We hope that you had a great half term break whether it was last week, the week before or both, and are looking forward to a packed term… as well as the festivities at the end of it!
This month’s newsletter focuses on our document updates as we have provided updates for a wide-range of the document templates on our portal as well as some new templates to help you and reduce workload. And in light of the recent fireworks (politically, not literally!), we have an update on Brexit and how it is now looking likely to impact schools with regards to data protection.
If you have any further questions about the topics below, or if you would like to book a visit from us, please get in touch. Enjoy the new term and we hope to see you soon!
Document Updates: Policies and Privacy Notices
We have recently updated some existing, and added a number of new, documents to the Global Documents section of the online portal for you. The new and/or updated documents include the following:
- Data Processor Agreement (DPA) template – this can be used to formalise arrangements between your school and 3rd party processors, especially where a processor’s documentation doesn’t include a DPA of their own;
- Data Protection Impact Assessment (DPIA) template for a change of MIS – this can also be adapted for use as a DPIA for an MIS currently in use or for the implementation of another large-scale IT system (especially cloud-based) that will be processing sensitive/special category data;
- IRMS Tooklit for Schools v6 (2019) – this includes the retention schedule for schools and replaces the 2016 version 5 that we had on the portal prior to this;
- Data Protection Policy – this is an update to our previous version. When your Data Protection policy is next up for review, we would recommend using our most up to date template which this now is;
- Privacy Notices – all of our privacy notices have been updated to take into account the latest advice that has been published by the DfE. This includes pupil & parent and workforce privacy notices. As well as this, for the first time, we have put a privacy notice template up for School and Trust governance roles.
Brexit and Data Protection
Back in March, we issued the following advice to schools with regards to Brexit preparation and data protection:
“If we leave with no deal, schools may experience difficulties accessing data if it’s held on servers in another EU member state, because the UK will be considered a ‘third country’ for data processing purposes. For example, your school may use a cloud storage facility that’s provided by a company which has its servers in an EU member state (including the Republic of Ireland).
Our advice would be to speak to your ICT support provider and ask them to double check the data storage arrangements for the software systems that you use and identify if there are data transfers occurring outside the UK. You should ask them to ensure that your ability to function will not be impaired by any potential issues with data transfers as a result of a no-deal Brexit.
It is important to note that this is only in the event of a no-deal Brexit. If the withdrawal agreement is passed, there won’t be any immediate changes to data protection law and your school can continue processing data in the same way until the end of the transition period.“
Fundamentally, this advice has not changed. There is even more advice now published about how to deal with Brexit but, from a data point of view, the biggest impact will be if a no-deal exit occurs. And this will predominantly affect you receiving data from the EU if, for example, you are arranging exchanges or ski trips within the EU, or, as we said in our previous advice, if you have data stored in another EU country. If you are likely to be receiving data from a data controller within the EU (not from an individual but an organisation), then you will need to ensure that you have the appropriate standard contractual clauses (SCCs) in place if they aren’t already.
We are more than happy to support schools with this process should a no-deal exit look likely again. The most likely scenario at the moment seems to be that we will leave with a deal which should mean business as usual for your data, at least until the end of the transition period, currently scheduled to the end of 2020 but possibly as late as 2022!
Further advice can be found here:
Prepare Your School for Brexit – DfE’s general Brexit guidance for schools
Brexit Guide: Data Protection for Education Providers – DfE’s guidance on data protection and Brexit for education providers
Data Protection and Brexit – ICO’s advice on Brexit
GDPR in the News
No-deal Brexit data – should firms worry? – BBC.co.uk
Email addresses exposed in West Berkshire Council data breach – BBC.co.uk
Pubwatch scheme struggling with GDPR restrictions – Manx Radio
Tech and mobile companies want to monetise your data … but are scared of GDPR – The Register