In the run-up to 25th May 2018, someone in your school was very busy making sure that the school’s data policies and procedures were GDPR (General Data Protection Regulation) compliant. Old data was destroyed, current data was scrutinised and 3rd party data handlers’ assurances were sought. You might have received some training about looking after personal data and you were probably told about how your employer handles your personal data.
It would be easy to think that you were now done with GDPR but have you considered all of your data?
The signing in / out system?
- All schools collect personal data (name, company, car registration) about people who visit the school but rarely provide a privacy statement at the point of collection.
- How do you ensure that the paper-based log doesn’t get lost or stolen?
- What happens to the personal data, which often includes an image, collected by computer/app based sign in/out systems?
Display of photos and names?
- Many staff rooms have a little display of photos of children who have particular medical conditions or special safeguarding needs. Consider if this display is necessary and whether it poses a potential data breach risk.
- Do school visitors use the staff room? Why are you sharing this personal data with them?
- In your next staff meeting, cover up the display. Ask staff to name the children and their special medical condition or safeguarding concern. If your staff can’t recall which child has a special medical condition or who isn’t allowed to be collected by their dad, the display is not achieving its aim.
- Is there a better way to make all staff aware of individual pupils’ health and safeguarding issues without broadcasting them to every casual visitor to the staffroom?
Computer Display Screen?
- Do all staff lock or log out of systems when they leave their devices? It's amazing what you can find out by glancing at an unmanned PC or laptop.
- Is there a line of sight between the device screen and the door, or worse still a window? Imagine that the Head is typing up your reference or a disciplinary notice, or maybe the SENCo is writing a safeguarding report. Now, imagine someone else is peering in through the window and reading over their shoulder. That's a data breach!
Becoming, and remaining, GDPR compliant is a big task but schools are good at compliance. However, in the rush to write new policies, clear out the file stores and seek assurances from 3rd-party suppliers of their compliance, it is easy to overlook the more human aspects of data protection. Most data breaches are due to human fallibility. So, as well as looking at your office systems, take a 'data walk' around your school and actively look for places where personal data is collected or processed. Consider paper-based as well as computerised data. Think about the physical environment as well as the device being used. How and where do your staff handle data? Think about who else could take that 'walk'. What personal data could they see, steal or change?
For more help on GDPR, please see our partner company, Data Protection Education's website.