GDPR in Action: Why Data Protection in schools is important
Posted on: December 13th 2019
The General Data Protection Regulation (GDPR) has fundamentally changed the way schools, academies and Multi-Academy Trusts must handle, store, share and process the personal data of their students, parents and carers, staff and governors. Failure to comply with the new legislation can have wide-ranging consequences for schools and potentially result in reputational damage, regulatory body constraints and financial penalties.
The Education sector processes a disproportionately high volume of sensitive data compared to other sectors, and as a lot of this is children’s personal data, it is vitally important that schools embrace the new post-GDPR world. The question is, how are we doing a year on?
This week we sit down with Harris Federation’s Head of Compliance and Data Protection Officer, Humphrey Gullett, to talk through the importance of handling personal data in schools.
What was your start with Harris?
At the beginning of March 2018 – which is an important date as it was ten weeks before the advent of the General Data Protection Regulation on the 25th May 2018.
What is your background with Data Protection and Compliance?
Data protection and compliance has been a feature of many of the jobs I’ve had in both the public and private sector. My previous job before Harris was as a management consultant where I worked on large transformation programmes. This meant I was well placed to drive through such a key change project for the Federation. GDPR has fundamentally changed the way personal data is processed in our academies, so one of the key challenges for me was driving the cultural change in the organisation.
My expertise in compliance stems from my first career in the Royal Navy, during which time I served as an officer for 18 years. One of my formative jobs was overseeing compliance for all the Navy’s logistics functions, which included logistics management, supply chain, catering, pay and personnel, hospitality and medical administration. My remit was extensive and covered warships (ranging from aircraft carriers to Frigates and Destroyers), submarines, shore establishments, the Royal Marines and the Royal Naval Reserves. This provided me a great experience in delivering, overseeing and reviewing compliance in a large public sector organisation and one which prides itself on being the best!
I think that because of its size, with 48 academies, Harris has been able to develop a team of specialists in the Head Office, providing support that smaller MATs may not be able to consider or afford. I personally benefit from having access to legal, procurement and recruitment experts to help me do my job better. Head Office staff are charged with providing key support to academies, which takes some of the workload off schools and allows them to focus on delivering exceptional teaching and learning.
What do you feel sets the Harris Federation apart from other MATs?
I feel the leadership in Harris sets it apart from other MATs. We have a passionate sponsor in Lord Harris and an excellent CEO in Sir Dan Moynihan, who are constantly driving people to set and achieve stretched targets. The strong leadership evident in Head Office permeates down through the academies, both at the Principal level and also within academy Senior Leadership Teams. Given my background in the Royal Navy, I naturally feel leadership is a key component of any successful organisation and I’ve seen a lot of evidence of it in my time at Harris.
As a well-established organisation, we are at the cutting edge of delivering exceptional education in London. So, if you want to work in education, whether that’s on the frontline in teaching or within a support function like mine, I believe this is a great place to work.
What does data protection management look like in our schools now?
In every one of our 48 academies there is a nominated Data Champion, who leads on data protection matters. They’ve been doing a great job of raising awareness and facilitating training, and act as my conduit in each academy.
When you walk into an academy, you’ll be able to identify quite clearly who the Data Champion is from the visible data protection awareness posters. They provide day-to-day operational oversight of data protection matters in their schools and are the point of contact for escalating any issues back to the Central team, such as a data incident or a complex Subject Access Request.
There are two types of data we handle at schools, can you explain what they are, the distinction and how they work at school level?
There are many categories of personal data, but if you were talking about two types it would be basic level personal data which can refer to any information, facts or opinions, recorded electronically or on paper, which identifies a living person and GDPR special category data.
Special category data needs additional protective measures to ensure it is processed securely. Such data includes an individual’s racial or ethnic origin, physical and mental health and biometric data.
Can you tell us a bit about the importance of personal data in schools?
Our academies process a tremendous amount of personal data on students, staff, parents and governors. It is really important that as a Federation and as individual academies, it is handled, stored and shared appropriately. The Federation, as the Data Controller, has clear data protection obligations and it is important we adhere to them. Ultimately, we have a duty to protect and safeguard children and the processing of their data forms part of that.
How are we, as an organisation, responding to GDPR laws and demonstrating compliance?
Firstly, the Federation has to have the right policies and guidance documents in place to ensure we are informing our staff and academies on how they should process data. The important thing here is not just to tell them ‘what’ the implications of the new legislation are, but articulate ‘how’ they should be doing things differently.
We acknowledge that for a lot of people this is a relatively new area, so have ensured it is a regular feature of INSET days and provided bespoke training for Data Champions and staff in key support areas such as IT, Finance, HR, Data, Health and Safety, Medical and academy administration. We have also produced an in-house data protection training video, which all staff are mandated to watch and complete a questionnaire so we can identify training needs.
In addition, data protection compliance is monitored with regular academy visits and is an integral part of the Federation’s ‘Compliance and Safeguarding Reviews’, which are conducted at academies throughout the academic year.
What would you say are the most important things for school leaders to consider when handling data?
I think school leaders need to fully appreciate that we are living in a digital age now, where it is all too easy to share data, especially with external third parties. Data handling errors can and do happen, so it is vital that leaders ensure data protection awareness is a regular feature at staff training days and particularly for new joiners to their academies. If staff know that the school leaders take data protection seriously they are more likely to buy in to the cultural change required in the post-GDPR world and adhere to best practice.
Recruitment is a large area of any organisation which directly affects and is affected by GDPR, what are the key things to consider in this arena?
A lot of personal data is gathered as part of any recruitment process, so it is really important organisations have a robust mechanism for sharing and storing such data. Emailing CVs around an organisation for example, is no longer a recommended practice and even prohibited in Harris. It’s also about being aware of the information you are handling, storing and sharing and ensuring you are treating it with the appropriate confidentiality which it warrants.
In a rapidly evolving digital age, what do you see as potential challenges for school leaders now?
There are various challenges that have arisen from the arrival of GDPR, but for me one of the key ones is the management of the information we hold. As we move away from holding lots of paper records we need effective and secure ways of managing electronic information, whether it be in Cloud storage or on Shared Drives. Schools need to understand the electronic data they hold, make sure it has the correct restrictions in place to prevent unauthorised access and ensure it is deleted in accordance with mandated retention periods.
At Harris we advocate that each category of information should have a nominated owner, who is responsible for it – ‘cradle to grave’ so to speak.
So, is it fair to say that there is more of a focus on this being a cultural risk and less of a technological risk as far as how schools respond to GDPR and Data Protection?
I think it is a combination of the two, you need to have the right ICT tools in order to manage your information, but it is also important that you have clear ownership of information. If you walk into someone’s office and see a filing cabinet and they have the keys, you know it contains information that they are responsible for and manage. The same principles must apply to information which is uploaded to central sharing networks or common drives. Without ‘ownership’ the information stored in an array of folders and subfolders becomes less clear and therefore more susceptible to mismanagement.
How are we as a Federation addressing potential data protection risks in our academies?
The first thing is to be aware of the risks and I think we know what most of them are at present. Coming up with effective plans to reduce them is the hard part! Increasing general data protection awareness amongst staff underpins all our efforts and this is especially important in schools, where there has always been a traditional high turnover of staff.
Subject access requests are also a challenge for academies. With the introduction of the GDPR, came an increased awareness across the UK about ‘rights of access’ to the personal information held by organisations on individuals. As a result, we have experienced a growing number of subject access requests, particularly from parents, which can and does place an operational demand on our academies. As the Data Protection Officer I have provided a lot of best practice advice to academies on how they should approach and deal with such requests.
Cyber security is a growing risk and we have invested a lot into ensuring our ICT systems are as best protected as they could be. Awareness again, plays a big part in making sure staff recognise and aren’t susceptible to cyber security risks such as phishing links and double checking payment portals.
We also have to think about the data sharing agreements we hold as a Federation, we share a lot of data with external third parties for a whole realm of lawful reasons. Whether it is the Department of Education, Local Authorities or education service providers, we need to ensure the due diligence is conducted and arrange for the appropriate data sharing agreements to be put in place.
What are some action points you can give to school leaders about handling data?
1. Have a nominated Data Champion, or a named member of staff who is the focal point for data protection matters and can deal with data incidents or queries as they arise.
2. Have a structured approach to how information is managed. This is fundamental to understanding what data your school holds, why you are holding it and who it is being shared with. Work out the different categories of data you hold and ensure each category has an appropriate high level owner.
3. Continue raising data protection awareness. This is so that data protection is an integral part of the school’s culture. Awareness training should be little and often, with a particular focus on new joiners, who may not be aware of the changes that GDPR has meant on day-to-day practices.
What is the last key message you have?
Across all types of educational establishments data protection must now be a key consideration for staff at all levels. Schools hold a vast array of personal data on children, parents and carers, staff and governors, which means there must be appropriate safeguards and procedures in place to ensure it is managed effectively and securely. The risks of not doing so are high, especially in this digital age.