Happy New Year!

We hope that you managed to get some kind of break over the Christmas period although we are well aware of the ongoing and ever-changing situation and the strain that can put on you and your teams. Don’t forget, if there is anything else that you need support with at this time, please ask and we will do whatever we can within our capacity to assist.

The main topic this month focuses on keeping your DPO in the loop and ensuring that they are aware of all data protection activity within the school. This includes changes in your data processes, decision-making that may impact on data protection, updates to suppliers, and changes to key personnel within your school. There is also:

  • the latest about data protection and Brexit;
  • an update on Covid testing in schools including the privacy notice template required;
  • a previously asked question about School Governors using school email accounts;
  • a reminder that we have extended our budget saving referral discount for 2021-22;
  • a reminder of our new confidential waste disposal service; and
  • the latest on the new and updated resources in Global Documents this month.

After the announcement of the new national lockdown, we also want to remind you of the guidance and resources that are freely available for you to use at this time. They can all be found in the Global Documents section of the portal as well as from the links below:

COVID-19 Daily Risk Assessment for Schools and Hubs
DPIA – Online Live and Recorded Lessons (Remote Learning)
DPIA – Online Live and Recorded Lessons & Events (Remote Learning & Events)
DPIA – Storage and Communication of Health & Medical Data – Coronavirus Update
Infographic – Conducting Virtual Governor Meetings
Infographic – Conducting Virtual Interviews
Infographic – Conducting Virtual Staff Meetings
Infographic – Live Lesson Streaming
Infographic – Safe Remote Learning
Training – Working From Home Securely – Fact Sheet

Please note – these documents are up to date at the time of writing for this newsletter. Where they do get updated, the latest, most up to date version of the documents can be found in Global Documents. Each month we notify you which documents we’ve updated in the newsletter.

The Key have also made a lot of their remote learning resources available to non-members temporarily including this page about loaning IT equipment to pupils with resources such as exemplar loan agreements:

Remote learning: loaning IT equipment to pupils and staff | The Key for School Leaders (thekeysupport.com)

If you don’t have any resources to hand out to pupils but know that you have pupils without access to laptops or computers at home, there are useful resources circulating online that explain how pupils can access Office365 or Google Classroom through their games consoles if they have those as an alternative. These are easily found through a quick Google search.

If you have any further questions about the topics below, or if you would like to book your next visit from us, either online using video conferencing or onsite once schools are accepting visitors, please get in touch via GDPR@schoolpro.uk.

Stay safe and healthy!

Keeping Your DPO Involved

In order to maintain ongoing compliance with Data Protection legislation, it is important that your Data Protection Officer (DPO) is fully aware of and involved in any changes within your school, college or Trust that could impact the data protection function of the organisation. This includes, although is not limited to, the following:

Updates to your Records of Processing Activities (ROPA)

Your ROPA is a “formal, documented, comprehensive and accurate… [record] based on a data mapping exercise that is reviewed regularly”. (ICO) Among other things, this will include the following:

  • your organisation’s details and identification of controller or joint controller status;
  • the purposes of your processing;
  • the categories of individuals and personal data you process;
  • the categories of recipients of personal data you process;
  • any transfers to third countries you make including a record of the transfer mechanism safeguards in place;
  • retention schedules;
  • a description of the technical and organisational security measures in place; and
  • an internal record of all processing activities carried out by any processors on behalf of your organisation.

This information will be contained within a number of documents including your data map, privacy notices, retention schedule and policy documents.

When making changes as an organisation, for example, bringing in a new system for the school, college or Trust, you should record your decision-making process, conduct risk assessments where appropriate, and ensure your ROPA is updated to reflect this.

Your DPO should be part of this process to input into decision-making, assist with risk assessing, and oversee ROPA updates. For this to be effective, the DPO should be involved at the earliest possible stage of the process.

For example, you decide as an organisation to bring in a new system for processing safeguarding data. Once this decision has been made, the following occurs:

  • You seek quotes for 3 systems which you can take to Governors.
  • At this point, your procurement process triggers a notification to the DPO that a new system is being investigated.
  • Once you have 3 systems identified, the details are sent to the DPO who can conduct compliance checks on each including identifying any third country transfers, security measures in place and so on. If any of the options are not compliant, this can then feed into the decision-making process.
  • Once the final system is identified, the DPO can then highlight the need for a full risk assessment (DPIA) due to the sensitive nature of the data in this example. The DPO can assist the school in completing this and identifying any practice and procedures that need to be implemented as a result. This should occur before the system itself is put in place.
  • (Note, for a lower risk system, a Data Decision can be recorded rather than a full risk assessment (DPIA)).
  • The ROPA then needs updating to take into account the new system. This includes updating the data map, privacy notices and other relevant documents.

As you can see, it is important that the DPO is involved at the start of this process to ensure that your organisation remains compliant throughout.

Changes in key personnel within your organisation

This is a relatively simple one. If you know that the main point of contact for us within your organisation is leaving and will be replaced by another member of staff or someone new to your organisation, please ensure that we are notified so that we can maintain lines of communication with the school and keep our systems up to date with the correct personnel.

Data Protection and Brexit

With the transition period now at an end, we have clarity about the deal that has been struck with the EU and the ICO has released a statement regarding the current situation from a data protection perspective. In case you missed our update over the holidays, here is the key message.

Essentially, it is good news. A six month extension has been agreed for personal data flows to and from the EU/EEA and UK which means there are no immediate changes needed regarding these data transfers. We hope that an adequacy decision is made for the UK by the European Commission by the end of this extended period so that data flow can continue as is between the UK and the EU/EEA. We will, of course, be looking at contingencies for you in the event that this decision is not made.

The full ICO statement can be found here: ICO statement in response to UK Government’s announcement on the extended period for personal data flows, that will allow time to complete the adequacy process | ICO

Data Protection & Covid Testing in Schools

We have heard back from the DfE with regards to our queries on School Covid Testing and data protection. The DfE has prepared a template privacy notice as well as FAQs for parents regarding the testing and use of data. We have updated the privacy notice to our template and added our details as DPO for you. The updated privacy notice and FAQ document are available in Global Documents on our portal. You can also download them here:

Privacy Notice – School and College Covid Testing

COVID-19 Testing FAQs for Parents

We have also been sent a link by the DfE to a Google Drive folder which includes all of their documentation regarding mass testing including their original templates. This can be found here:  Folder – Google Drive.

We do recommend that you add a reference to the consent form stating that pupils’ data will be used in line with the school’s Covid testing privacy notice and providing a link to this.

After the announcement on Monday night and the new lockdown, it is our understanding from the guidance that testing will still continue for staff and those pupils attending secondary schools and colleges.

Previously Asked Question

We are asked data protection questions by schools on a daily basis and there are some questions that come up regularly. We now have an FAQ section on the website for these and all of our answers are published there. You can find this on the Data Protection page of the website or in the blog. Here is one of the questions we’ve been asked recently and the answer we have provided. We will publish more in future newsletters:

Should Governors use school email accounts?

There are a couple of different ways to look at this situation.

  • Firstly, the school is the data controller. As the data controller, the school should be retaining control over its data and that includes communication conducted by and on behalf of the school. The best way to do that is to ensure that it stays within the school’s systems – so, in the case of email, within the school’s email systems. 
  • Secondly, as the data controller, data protection by design is the overarching priority of data law. Anything that doesn’t give the school as the controller the ability to implement controlled security designed into a system is in fact against the principle of data law… ergo if the school chooses to design their email system to ensure security of data, the governors and clerk must use the system. Using their own email does not allow for that design and is a problem. You don’t know what security, backups, archives and so on they have in place on their email system so can’t guarantee the protection of any data that may end up in that system. 
  • Thirdly, from a practical point of view, the school should always be able to audit any data that it controls including monitoring and audit of emails if necessary. If someone is working on behalf of the school and is using a personal email address instead of the school’s, the school is unable to audit or monitor that without requesting access to that person’s email account. There is always a risk that if that were the case, the school would be able to access other personal emails on that system that they shouldn’t. 
  • Fourthly, and this links to the previous point, when the school is given a SAR, it should be able to search all of its systems for any data regarding the data subject that has put in the request. This could include emails if that has been specified in the request. Someone using a personal email for school business does not give the school easy searchable access to their emails for data in this sort of situation which puts the school at risk of not being able to disclose all of the information it holds.

Referral Discount – Deadline Extended!

We have mentioned previously about our budget saving triple referral discount deal because we know that budgets are tight. A number of schools have taken advantage of the offer and we want to remind that this is still available and we have extended the deadline for the offer.

We are offering you a triple referral discount for any new school that you refer to us and signs up to our DPO service between now and February half term 2021. We have extended the offer to allow more schools to benefit and save money. Our usual referral discount is 10% per school referred so this means you would get a discount of 30% off your school’s* subscription for 2021.

If you were to refer 3 schools to us by February half term 2021 who all signed up to our DPO service, you would receive 90% off your school’s* subscription fee for 2021! Refer 4 or more schools and it will be free*!

Please note – maximum referral discount is 100% which would apply if 4 or more schools were successfully referred.
*Referral discount applies to annual fee for 2021-22 only.
*Referral discount applies differently to MATS. To discuss how this would apply to your MAT, please contact your DPO directly.

Confidential Waste Disposal Service

We would like to take the chance to remind you of our discounted secure confidential waste disposal service that we recently launched. This will have the added bonus of being fully documented and compliance checked by us as your Data Protection Officer.

Click on the button below and complete our short 30-second survey to register your interest and request a quote:

New & Updated Resources on the Portal

This month we have two new and one updated document resources for you in Global Documents:

New Documents

  • Privacy Notice for School and College Covid Testing
  • DfE produced FAQs for parents regarding Covid Testing

Updated Document

  • Template consent form
    • Updated to include explicit listing of specific social media and other online platforms that the organisation may use to share images of pupils/students
Data Protection in the News

Tech Tent: Who wants a digital vaccine passport? | BBC News

Google fined £91m over ad-tracking cookies | BBC News

Google and Amazon fined €135M over misuse of cookies by French data watchdog | The Verge

Massive Instagram ‘click farm’ found following data breach | TechRadar

How To Check If Staff Emails Are in Data Breaches | cloudsavvyit.com

45 million medical scans from hospitals all over the world left exposed online for anyone to view – some servers were laced with malware | The Register

Twitter fined by Ireland over bug that made private tweets public, in world first for EU data privacy law | The Independent

Facebook users in UK will be moved to US terms and lose European privacy protections after Brexit, company announces | The Independent

Apple will require privacy “nutrition labels” from developers starting December 8th | The Verge

WhatsApp goes after Apple over new privacy label requirements | Axios

People’s Energy data breach affects all 270,000 customers | BBC News

Ethical power supplier People’s Energy hacked, 250,000 customers’ personal info accessed | The Register

Dutch officials say Donald Trump really did protect his Twitter account with MAGA2020! password | The Register

Menstruation apps store excessive information, privacy charity says | Society | The Guardian

Unsecured Azure blob exposed 500,000+ highly confidential docs from UK firm’s CRM customers | The Register

T-Mobile rounds out this awful year with another data breach, affecting hundreds of thousands of subscribers | androidpolice.com

US regulators open privacy probes into tech giants | BBC News

Facebook and Instagram disable features in Europe | BBC News

Twitter fined £400,000 for breaking EU data law | BBC News

ICO fines Ticketmaster UK Limited £1.25million for failing to protect customers’ payment details | ICO

ICO to recover £250,000 fine from Manchester claims management firm | ICO

ICO warns public to be vigilant against pensions cold callers | ICO

UK political parties must improve data protection practices | ICO

​Please contact us if you do have further questions at GDPR@schoolpro.uk.

 

SchoolPro TLC Ltd (2021)
SchoolPro TLC is not responsible for the content of external websites.