News / National Pupil Database

Half of schools have no decision on a Data Protection Officer #GDPR

Half of 1,032 school leaders said they have not yet decided who would be their data protection officer, as required under the new data protection laws enforceable from May 2018.
That’s according to Schools Week out today, reporting findings from a survey carried out by The Key.

“According to Fergal Roche, chief executive of The Key, many schools are struggling with practical and legal issues surrounding the new role, especially at a time of financial pressures.”

We agree with Paul Whiteman, general secretary of school leaders’ union the NAHT,  who called for more support from government for schools struggling to meet the new requirements. It was our top recommendation last month from our own work on what schools are missing to be GDPR ready.
Schools have a few new obligations, and many are waking up to those they have not met for some time. We asked government and School Information Management System (SIMS) suppliers to start to support schools over a year ago. But many suppliers and schools do not offer any way for children to see all their data or know where it has left the SIMS, gone to which recipients, where it has been sent abroad, and cannot offer information, “in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child”.
Suppliers are going to let down children if they and the schools they serve, cannot fulfill their obligation to meet Subject Access requests. There’s no excuse. They’ve had over two years to prepare, after the legislation was finalised.
Whiteman suggests asking government for only the must-haves. “While data protection is nothing new to schools, and most should be prepared, the government could help schools more by highlighting the true must-haves for GDPR compliance, specific to schools,” he said. In doing so he risks failing to get to grips with what the new Regulation means for the sector. Data Protection isn’t a check list, to do by May 25, 2018 and then leave in a drawer gathering dust. Doing just the ”must-haves” won’t mean that a school’s data protection responsibilities for children, staff and parents’ rights can be set aside. There are no optional extras.

The must-haves are all anyone has, and what everyone must do.

If the Department for Education issues any guidance to strapped-for-resources schools, it will likely be the only guidance they will seek. If it is only about a school’s obligations, it is likely to leave school leaders with a false sense of security. Been there, done that. Meeting a “must-have” bare bones option is no option at all. Schools own practices are only part of the ecosystem.
Getting ready for GDPR and staying in a good place about data protection is about managing sustained practice that you may need to put in place compared with where you are today. It is these very schools who are the worst off, often having been without Local Authority or other data protection assistance for some time. It’s these schools that are likely to be those who have gone most off the rails of good policy and practice. And all too often, it’s because of their suppliers’ failings.
Getting the right DPO support matters. GDPR requires an understanding of privacy law, PECR, the laws pertaining to biometrics in schools, to statutory data retention periods, to parental access to education records that vary across schools, to privacy and human rights law and more.
We’ve already seen watered down recommendations on the qualifications that a Data Protection Officer need to have, as might be met by a vaguely “suitably qualified” volunteer. That’s no way to start to meet the real need for change that is required across the sector. A DPO has to be qualified enough to carry out a data protection impact assessment (Article 37(1)(c) and the record of processing activities (Article 30) and be independent of any conflict of interest.

One school told us, that they had bought advice, but not implemented changes due to cost and no one leading it.

If the Cambridge Analytica and Faceboook scandal this week has highlighted anything, it is that our children desperately need equipped with better data rights, and digital understanding. That starts in school. Government seems unwilling to give them either.
The government rejected a statutory Code of Practice for children’s data in education, proposed in the Committee stage in the Data Protection Bill this week.
We hope the government will change their mind, because GDPR is not only about what schools do, but their suppliers, about rights as well as responsibilities, and transparency and data protection-by-design across the whole intra-dependent ecosystem of data management. Schools are not getting the support their need from companies and product manufacturers. A sweep of apps and platforms this week, shows many wildly non-compliant, without privacy policies, and some claiming to be GDPR compliant when they are clearly not.
Schools will share responsiblity for their supplier actions too. How will a college using Facebook as a mandatory group sharing platform, ensure that they meet the Regulation?
With guidance propping up only schools, processing across the sector is likely to fall short of the standards required and let children down. Meeting a statutory code would give controllers and processors, schools and suppliers, a way to “demonstrate compliance with the legislation or approved certification mechanisms.” [GDPR Articles 24(3)]
Statutory support would help suppliers have clarity and consistency in the expected standards they must meet on profiling, automated decision-making, subject access data usage reporting, data minimisation and “appropriate technical and organisational measures” for data protection by design and default. Statutory guidance would help schools be more of an equal partner in supplier negotiations, and give them confidence how suppliers meet the law.
As part of our work for The State of Data 2018 we had also asked school IT staff about GDPR readiness. We ran a small and informal survey for IT professionals through Survey Monkey on the EduGeek forum. Staff from 35 schools replied to questions, “Are we ready for GDPR? A survey to complete only with reference to a state-funded educational organisation for any children age 2-19 in the UK. There’s more to being ready, than schools own responsibilities.

One of the replies that seems to have resonated in other discussions on what’s missing, was, supplier support. “Seriously,” one responded, “go chase Capita.”

What Can I do?

If you agree, that a Statutory Code of Practice would help support schools and suppliers to understand and meet their rights and responsibilities, and bring better understanding for staff, parents and pupils, you can write to your MP and tell them why. You might want to use our Briefing for some prompts. A Code would not mean new rights or powers, above and beyond the new law; but would offer clarity, consistency and confidence on rights and responsibilities of what that law requires — and a way for schools to show suppliers how to comply in ways that guidance materials and toolkits for schools cannot.It would also be a way to involve the wider sector and public in consultation on the Code once drafted by the Information Commissioner.
Write today, and call for a Statutory Code of Practice for Education in the Data Protection Bill.


More detailed survey views from 35 schools on GDPR readiness [snapshot of small sample of IT and Data Protection staff in 35 schools .pdf 939 kB] The word “school” in questions, refers to any organisation delivering education.