In order to maintain ongoing compliance with Data Protection legislation, it is important that your Data Protection Officer (DPO) is fully aware of and involved in any changes within your school, college or Trust that could impact the data protection function of the organisation. Here is one example of where this is really important:
Updates to your Records of Processing Activities (ROPA)
Your ROPA is a “formal, documented, comprehensive and accurate… [record] based on a data mapping exercise that is reviewed regularly” (ICO). Among other things, it will include the following:
- your organisation’s details and identification of controller or joint controller status;
- the purposes of your processing;
- the categories of individuals and personal data you process;
- the categories of recipients of personal data you process;
- any transfers to third countries you make including a record of the transfer mechanism safeguards in place;
- retention schedules;
- a description of the technical and organisational security measures in place; and
- an internal record of all processing activities carried out by any processors on behalf of your organisation.
This information will be contained within a number of documents including your data map, privacy notices, retention schedule and policy documents.
When making changes as an organisation, for example, bringing in a new system for the school, college or Trust, you should record your decision-making process, conduct risk assessments where appropriate, and ensure your ROPA is updated to reflect this.
Your DPO should be part of this process to input into decision-making, assist with risk assessing, and oversee ROPA updates. For this to be effective, the DPO should be involved at the earliest possible stage of the process.
For example, you decide as an organisation to bring in a new system for processing safeguarding data. Once this decision has been made, the following occurs:
- You seek quotes for 3 systems which you can take to Governors.
- At this point, your procurement process triggers a notification to the DPO that a new system is being investigated.
- Once you have 3 systems identified, the details are sent to the DPO who can conduct compliance checks on each including identifying any third country transfers, security measures in place and so on. If any of the options are not compliant, this can then feed into the decision-making process.
- Once the final system is identified, the DPO can then highlight the need for a full risk assessment (DPIA) due to the sensitive nature of the data in this example. The DPO can assist the school in completing this and identifying any practice and procedures that need to be implemented as a result. This should occur before the system itself is put in place.
- (Note: for a lower-risk system, a Data Decision can be recorded rather than a full risk assessment (DPIA).)
- The ROPA then needs updating to take into account the new system. This includes updating the data map, privacy notices and other relevant documents.
As you can see, it is important that the DPO is involved at the start of this process to ensure that your organisation remains compliant throughout.
SchoolPro TLC Ltd (2021)