The GDPR and Data Protection Act 2018 came into effect in May 2018. It is safe to say that a lot has changed in the 2 years since that day! We are continuing to support you through these challenging times so please contact us if you think that there is anything we can do to help out. And, exactly as we said in last month’s newsletter, we continue to be amazed by the fantastic work being done both in school and remotely by teachers and schools across the country!

In this month’s newsletter, we are going to look at some of the key lessons learnt since the GDPR and Data Protection Act 2018 became law two years ago. We also have more advice from the ICO and data security specialists about avoiding scams during the current lockdown as well as reminders and advice about staying safe whilst working remotely. And we have news about key document updates on our portal including our Data Protection Policy and Privacy Notice templates.

If you have any further questions about the topics below, or if you would like to book your next visit from us, either online using video conferencing or onsite once schools reopen, please get in touch via

Stay safe and healthy!

Two Years of the GDPR – What Have We Learnt?

Later this month, it will have been two years since the introduction of the GDPR and the Data Protection Act 2018. Here are some of the key lessons that we have learnt in that time:

  • Many Data Protection Officers (DPOs) are still not compliant.
    Following a Belgian ruling where an organisation was fined, organisations really need to identify a DPO with relevant experience and no conflict of interest.
    If you have colleagues in other schools or organisations where there is a concern that this is still an issue, don’t forget that we still offer you our 10% referral discount if they take on our DPO service through your referral.
  • Schools need to ensure that DPIAs are written and in place.
    These are the impact assessments that demonstrate that you are mitigating risk when you are mass processing data or you are processing high risk data. We are here to support you with getting these in place if you haven’t already so please speak to us and we can arrange this with you.
  • It is important to maintain good communication with your DPO.
    Schools must involve their DPO in decisions where new processing is being considered. It is important that we, as the DPO, are aware of new processing and can provide advice and guidance where required. Using the Data Decision log on the SchoolPro portal assists with this link.
  • Schools need to maintain ongoing compliance.
    Schools need to be keeping data maps up to date, recording processing activities, and ensuring that new processors are compliance checked. All of these things can be supported by us as your DPO.
  • Ensure that staff practice matches policy and processes.
    Although schools are moving towards better compliance, staff practice is slower to follow. Lots of breaches arise from avoidable human error which indicates a need for more training and regular refresher training so that staff don’t forget after the initial push. So book training in with us as soon as the national situation allows!
  • Common trends are arising in breaches.
    The most common type of breaches that we are supporting schools with at the moment involve electronic communication. Examples include personal information sent to unintended recipients by mistake, or email addresses CC’d into group emails instead of being blind copied. Procedures should be in place to ensure that personal information is always password protected, encrypted or sent by other secure systems, and staff need to be following these procedures. This would, on its own, hugely reduce the number of breaches reported to us by our schools.
  • Common trends are arising in SARs.
    More than 90% of the Subject Access Requests (SARs) that we support schools with come from parents rather than any other stakeholder.

Protecting You and Your Staff from Covid-19 Scams

The coronavirus pandemic has seen a number of scams arise as criminals seek to take advantage of organisations and their staff. Many of these are targeting businesses but they could equally be targeted at schools so it is wise to be prepared and aware of what the risks are:

Invoice/mandate scams – An organisation may be contacted out of the blue by someone claiming to be from a regular supplier. They state that their bank account details have changed and will ask you to change the payment details.
Never rush a payment. Use contact details that you have used before to check that it is genuine.

CEO impersonation scams – A sophisticated scam that plays on the authority of company directors and senior managers. A member of staff receives a phone call or email from someone claiming to be a senior member of staff – they ask for an urgent payment to a new account and instil a sense of panic. Scammers may even hack a staff email account or use spoofing software to appear genuine.
Be cautious about unexpected urgent requests for payment and always check the request in person if possible.

Tech support scams – With more people working remotely and IT systems under pressure, criminals may impersonate well-known companies and offer to repair devices. Criminals are trying to gain computer access or get hold of passwords and login details. Once they have access, criminals can search the hard drive for valuable information.
Always be suspicious of cold callers. Genuine companies would never call out of the blue and ask for financial information.

Information provided by the GFirst LEP ( and Businesses Against Scams – a new element of the successful Friends Against Scams initiative, run by National Trading Standards to provide free online training to protect and prevent people from becoming victims of scams

The ICO also has information on staying one step ahead of the scammers on their Your Data Matters blog.

Staying Safe Whilst Working Remotely

Last month, we shared advice about keeping your staff safe whilst working from home including advice from the ICO. This month, they have produced ten top tips for working securely whilst working from home that we would encourage you to share with your staff:

  1. Follow your organisation’s policies, procedures and guidance.
  2. Only use approved technology for handling personal data.
  3. Consider confidentiality when holding conversations or using a screen.
  4. Take care with print outs.
  5. Don’t mix your organisation’s data with your own personal data.
  6. Lock it away where possible.
  7. Be extra vigilant about opening web links and attachments in emails or other messages.
  8. Use strong passwords.
  9. Communicate securely.
  10. Keep software up to date.

More information and advice from the ICO about this topic can be found in their working from home hub.

As well as this, here is another resource to help staff stay safe during this period of time provided by Cyber Security Associates:


Download Staying Safe When Working From Home

Useful Links

How We Will Regulate During Coronavirus – ICO

ICO – News, Blogs and Speeches – ICO

Coronavirus (COVID-19): Guidance for Schools and Other Educational Settings – GOV.UK

Reducing Burdens on Educational and Care Settings – GOV.UK

Case studies: remote education practice for schools during coronavirus (COVID-19) – GOV.UK

The Skills Toolkit – National Careers Service

Tech Tip – Setting A Background in Microsoft Teams – Reformit

Document Updates

We have recently updated a number of policies and privacy notices for you which you can find on the portal. The documents updated are:

  • Data Protection Policy Template
  • Data Protection Policy (for Hospital Education & Alt. Schools) Template
  • Privacy Notice for Hospital and Alt. School Pupils and Parents
  • Privacy Notice for Primary Academy Pupils and Parents
  • Privacy Notice for Primary School Pupils and Parents
  • Privacy Notice for School and Trust Governance Roles
  • Privacy Notice for Secondary School Pupils and Parents
  • Privacy Notice for Academy Workforce
  • Privacy Notice for School Workforce

These documents have increased rigour around the conditions of processing for special category data and criminal offence data as well as a few other minor updates.

Going forward, we are adding a ‘Document Version Control Log’ to the start of each document to detail the changes that we’ve made each time they are updated. This has been requested by schools and will make it easier for you to identify what is different to previous versions without having to scan through the entire document.

We have also added all of our Covid-19 resources including our action plans, risk assessment template, infographics and staff training fact sheets – all of which can also be found on this blog.

Data Protection in the News

Zoom faces a privacy and security backlash as it surges in popularity – The Verge

Coronavirus: Call for single EU tracking app with data protection – BBC

Microsoft Teams doubles down on security advice – TechRadar

Aptoide data breach leaks personal info of over 20m users of the Android app store – 9To5Google

EU privacy body urges anonymization of location data for COVID-19 tracking – TC

Nintendo confirms 160,000 accounts accessed in huge privacy breach – Eurogamer

Exercise app accused of “massive data leak” – CyclingTips

Stuck at home, UK lockdown DIY fans slammed with Robert Dyas data breach – ZDNet

Sheffield data breach: Drivers’ details ‘leaked’ online – BBC

Please contact us if you do have further questions at

SchoolPro TLC Ltd (2020)
SchoolPro TLC is not responsible for the content of external websites