It’s well over a year since the General Data Protection Regulation came into effect – can you truly claim that your school is prepared for the worst if a breach occurs? Ian Buss, director of the Education Banking Consultancy, believes schools are still underestimating the issue
When – not if – a school has a serious data breach, will it be the fine or the adverse PR that creates the biggest challenge? We all know that the new General Data Protection Regulation (GDPR) came into force in May 2018 but, over a year on, how much have we really done to ensure GDPR compliance?
When meeting multi-school trusts, single-school trusts and maintained schools, I always explore how they approach the role of the data protection officer (DPO). Invariably, the conversation ends with another action on the school’s ‘to-do’ list. Most schools and trusts I have dealt with have either stated they have a temporary DPO (that they intend to review) or listed their DPO as a member of the SLT (head teacher, SBM, etc.). The SLT members I meet already have a role that is extremely demanding without having to add to their workload, and the DPO role comes with a significant number of responsibilities.
DPO – basic responsibilities
First, there are some basic requirements for the DPO. They must:
- Be independent. In other words, they should not be at risk of a conflict of interest.
- Have ‘sufficient expertise’. ‘Sufficient expertise’ is difficult to assess but, for schools, the volume and sensitivity of the data they hold would suggest that the ‘expertise’ should be pretty thorough.
Let’s also remind ourselves of the additional responsibilities that the DPO must take on:
- Keeping up-to-date with GDPR developments and ensuring staff are trained accordingly.
- Keeping their school(s) up-to-date with their data obligations, now and in the future.
- Monitoring compliance with the law, as well as their school policies.
- Co-operating with the Information Commissioner’s Office (ICO).
- Managing subject access requests (SARs) within the required timescales.
- Advising on, and reporting, data breaches to the ICO within 72 hours.
Not an exhaustive list, but certainly something to consider when assessing your DPO.
Two interesting examples
Two recent examples I came across at the end of the summer term involved a small maintained primary school and a large, 15-school MAT – both with quite similar challenges.
The primary school had appointed the SBM as their DPO. Two years ago, this person was running the school reception desk and dealing with a mixture of administration, parents bringing their children in late and applying sympathy and plasters in the sick room. It was at the point that a parent formally requested information – through a SAR – on how the school dealt with an incident of bullying that the school realised there were shortcomings in their current DPO’s knowledge and ability to deal with a complex SAR.
The MAT case was interesting as well. Each of the schools in the trust had their SBMs appointed as their DPOs, and they were all reporting into a member of the trust senior leadership team as the ‘senior’ DPO. Unfortunately, none of them were confident of their ability to fulfil their responsibilities, or handle any breaches or SARs. In fact, the schools have not detailed a single reportable incident to, or discussed any potential breaches with, their central senior DPO.
Whilst there may well have been absolutely no reportable breaches, this is unlikely to be the case in a trust of that size; at the very least I would have expected the school DPOs to have had some kind of conversation with the central senior DPO to explore whether an incident required reporting or not.
The case study used in the DfE data protection toolkit for schools (August 2018) covers a school sending an email with personal data to a wrong email address. This is a reportable breach – and I also suspect it is an incredibly common occurrence. I wonder how many schools would report this type of data breach to the ICO?
In my view, some responsibilities are worth outsourcing to ensure compliance and minimise risk and reputational damage and, arguably, the role of the DPO is one of them. The education specialist DPO service provider that I work with currently acts as DPO for over 1200 schools. It is handling over 100 subject access requests per week and dealing with, on average, over a dozen reportable breaches per day.
Consider this a call to action; review your current DPO and assess their competence to fulfil the role. If there are shortcomings, consider outsourcing.