'Refresh Yourself' - Judicium in 'The Voice' by ISBL

Posted 18th May 2021

Whilst remote working has highlighted a potential for future flexibility for staff work routines, it has also shown the challenge in ensuring schools remain GDPR compliant. Russell Dalton, Director of Operations at The Rivers C of E Academy Trust in Worcester, and Craig Stilwell, Head of Data Services at Judicium Education, discuss the importance of data protection in an uncertain world.

Like so many school business professionals (SBPs), Russell has dealt with the issues of staff and pupils working both in school and remotely during the pandemic. Technology has made teaching and ‘face-to-face contact’ far easier than it would have been even a few years ago, with systems such as Microsoft Teams, Google Classroom and Zoom enabling staff and pupils to continue the daily timetable and work. However, while this continuity has been very positive, in the back of many educational leaders’ minds has been the issue of data protection – not only with regard to keeping pupils safe while working online, but also keeping personal records, documentation and information safe when a lot of it has been taken off site or accessed remotely.

Legal requirements

Whatever the circumstances, the data protection law requires organisations to ensure personal data remains protected when it is being handled away from the organisation or on personal devices. Every school should have a data protection policy, preferably managed by a designated data protection officer, that covers data retention, data breaches, and data security/e-security, and every member of staff should be aware of, and reminded regularly about, these policies, as Craig explains. “The legal requirement on organisations is that staff receive appropriate data protection training relevant to their role. SBPs not only come into contact with a wide array of data but are also likely to have responsibilities for how that data is handled and shared within the school and externally, so they require in-depth training including being briefed about handling personal data. The Information Commissioner’s Office suggests that training is regularly refreshed, preferably annually if circumstances permit, but every two years as a minimum.”

Remote working

When the majority of staff and pupils moved to remote working, all should have been reminded about the importance of data protection, as Russell explains. “At the start of the pandemic, all our staff signed to acknowledge they understood the acceptable use of IT and data protection policies, and reminders about these were issued regularly over the year. Parental consent was also sought for pupils to access the Seesaw learning platform, with teacher and pupil interactions on this platform managed to ensure everyone was protected.

“The teachers were also only able to use websites during lessons that had been checked for privacy policy statements and data usage, ensuring both pupils and staff were safe. If staff wished to use a website that wasn’t on our ‘safe list’, they had to discuss this with the data protection officer, who checked out the credentials before permission was given.”

It hasn’t just been online learning that has been a cause for data protection concern, however: far more personal data has been physically taken off site than in a normal school year, and staff have accessed school records and information remotely from their homes. “It has therefore been important to ensure all equipment used offsite was security protected,” continues Russell. “All our systems are password-protected, and security protocols restrict access to data that isn’t required. Furthermore, access to our management information system was limited to on-site only to reduce any potential risk.”

Future protection

Now that schools have fully reopened, it is important devices and systems are reviewed to ensure there aren’t any weaknesses. “Review your data protection practices, using regular data audits or data protection impact assessments,” says Craig, “tightening them up if need be. Also check the levels of authorised access for physical files in terms of who can sign them out and how this is managed so you always know where documents are. You should also review your guidance and awareness around working practices in schools and at home to ensure that:

  • staff know to blind-copy parents/students on group communications so that personal email addresses are not given out to others
  • staff do not share their devices if working at home and ensure they are password-protected and have up-to-date security software
  • staff lock their computer screens when they are away from their desk
  • devices or paperwork are kept in a secure place so they can’t be stolen
  • data is removed from any personal devices when it is no longer needed
  • USB storage devices are not used because they are easy to lose/misplace
  • data protection procedures are regularly communicated to pupils to ensure they understand how to keep their devices safe, and data breaches are reported as instructed by your data protection lead. There are 72 hours in which to report a serious data breach to the ICO.

If dealing with GDPR seems daunting, especially in the current climate when working circumstances can change so quickly, there is plenty of online training available that focuses on areas such as breach notifications, data protection impact assessments, social media, CCTV, and photos and consent. Such training can act as a great refresher and help with daily workloads.

"Now that schools have fully reopened, it is important devices and systems are reviewed to ensure there haven’t been any breaches."