Protecting Data and Confidentiality

As Head Teacher or Chair of Governors, are you confident that data protection is managed effectively at your school? If not, these are the likely consequences:

  • Damage to the reputation of the school if a breach occurs;
  • A significant fine;
  • A mistake in the way data and/or confidentiality is handled could have adverse consequences for a child, a member of staff or a parent/guardian.

Who on your SLT team has been allocated the role of Data Protection Coordinator? The SLT needs to take leadership responsibility for this important area as it is coming under increasing scrutiny. One or more members of the SLT need to be developed to take on the role. (See our earlier article about developing members of the SLT). The creation of such a role does not transfer liability to the individual as the school still bears the responsibility as an overall data controller. The creation of the role should help to ensure you have appropriate arrangements in place.

To help you to develop a member of the SLT appropriately, some pointers are given below. In addition:

  • Use the references section to read further advice on the requirements;
  • Carry out an audit and lead discussions at the SLT to build ownership and confidence in the school’s arrangements.

What Data Should be Protected?

In essence any data which identifies a particular individual and which has the following characteristics:

  • The data is sensitive as it contains personal information about an individual, who is still alive, and refers to, for example, health, ethnic origin, religious beliefs, alleged or actual criminal offences and even trade union membership;
  • The data is private and if shared inappropriately would have an adverse impact on the individual;
  • Such data concerns an individual, for example, a child, parent/guardian, member of staff, governor, volunteer, job applicant, work experience person or a former employee or child/student;
  • Such data is held on paper, on a computer, tablet, mobile phone, laptop or camera, stored on a disc or memory stick, kept on a server whether at the school or elsewhere, or stored in a cloud storage arrangement.

As you will gather the scope and care of such data is wide in its nature and also its potential accessibility. Later, I shall refer to a data protection audit with the chance for you to obtain a blank template for your school. Before that we need to understand the dimensions of data protection in a school setting.

In What Way Must Such Data be Protected?

Are you confident that the data your school stores and uses meets the following criteria? When ‘individual’ is used below it applies to any person e.g. employee, pupil, parent who is the subject of the data.

i) Data is Processed Fairly and Lawfully

  • Has personal data been acquired in a fair and transparent way?
  • Where appropriate, has the individual provided the information and consented to its use in the way intended? The use to which data is put may not be obvious to individuals, so less obvious purposes should be explained, especially in unusual circumstances e.g. during a transfer of staff under TUPE where information about employees has to be provided to another employer.
  • Is the collection and processing of the data required by law, irrespective of the individual’s wishes? Examples of this need will be encountered but again is the collection and use of such data in line with ii) below?
  • Has the school notified the Information Commissioner of the data that it collects etc and the use to which that is put?
  • Is the individual able to see the information that has been or will be collected about him/her? What rights does the school have to decline to provide data if the effort is disproportionate to the purpose?
  • Do you have an effective policy in place for individuals to obtain copies of the data held about them? What exceptions can you include in the policy?

ii) The Data Collected must be Relevant and Sufficient but Not Excessive

  • The data should be relevant to the purpose and not go beyond that. Collecting personal information regardless of its relevance would be unlawful;
  • Data should not be retained longer than necessary. You need to become familiar with the periods required by law, the DfE etc. for data which you may hold at the school or elsewhere. It is useful to publish a retention policy so that all staff are aware of what records may be kept, by whom and for how long;
  • Data must also be accurate and up to date. Errors must be corrected promptly when they are discovered or when made known to the school;
  • The use of CCTV and other media should not be overlooked. The prevention of crime is a recognised use of CCTV, but CCTV should not be used for other purposes unless the individuals affected are aware of this. Covert surveillance is subject to special requirements which can be seen on the Information Commissioner’s web site.

iii) Data is Kept Secure

  • Only authorised persons should have access to personal data and only for the approved purposes – that requires practical measures to ensure that others cannot see or access the data in question. A walk around the school after most staff have gone home can be revealing as to how much personal data can be seen or accessed by anyone walking about.
  • How secure is stored data? Is paper data kept locked and access limited to particular individuals who understand the need for confidentiality at all times?
  • Is access to programmes or folders containing personal data restricted to authorised persons? Are strong passwords used and kept secure?
  • Do you have policies about the way in which personal data may or may not be kept on memory sticks, portable hard drives etc?**
  • What instructions have been given about the holding of personal data on laptops and the security of that data and the laptops?**
    The two asterisked points above are those in which there have been significant breaches of data protection and on which the Information Commissioner has taken strong enforcement action.
  • Who holds your data externally and where is it actually stored? For example, do you use a cloud service such as Dropbox or similar? Personal data should not be transferred to a country outside of the EEA except if the data is kept secure. Beware that there are misgivings about the Safe Harbor Scheme in the USA. You should consider the use of agreed contract clauses to ensure that all parties will keep data secure. There are EC Model Clauses available to use – refer to the Information Commissioner’s website for details.
  • You need to inquire where your data will actually be kept as even UK storage companies may be ‘holding’ your data in overseas storage facilities.
  • When data is no longer required, are your disposal arrangements secure? If a contractor is used, you should walk yourself mentally through (or physically if practicable) the processes that the contractor’s staff will apply to your data.

Embedding Your Data Protection Arrangements and Policy in the School

Having a policy is a requirement but how will that be applied in practice?

  • What actions are necessary to ensure that your staff, volunteers and Governors are aware of the actions to be taken re the above points?
  • What aspects of the use of personal information do students/children need to be made aware of?
  • What procedure should be followed if a breach of protection is discovered?
  • How will you ensure that the breach is remedied promptly and that preventative action is taken and monitored?
  • How are you developing a culture of respect for confidentiality within the school?

Audit of Data Protection Arrangements

A data protection audit is a useful way to identify what data is actually being collected or stored and the use to which it is put. An audit helps to ensure that certain types of data or current practices are not overlooked and also begins the process of making managers and staff familiar with what needs to change and which practices must be kept under review.

Further Reading – Schools and Data Protection Duties

Summary_report_dp_guidance_for_schools, September 2012, Information Commissioner.
Pointers for Schools by the Information Commissioner’s Office

© 2016 HR Management Dimensions
