy).
- Ask the relevant committee to present to the full governing board on the effectiveness of your data protection procedures and IT controls
- Incorporate questions about data protection into your school visits:
  - Ask staff what training they receive on data protection, if they know what counts as a data breach, what procedures they should follow to keep personal information safe, and if they understand how data protection fits in with safeguarding
  - Ask pupils how they learn about keeping information safe and how they learn about the internet
Local governing bodies in MATs: Need to check how the trust is preparing
In a multi-academy trust (MAT), the trust is the legal entity responsible for the processing of personal data and compliance with data protection law in all its schools, provided that the schools do not have any legal status separate from that of the trust.
However, at school level, it's worth being aware that if there is a serious breach involving one school, any resulting fine will apply to the MAT as a whole – not just that school.
Actions:
If you’re on a local governing body, seek assurances from the board of trustees or relevant central staff members that the MAT as a whole is preparing for the new law.
How you check that your trust is preparing will depend on the trust's communication arrangements. It may involve:
- The school’s IT technician, who also supports other schools in the trust, attending the local governing body meeting to discuss the GDPR at school level
- The chair of the local governing body attending the MAT’s regional board meeting to ask about the trust’s GDPR preparedness
- The local governing body asking the board of trustees for assurance that the MAT central staff team will be arranging a moderation of data protection processes and controls in each school in the MAT
It would be usual for the MAT central staff team and the board of trustees to be organising this moderation work. The MAT finance or business director will normally be the person co-ordinating this internal data protection audit, with an external audit arranged when appropriate.