Our newsletter has a new format this month. We have moved a lot of the written content to our here in our blog. This should make it easier to skim down the email newsletter and identify the content that is relevant to you more quickly! See below for the full details on each article.
The main topic this month focuses on the new DfE Daily Attendance Data Collection that has been in circulation over the past week or so. The DfE has contracted Wonde to process this and we have been investigating for you. Your questions answered below. There is also:
- information about other processor updates that will impact your risk assessments of these suppliers – ParentMail, ParentPay, and Wonde;
- an introduction to our new company Wildstep and its re-wilding programme;
- our new partner spotlight highlighting a company we work with and recommend;
- the latest information on recent and current cyber threats;
- a previously asked question about possible exemptions applicable to Subject Access Requests; and
- the latest on the new & updated resources in Global Documents since the last newsletter.
You can still download our ‘All Staff’ update based on the content of this newsletter by clicking on the image to the side.
And, as always, if you have any further questions about the topics below, or if you would like to book your next visit from us, either online using video conferencing or onsite now many schools are accepting visitors, please get in touch via our new email address DPO@schoolpro.uk.
Don’t forget, if there is anything else that you need support with at this time, please ask and we will do whatever we can within our capacity to assist.
Stay safe and healthy!
DfE Daily Attendance Data Collection & Wonde
The DfE have recently been in contact with schools about the trial for their new daily attendance data collection through their processor, Wonde. The short answer is that you can participate in this trial if you want your school to. However, there are some considerations that you should take regarding this:
Wonde is contracted as a processor by the DfE for the purposes of this data collection. Appropriate contracts are in place between the DfE and Wonde, and compliance and due diligence has been conducted by the DfE. The school is the data controller and Wonde is the data processor. In this case, the DfE is also data controller and becomes controller at the point it receives data from Wonde’s secure portal.
DPO advice: Ensure procedures have been well communicated with relevant staff. Clarify that these staff are clear with regard their specific roles and responsibilities around the system and that appropriate training has been undertaken for staff in the relevant positions.
Technical and other recommendations to be clarified as follows:
- Ensure that parents and pupils have access to the DfE privacy notice and Q&A document.
- Ensure that approval in place for essential data only for integration.
- Data will be updated for up to 7 days after the date of registration so it is important for schools to ensure full accuracy of data within 7 days in school MIS to ensure full data accuracy collected by the DfE.
Important points to note
- Wonde state that they are unable to revoke access to data integration at the point of cancellation/termination of the contract. Wonde rely on the controller to adjust these manually or by explicitly requesting that they do this. It is important that the school is aware of this and revokes permissions where required upon cancellation.
- Any attendance codes that are entered or changed up to 7 days after the date of registration will be automatically reflected in the data sent/synced with the DfE.
- The DfE state they are not collecting information that is recorded in the comments fields on the school’s MIS.
- The daily data collection will not be used for funding purposes.
- During April ’22, schools should be able to view their own data using the View Your Education Data service (VYED).
We have also written a DPIA for this new process as it is distinct from any other process you may already have with Wonde where you contract them directly. The DPIA can be found in Global Documents on the portal.
Whilst working with our schools over the past few weeks, we have identified some updates that are required to the risk assessments to a few processors. These include actions that you should take as a school if you use one of these. The processors are:
ParentMail - warning that the system does not fully sync to your MIS
We have been in discussion with ParentMail (IRIS Software Group) with regards to the way their product syncs with school MIS and the need for verification of details changes by parents when they have been initiated by the MIS sync. There was also a discussion regarding the lack of write-back to the school MIS if details are changed in ParentMail by the parents themselves. It is important that this is clarified for the purposes of data accuracy and to reduce the risk of incidents where ParentMail and the school’s MIS don’t match. To assist with this, ParentMail has agreed to the following:
ParentMail will make a report available within a reasonable time-frame to ensure schools were able to immediately identify change requests, where they had been instigated and if they were synced with the MIS or not.
ParentMail will be updating the verified changes report as follows:
- Update Verified Changes report to include rejected and pending change requests
- Add a new column to the report to the left of the Approval Date column called “Status” and include Approved, Rejected, and Pending. (Rejected will require a date)
- Add an Alert to the Overview page enabling the school admin to address data change requests by including a link to launch the verified changes report. This action should clear the alert from the overview page.
- The alert should only display if there have been changes since the report was generated last.
ParentMail have also emphasised the following 2 links that should accurately describe how data is synchronised between ParentMail and the MIS system. There is also information about the how the Verified changes report currently works.
ParentPay - new sub-processor added for data storage
ParentPay have notified their users of a new data centre that they are using which is provided by a new sub-processor. ParentPay have made assurances in their communication that appropriate contracts are in place and GDPR-compliance has been confirmed with this new sub-processor. Consequently, we have added the following to the ParentPay DPIA with regards the cloud infrastructure provided by them:
As of February ’22, to improve the resilience and scalability of services, ParentPay has expanded their network and added a secure data centre facility in London. The additional data centre is operated by a new supplier not used previously: CAE Technology Services Ltd. Under normal circumstances, the supplier’s engineers will not be granted access to school data.
Wonde - warning that permissions are not automatically revoked on contract termination
Due to recent interaction with Wonde from a couple of our schools, we have added the following text to our standard Wonde DPIA and recommend that schools that use the system are aware of this as it is not currently made explicitly clear by Wonde themselves:
Important point to note – Wonde state that they are unable to revoke access to data integration at the point of cancellation/termination of the contract. Wonde rely on the controller to adjust these manually or by explicitly requesting that they do this. It is important that the school is aware of this and revokes permissions where required upon cancellation.
Wildstep – Invest in the Wild
As part of our climate commitment, we have recently setup a new company called WildStep. The aim of the company is to invest in the land and re-wild our outdoor spaces. We have recently purchased our first piece of land for this project and want to involve schools and education establishments in our re-wilding venture. We will be in contact soon with more detail on how you can invest in our project or sponsor parts of the re-wilding programme. For now, you can read more about the project here:
Each month we throw the spotlight on a different partner. This month it is Delegated Services, a regional not for profit that provides support services for the education sector including H&S, Property and Facilities Management, Safeguarding, Risk Management, Training, SMT and Governor Consultancy.
Recent and Current Cyber Threats
Increased Ransomware Threat
UK, US, and Australian cyber experts are warning of a “growing wave of increasingly sophisticated ransomware attacks”. Lindy Cameron, the chief executive of the UK National Cyber Security Centre (NCSC), has warned that ransomware is “a rising global threat with potentially devastating consequences”. Organisations can get advice about how to prevent and protect against ransomware at the NCSC ransomware hub here:
Warnings have also gone out in the past fortnight with regards to an increased cyber threat as a possible consequence of the on going situation in Ukraine. More information on what actions you can take can be found here:
Phish Kits that can Beat Multi-Factor Authentication
Enterprise security company, Proofpoint, has warned that cyber criminals have found a way to beat multi-factor authentication by using phish kits. The kits leverage transparent reverse proxy, enabling them to man-in-the-middle (MitM) a browser session, steal the multi-factor authentication tokens, and bypass this trusted layer of security.
Reporting Suspicious Emails to the NCSC
How to report emails to the NCSC’s Suspicious Email Reporting Service (SERS) using Office 365’s ‘Report Phishing’ add-in for Outlook –
Previously Asked Question
What are the common exemptions that may apply in the case of a Subject Access Request?
When preparing data for a Subject Access Request, it is important to remember that there are a number of exemptions that could apply to the data. This list is by no means exhaustive but it includes the exemptions we think are most likely to apply to data requested of a school. Any, all, or none of these exemptions may apply to your data when requested and, if you are unsure, please speak to us as DPO:
- Information about others. There is an exemption in the DPA 2018 that says the school does not have to comply with a SAR, if doing so means disclosing information which identifies another individual, except where the other individual has consented to the disclosure, or it is reasonable to comply with the request without that individual’s consent. For example, information about witnesses to an incident would apply here.
- Confidentiality. A duty of confidence arises where an individual discloses genuinely ‘confidential’ information (ie information that is not generally available to the public) to the school, with the expectation that it remains confidential. This tends to apply in specific situations such as during a counselling session, medical appointment or similar. The SAR guidance and DPA 2018 do provide examples but the list is not exhaustive. As data controller, you can decide if you think there is an expectation around the confidentiality of data.
- Crime and taxation: general. Personal data processed for crime purposes is exempt from the right of access. These purposes are the prevention or detection of crime, or the apprehension or prosecution of offenders. This exemption applies only to the extent that complying with a SAR is likely to prejudice one of these crime purposes. Unlikely in the case of most education establishments but is possible.
- Child abuse data. Child abuse data is personal data consisting of information about whether the data subject is or has been the subject of, or may be at risk of, child abuse. This includes physical injury (other than accidental injury) to, and physical and emotional neglect, ill-treatment and sexual abuse of, an individual aged under 18.
- Education data – processed by a court. This exemption can apply to education data (personal data in an educational record) processed by a court which is relevant in this case. The exemption applies if the education data is supplied in a report or evidence given to the court in the course of proceedings; and those proceedings are subject to certain specific statutory rules that allow the education data to be withheld from the individual it relates to.
- Education data – serious harm. This exemption applies to the extent that complying with the right of access would be likely to cause serious harm to the physical or mental health of any individual.The key phrase here is “any individual”. So if you think there is a risk of harm to “any individual” in releasing certain data, this data becomes exempt. That could be a risk to the requester themselves or anyone else mentioned (or not) in the data. Or any other individual linked to the data.
- Confidential References. This exemption applies to personal data consisting of a reference given (or to be given) in confidence for the purposes of education, training, or employment of the data subject; the placement of the data subject as a volunteer; the appointment of the data subject to any office; or the provision by the data subject of any service. This is also applies to the “prospective” enactment of any of these options.
- Exam scripts and exam marks. Personal data consisting of information recorded by candidates during an exam is also exempt, as well as data consisting of marks or other information processed for the purposes of determining the results of an exam or in consequence of the determination of the results of the exam. There is more detail to this within the DPA 2018 which also explains time limits for providing certain types of data relating to exams so, if exam data is included in a request, we recommend reading that (link below) or speaking to us directly.
So any data that falls under one of those exemptions would be redacted and not included. You should always record what exemptions you are relying on for each data and why. You should also explain to the data subject which exemptions you have applied and why. However, it may be that giving that information prejudices the use of the exemption so there are some instances where you may have to tell the data subject that you can’t tell them exactly what has been redacted, why, and under which exemption. You also have to be able to defend your decision if they challenge it and/or complain to the ICO.
Remember, our role is to help you apply the legislation correctly and we will provide you with advice and guidance as to how to do that. Please ask!
Next month – we are going to look at whether staff working remotely abroad require international transfers of data and relevant safeguards being implemented.
New & Updated Resources on the Portal
Since our last newsletter, we have added seven new documents and two updated documents:
- DPIA – Canvas (LMS Software Service) – Instructure Inc.
- DPIA – Change of MIS to Arbor
- DPIA – Change of MIS to Arbor – Appendix (Arbor’s Compliance with GDPR)
- DPIA – OpenApply (School Admissions & CRM) – Faria Education Ltd
- DPIA – Payroll Software – FS4S (Juniper Education Group)
- DPIA – Wonde – DfE Attendance Data Collection
- Privacy Notice – Guest WiFi Users
- DPIA – ParentPay
- Addition of new sub-processor.
- DPIA – Wonde
- Updated risks and DPO guidance.
Data Protection in the News
SchoolPro TLC Ltd (2022)
SchoolPro TLC is not responsible for the content of external websites.