Welcome to this month’s newsletter. There is a lot to get through so we are going to get straight to it!
The main topic this month focuses on reducing the risk of legal claims against your school as a result of data protection breaches and other data protection incidents. There is also:
- guidance on reducing data protection risk when using Teams;
- an update on Covid testing in primary schools including the privacy notice template required;
- a previously asked question about including teacher names within SAR data issued to pupils and/or parents;
- a reminder that we have extended our budget saving referral discount for 2021-22;
- a reminder of our new confidential waste disposal service; and
- the latest on the new and updated resources in Global Documents this month.
If you have any further questions about the topics below, or if you would like to book your next visit from us, either online using video conferencing or onsite once schools are accepting visitors, please get in touch via GDPR@schoolpro.uk. And don’t forget, if there is anything else that you need support with at this time, please ask and we will do whatever we can within our capacity to assist.
Stay safe and healthy!
Reducing the Risk of Legal Claims
Since October, we have worked with two separate schools that have received letters from ‘no win no fee’ solicitor firms regarding data protection breaches. Both of these breaches were relatively minor and did not involve a risk that warranted a report to the ICO. However, dealing with these claims takes time and resource away from other priorities within the school and we are still unable to confirm the outcome of either. The best advice we can give to you is how to best reduce your risk of breach and therefore your risk of also receiving a similar claim:
The most important action you can take is to reduce the risk of data protection breaches occurring in the first place. The main cause of data breach is human error so training staff and ensuring that they are aware of possible data protection risks is the key route to reducing your risk as an organisation.
We strongly recommend that staff receive training annually and will provide this service for you as your DPO. Many of you will already have completed training using our online training platform but, if your school hasn’t, we encourage this to be made an urgent priority. This training should be completed by staff throughout your organisation including governors, senior and middle leaders, administration and office staff, teachers and TAs, site staff, cleaners, and any other roles that may handle data.
Each claim letter that has come through has asked the school to identify when the staff members involved in the breach had last received training. Whilst this shouldn’t be the sole reason for conducting staff training, it is important nonetheless.
There are other methods of raising awareness that should also be considered, including posters and infographics in key work spaces and online staff shared areas, as well as reminders through staff briefings, newsletters, and CPD sessions. Global Documents contains examples of resources you can use for this, or speak to us if you need something bespoke.
- you have recently had a data protection audit from us as your DPO;
- governance has oversight of data protection across the organisation and that it is a standing agenda item at Governor and/or Trustees meetings;
- data mapping is completed and up to date;
- your suppliers (processors) are compliance checked, data processing agreements are in place if required, and you know if data is being transferred internationally (and, if so, it is being done using appropriate safeguards);
- your policies and privacy notices are up to date and available where necessary;
- you have risk/impact assessments (DPIAs) in place for high risk and large scale processing activities; and
- you speak to us as your DPO as part of your procurement process for new suppliers to ensure the appropriate checks and mapping updates are carried out prior to use.
Reducing Risk Using Teams for Video Conferencing
A common data breach that occurs in schools involves the unauthorised disclosure of personal data – in other words, sharing personal data with the wrong people or organisations!
At present, we see this most often where emails are sent to groups of individuals outside an organisation and the mailing list is set up in such a way that all of the email addresses are visible to all recipients. This is classed as an unauthorised disclosure and therefore a data breach. We are also seeing this a lot where schools are using video conferencing tools such as MS Teams and inviting individuals outside of their organisation to video meetings. Setting up a meeting for a group of parents, for example, can accidentally end up sharing email addresses with all participants. To avoid this kind of breach, it is important that the meetings are set up and configured appropriately.
Teams is primarily designed as an internal organisation collaboration tool, so there is no direct way to hide email addresses in Teams invites. Along with Cloud Happi, we have identified a number of ways to prevent this risk from occurring, although we recommend you test these before you try them on a group!
- In Outlook, open the Calendar and click on the menu icon “New Teams Meeting” and create your meeting.
- For the invitees, click on the word/button REQUIRED or OPTIONAL (both get you to the same place).
- In the dialogue box at the bottom, enter all the invitees’ email addresses in the resources box.
- Click OK.
- It may ask if you wish to update the location – click NO.
- Ensure the LOCATION box has something in it such as “Team Meeting” and NOT the email addresses.
- Send the invite, and each user will get an invite with no sight of any other invitees.
- Log into the online / web version of Outlook.
- Create a new event as a Teams event and then select ‘Hide attendee list’ from the ‘Response Options’ dropdown tab.
- Create a meeting in Teams without attendees.
- Copy the meeting link into an email and send to all attendees using the Bcc field for the attendees’ email addresses.
- Ensure that the meeting lobby is monitored during the meeting as anyone with the link can attempt to enter the meeting. This can cause a security concern if not monitored rigorously.
- If you are using Microsoft School Data Sync (SDS) to sync your organisation structure with Office365 and Teams, you may be able to use the new Parent and Guardian Sync feature to add these external contact details to the system. This is described here: Parent and Guardian Sync – School Data Sync | Microsoft Docs.
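A pre-send check for the disclosure described above, as an added example that is not SchoolPro's, Cloud Happi's or Microsoft's code: it reads a draft message and reports when two or more external recipients sit in the To or Cc fields, where every recipient can see them, rather than in Bcc. The domain school.example, the function names and the two sample drafts are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Assumption: the school's own mail domain(s); anything else counts as external.
INTERNAL_DOMAINS = {"school.example"}

def visible_external_recipients(raw_message, internal_domains=INTERNAL_DOMAINS):
    """Return the external addresses that every recipient can see (To and Cc)."""
    msg = message_from_string(raw_message)
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    seen = []
    for _name, addr in getaddresses(headers):
        addr = addr.strip().lower()
        domain = addr.rpartition("@")[2]
        if addr and domain not in internal_domains and addr not in seen:
            seen.append(addr)
    return seen

def discloses_addresses(raw_message, internal_domains=INTERNAL_DOMAINS):
    """True when two or more external recipients would see each other's address."""
    return len(visible_external_recipients(raw_message, internal_domains)) >= 2

# Constructed draft: parents listed in To, so each parent sees the others.
EXPOSED_DRAFT = (
    "From: office@school.example\n"
    "To: Parent One <parent.one@mail.example>, parent.two@mail.example\n"
    "Cc: head@school.example\n"
    "Subject: Parents' evening\n\n"
    "Join here: https://teams.example/meeting-link\n"
)

# Constructed draft: meeting link sent with parents in Bcc only.
BCC_DRAFT = (
    "From: office@school.example\n"
    "To: office@school.example\n"
    "Bcc: parent.one@mail.example, parent.two@mail.example\n"
    "Subject: Parents' evening\n\n"
    "Join here: https://teams.example/meeting-link\n"
)

if __name__ == "__main__":
    for label, draft in (("To/Cc draft", EXPOSED_DRAFT), ("Bcc draft", BCC_DRAFT)):
        print(label, discloses_addresses(draft), visible_external_recipients(draft))
```

A single external recipient in the To field is not flagged, because no other external recipient is there to see that address.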
Data Protection & Covid Testing in Schools
In January, we sent out the latest template privacy notice for primary school staff and the new Covid testing programme, which has been updated for you with our details as DPO.
If you missed that communication, the document is linked below and simply needs the school details added as well as a contact at the school. The document is also available in the Global Documents section of our data protection portal. There is also the link to the latest DfE guidance and the Google folder for Primary Schools Document Sharing.
For those looking for it, the Google Drive folder for secondary schools can still be found in our last newsletter which is elsewhere on our blog here:
Happy New Year from SchoolPro! – Newsletter 17 – January ’21
Previously Asked Question
We are asked data protection questions by schools on a daily basis and there are some questions that come up regularly. We now have an FAQ section on the website for these and all of our answers are published there. You can find this on the Data Protection page of the website or in the blog. Here is one of the questions we’ve been asked recently and the answer we have provided. We will publish more in future newsletters:
Should teacher names be disclosed in information contained in a Subject Access Request (SAR) by a parent or pupil?
The overall guidance regarding the Right of Access which covers SARs is as follows:
The specific area we want in this case is the guidance on Education Data:
In this guidance, it states, for example: “Parents can only submit a SAR for information about their child if the child is not competent to act on their own behalf or has given their consent.” This then links to further guidance (How do we recognise a subject access request (SAR)? | ICO) which clarifies how to make the decision around competency.
The guidance also states “if an educational record contains personal data relating to someone other than the requester (such as a family member), you must consider the rules about third-party data before disclosing it to the requester. However, you should not normally withhold information that identifies a teacher.”
On a side note, you also shouldn’t provide information that has been “supplied in a report or given as evidence to the court in the case of proceedings” or if “certain specific statutory rules apply to those [court] proceedings that allow the withholding of the data from the individual it relates to.” And you also shouldn’t provide information if you feel that disclosure could cause serious harm (“cause serious harm to the physical or mental health of any individual”).
The final piece of guidance which is of use in this case is this:
In here, it states the following about an education worker: “it is reasonable to disclose information about them without their consent, as long as the disclosure meets the appropriate ‘test’.”
The test being the following in the case of most of the education establishments we work with:
“For education workers, it meets the ‘education data test’ if the other individual is a teacher or other employee at a voluntary aided, foundation or foundation special school, an Academy school, an alternate provision Academy, an independent school or a non-maintained special school in England or Wales, and the information relates to, or was supplied by, the other individual in their capacity as an employee of an education authority.”
So it is unlikely that teacher names would be redacted from a SAR about a student except in exceptional circumstances.
Next month – we are going to look at what to do if you have concerns that data produced as part of a SAR, including teacher names, might be posted on social media or similar.
Referral Discount – Deadline Extended!
We have previously mentioned our budget saving triple referral discount deal because we know that budgets are tight. A number of schools have taken advantage of the offer and we want to remind you that it is still available and that we have extended the deadline for the offer.
We are offering you a triple referral discount for any new school that you refer to us and that signs up to our DPO service between now and the end of February 2021. We have extended the offer to allow more schools to benefit and save money. Our usual referral discount is 10% per school referred so this means you would get a discount of 30% off your school’s* subscription for 2021.
If you were to refer 3 schools to us by the end of February 2021 who all signed up to our DPO service, you would receive 90% off your school’s* subscription fee for 2021! Refer 4 or more schools and it will be free*!
Please note – maximum referral discount is 100% which would apply if 4 or more schools were successfully referred.
*Referral discount applies to annual fee for 2021-22 only.
*Referral discount applies differently to MATs. To discuss how this would apply to your MAT, please contact your DPO directly.
Confidential Waste Disposal Service
We would like to take the chance to remind you of our discounted secure confidential waste disposal service that we recently launched. This will have the added bonus of being fully documented and compliance checked by us as your Data Protection Officer.
Click on the button below and complete our short 30-second survey to register your interest and request a quote:
New & Updated Resources on the Portal
This month we have three new and one updated document resources for you in Global Documents.
We would also like to note that in the original Privacy Notice for Covid-19 Testing of Staff in Primary Schools document that we circulated, we made an error in one of the section headings. The heading “Who We Share Staff Data With” had the word “Pupil” in place of “Staff”. If you are using the template from that email, you will need to change that text. The version in Global Documents and linked to our blog post correctly uses the word “Staff”. Apologies for the inconvenience!
- DPIA for the Implementation and Use of Wonde
- Privacy Notice for Covid-19 Testing of Staff in Primary Schools
- DPIA for the Implementation and Use of Tapestry
- Template consent form
- Updated to include explicit listing of specific social media and other online platforms that the organisation may use to share images of pupils/students
Note – As a consequence of Brexit, organisations based within the UK are now subject to the UK GDPR which has replaced the GDPR. We are in the process of updating our key document templates to reflect this change. These documents will be uploaded to Global Documents over the coming weeks and we will notify you exactly which documents this is relevant to in March’s newsletter.
Data Protection in the News
Please contact us if you do have further questions at GDPR@schoolpro.uk.
SchoolPro TLC Ltd (2021)
SchoolPro TLC is not responsible for the content of external websites.