Lynne Taylor, founder and co-CEO of GDPR in Schools, discusses how schools can support staff to improve awareness and training around GDPR.
Data is an essential component of modern schools and something which most will have in abundance, from sensitive student information such as biometrics and medical details to data on teachers’ CPD and unions. Under the GDPR and Data Protection Act 2018 (DPA2018), schools have had to rethink the way they collect, manage and store this data, with a particular focus on improving staff awareness of best practices. Now, almost two years on, we must ask the question: do staff members fully understand their data protection responsibilities?
Stepping up awareness
According to the latest ICO audits, schools and MATs need to step up their efforts to raise staff awareness. The audits, carried out by the ICO Assurance Team, assessed hundreds of schools across 11 MATs on key data safeguarding processes, with many scoring ‘Reasonable’ and ‘Limited’ in the ‘Training & Awareness’ category. It is not that schools do not care about keeping student data safe; it is simply that they have not had the right resources and knowledge thus far to properly train staff.
The updates to the data protection legislation are new for everyone, including the education sector. Ensuring staff members understand their responsibilities with better resources, training and best practice tips for keeping data secure must take priority going forward.
School-wide data responsibility
The shift to data protection becoming a whole-school responsibility was one of the biggest changes to come out of the updated data legislation. The challenge is that most headteachers, teaching assistants, kitchen staff and so on will not have traditionally seen themselves as accountable for data security; this perception is precisely what the updated data protection laws are designed to change. As a data controller, the school is fully accountable for data protection. It is no longer up to the IT team alone to take care of compliance; each staff member has a duty of care to ensure the data which they encounter is managed safely and securely.
Data mapping
Schools should be communicating these changes to their teachers and wider workforce. In many cases, knowing what constitutes personal and special category data in the first instance is confusing in itself. Creating a data ecosystem is a useful first step to help staff visualise the types of data which come into the school, where this information is coming from, who it is used by, where it is stored and which persons and organisations the data goes to once it leaves the school. Such training sessions are invaluable as they encourage staff to consider the different points at which data can be vulnerable, as well as giving the school Data Protection Officer (DPO) an opportunity to explain key terms such as the difference between ‘personal data’ and ‘Special Category Personal Data’.
It is also beneficial for the DPO to lead department-specific sessions to boost data awareness. Here, teams can map out what information they hold and who comes into contact with it, examine the lawful basis for holding and processing this data and review their security controls and disposal practices. For example, staff members might not have considered how leaving a piece of paper detailing a child’s allergy information on the teacher’s desk would pose a data breach risk. Looking at scenarios such as this along with data mapping will help staff to engage with their GDPR data responsibilities.
Role-based data protection training
Staff training was also highlighted by the ICO as a key area in which schools can improve, and role-based training is essential to help staff understand their specific obligations. Furthermore, sector-specific role-based training is now an expectation of the ICO during school visits. Schools should take advantage of role-based training videos which explain the different types of data breaches that can occur in each position, helping staff to identify and prevent potential leaks. Holding group training sessions and encouraging staff to discuss best practices will enable everyone from teachers to administrators to correctly follow data compliance.
Everyone is accountable
Ultimately, the key message for schools to convey to staff is that of accountability. Supporting staff to understand their data responsibilities through data mapping and scenario-style learning sessions, as well as holding in-depth role-specific training, is essential so that staff can appreciate the ‘why’ behind data protection. The Trust managers, senior leaders and key staff within schools can further set the example by leading privacy and risk assessment throughout the departments. Creating a better culture of data protection awareness and accountability will help staff to recognise and implement new data protection controls and measures.