DPO: How to Create a Data Protection Culture

Posted 16th March 2022

This is a summary of Judicium’s DPO ‘Sofa Session’ from the 16th of March, with Data Services expert Claire Lockyer LLB (Hons), LPC. The session covered three things: what we mean by a privacy by design approach, why policies and procedures matter, and practical tips for school staff.

What do we mean by data protection culture in schools? 

A data protection culture is what you have when staff are no longer carrying out tasks purely to satisfy the regulator.

Creating that culture means stepping away from ticking boxes against the legal requirements and focusing instead on building everyday habits of privacy.

Keeping this awareness bubbling away in the background, at a low level, gives school staff the knowledge to recognise when a question needs asking and who to ask.

Privacy laws are not written by people who know the education sector, so it is understandable that school staff sometimes struggle to see the point behind particular data protection measures.

So, our shared goal is to build an understanding amongst all staff of how personal data can and should be used to support schools’ daily activities.

Who is accountable?

The big shift since GDPR is accountability. It is no longer enough to say you comply; you must also be able to show it and provide evidence of that compliance.

In our experience, schools are actually very good at keeping data safe. Don’t forget that data protection law (in the form of the Data Protection Act 1998) was around long before GDPR.

Data protection by design means considering data protection and privacy issues up front in everything your school does. It helps ensure that your school complies with the UK GDPR’s fundamental principles and requirements, and it is one of the main ways you demonstrate accountability.

What does privacy by design mean?

Data Protection by Design 

Article 25 of the UK GDPR places responsibility for data protection by design and by default on the data controller, which for a school’s own records is the school. But what does that really mean in practice?

Data protection by design means adopting an organisation-wide approach in which privacy considerations are built into every processing activity you undertake. It is not only about looking at privacy when you design or buy a new system, but about making sure privacy protection keeps working in all of your day-to-day activities.

For example, think of SIMS (the school management information system) and all the workarounds schools put in place to get what they need out of it. Now imagine how much better it would be if it simply did what you needed, right from the start.

Data protection should be built into a system by design. If you build in data security from the very start, it is far easier than plugging gaps later.

Circumstances vary, but some examples of how schools can do this include:

  • The role of senior management, e.g. developing a culture of ‘privacy awareness’ and making sure policies and procedures are developed with data protection in mind

  • When a school buys into a new system, taking account of data protection requirements before signing up. NB: involve your DPO, whose job includes advising on this; the school, as controller, remains accountable for the decision.

But what if things go wrong?

If something goes wrong and the ICO becomes involved, it will take into account the technical and organisational measures you had in place in respect of data protection by design.

Under the Data Protection Act 2018 (DPA 2018), the ICO can issue an Enforcement Notice against you for failings in respect of Article 25, as well as a monetary penalty.

At the end of February, a London firm of solicitors was fined £98,000 by the ICO for the following failings:

  • They suffered an avoidable ransomware attack: a security patch for their systems was not applied until about six months after it was released.

  • Multi-factor authentication was not used where it could have been, despite advice from the Solicitors Regulation Authority (SRA) and the National Cyber Security Centre (NCSC) to do so.

  • They did not follow their own policy on applying updates promptly.

  • Sensitive files were stored unencrypted.

  • Sensitive files were sometimes retained for longer than necessary.

In short, the fine was not for suffering an attack. It was for failing to put in place appropriate technical and organisational measures, a failing which the attack exposed.

This was the first UK GDPR penalty of 2022 under the new Information Commissioner. There have been other fines this year, but those were issued under the Privacy and Electronic Communications Regulations (PECR), which cover electronic marketing and nuisance calls, not the UK GDPR. It is worth thinking about which of these measures are in place at your school, and how you would evidence them.

What measures can schools put in place?

1. Start at the top 

Any organisational culture starts at the top, so the SLT should be looking to create a shared vision. Just as staff model best teaching practice, if the SLT model good data protection behaviour it will filter down. Start by building support among a few key individuals. Then start small: gentle reminders in staff meetings, a high-level overview of past issues shared with all staff, and, above all, conversations that are open and mistakes that are not punished.

2. Think about different roles within school

Each role in school plays a different part. For each role, think about where data protection touches its daily duties and what level of awareness you want that person to have. For example, does your TA know how to recognise a subject access request? Does your safeguarding team pause before sending sensitive data? Do your office staff know how to handle a CCTV footage request from a police officer?

3. Create privacy champions

Make sure everyone in school knows who the champions are. They can be members of the SLT, but the role also works well when given to less senior staff (or to those most affected by how data is used). For larger settings, consider a champion per department.

4. Talk about it

Find opportunities to talk about data privacy. Did someone in your organisation spot and report a phishing attempt? Use that as an opportunity to applaud the employee and to underline the importance of the data your organisation holds.

Think about Safer Internet Day, or celebrate Data Privacy Day. Consider organising a data clean-up day each year (we recommend July) to encourage staff to go through their files and delete information they no longer need. The more touch points, no matter how small, the better.

5. Include it in your employee handbook and on-boarding training

Culture is made up of the things each person does every day. Show employees from day one that privacy is a core value by including it in your employee handbook and onboarding. Remember to talk about the privacy of the information you hold about them, too.

6. “GDPR says no…”

We cannot count how many times we see emails saying “GDPR says no”. In reality, GDPR very rarely says no. Don’t let this message spread, because it makes people want to avoid or ignore data protection altogether. Despite its reputation, there is a lot of good in data protection.

Considering privacy does not usually mean saying no, and it is important that all staff know the DPO and the school are working with them to achieve their objectives in ways that fit the school’s culture of privacy.

7. DPIAs and feeding info upwards

Understand your organisational chart and how your processes flow. If a member of staff is bringing in a new system, do they know who needs to be made aware? Is a data protection impact assessment (DPIA) needed, and who decides?

8. Be aware of third parties

Schools may not be able to impose their data protection culture on suppliers, but they do have a responsibility to make sure each supplier looks after the data properly. Again, this links to the need for DPIAs and for written data sharing or processing agreements with third parties (the UK GDPR requires a contract with any processor acting on your behalf). Do all staff know who to ask and where to go when a new supplier is involved?

9. Think about reporting

Is your data breach log completely empty? If so, ask yourself why. Is it because no member of staff has ever caused a data breach, however small? Or is it because reporting is frowned upon and staff do not own up to errors?

Most importantly, not every measure will suit every school. There is so much variety between schools that this is something your DPO can help tailor to your setting.

What are some common errors DPOs see? 

One of the biggest mistakes is focusing on tactics alone rather than on the blend of tactics and strategy.

Think less about implementing rules and processes and more about training, coaching, teaching and enabling.

Data protection is not about simply fulfilling regulatory requirements, but rather about engaging and consulting with staff. Schools should be looking for honesty, openness and transparency.

The same as schools do for children, encourage asking questions, share mistakes and learn from them.

A data protection culture recognises mistakes happen. Breaches will occur and that is ok – as long as all the other measures are in place.

Your DPO can help your school evidence the measures you take. Without that evidence, your school is left exposed to enforcement action and fines.

Remember that the £98,000 fine the solicitors received was not for the incident itself. It was for not having in place the measures that could have prevented the cyber attack.

In a school with a genuine data protection culture, staff who feel confident discussing data safety will spot issues before they escalate.

Key points to take away:

  1. Data protection is not just having the right policies in place, it is about the strategies to use them throughout your school.

  2. A successful culture starts from the top!

  3. Share mistakes and talk openly because mistakes will happen. Ensure they are human error and not preventable systemic issues.

  4. Keep building on and reviewing awareness. GDPR is not scary: use your DPO, and make sure data protection supports what you do rather than being the reason you say no.

Helpful Information:

UK GDPR - https://uk-gdpr.org/

Data Protection Act 2018 - https://www.legislation.gov.uk/ukpga/2018/12/contents/enacted

ICO - https://ico.org.uk/

Judicium also offer a range of GDPR e-learning designed for schools. You can see current course availability here.