Data Protection: Training and Awareness

This is a summary taken from Judicium’s GDPR ‘Sofa Session’ from the 22nd of March, with our Data Protection Consultant Jessica Gant. This session focused on managing an internal training program, the key messages to share, and how to keep up to date on developments in the world of data protection.

How to Manage an Internal Training Program

It’s important to ensure that all employees receive appropriate data protection training and awareness, specifically looking at how the school or Trust manages their data protection.

But why do schools need data protection training if it isn’t mentioned much in UK GDPR?

The clearest example of UK GDPR mentioning training is within article 39, where it discusses the role of the data protection officer (DPO).

It states the DPO “to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits.”

Whilst this is one of the only times that training is mentioned in the UK GDPR, it directly links to the accountability principle.

Schools and Trusts need to be able to show how they are carrying out compliance and training to support this.

The Accountability Principle

It is regularly discussed within audits and instructs that you must put in place appropriate technical and organisational measures to meet the requirements of accountability.

Furthermore, the Information Commissioner’s Office (ICO) states, “The Accountability Principle requires you to take responsibility for what you do with personal data and how you comply with the other principles.”

The ICO also stipulate that you must have appropriate measures and records in place to be able to demonstrate your compliance.

7 key processes to meet the ICO’s expectations:

1. Incorporate national and sector-specific requirements.

2. Ensure your programme is comprehensive and includes training for all staff on key areas of data protection such as handling requests, data sharing, information security, personal data breaches and records management.

3. Consider the training needs of all staff and use this information to compile the training programme.

4. Assign responsibilities for managing information governance and data protection training across your organisation and you have training plans or strategies in place to meet training needs within agreed timescales.

5. Have dedicated and trained resources available to deliver training to all staff.

6. Regularly review your programme to ensure that it remains accurate and up to date.

7. Ensure senior management approve/sign-off your programme.

Anyone who processes personal data within your School or Trust must complete data protection training, i.e., anyone who handles or uses personal information including names, DOB, email addresses, medical information, photos.

This can be information relating to pupils, parents, other teachers, or even suppliers.

Therefore, it is likely that most of your employees will need data protection training. From the Headteacher to dinner ladies – they will all process personal data in some form or other.

Why do staff need data protection training?

• Training reduces the risk of breaches.
  • Most breaches we see in schools are caused by human error.
• Adequate training reduces the human error element.
  • Alternatively, the earlier a breach is reported, the better you can mitigate against it.
• It reduces the risk of damage to the reputation of the School or Trust due to poor data practices.
  • It is common for the press to report on data protection issues.
• It enables the school/Trust to demonstrate the accountability principle of GDPR.
• It reduces the risk of financial penalties – either individually to staff or to the school.
• As each staff member can be individually liable, it is in their best interest to have had training.

Polls

Recent Enforcement Action that References Training

The ICO acknowledged within their enforcement action justification (a fine) against a charity that there is no fixed requirement within the DPA as to the type of training an employee should undertake or when it should be provided. However, as part of the organisational measures, they would expect training to take place.

In a recent case the ICO mentioned after fining a different charity £25,000, one of the reasons they decided to go ahead with enforcement action was due to a lack of adequate training. This included a lack of face-to-face training on data protection, and the ongoing issue was not identified by anyone at the charity, which demonstrated the training implemented was inadequate and/or ineffective.

Thorough in-house training could have prevented the £25,000 fine.

Refresher Training

Unless the member of staff is actively working with compliance or data protection legislation, their knowledge will slowly start to fade.

You do not necessarily need to do the same courses repeatedly, but it is good practice to carry out staff training at least annually. Judicium recommends more thorough training takes place every two years, with refresher training taking place annually.

It also helps staff to be made aware of any changes to the law which may affect how they work and how they demonstrate their awareness.

The training must be relevant, accurate and up to date. NB: Training and awareness is key to actually putting into practice your policies, procedures and measures.

Records of Staff Training

As part of your School/Trust’s training, you should keep records. Keeping documentation of your training shows your compliance with the accountability principle of the UK GDPR.

When looking at ICO enforcement action notes, it’s evident a training programme can be a mitigating factor when deciding on the value of the financial penalty. Holding training records provides the credibility the training was completed.

Key Messages to Staff

Discussing data protection in briefings is essential!

Judicium recommends monthly briefings and whenever a data protection issue arises.

For example, if you have a data breach, speak to staff about it. It prevents similar breaches from occurring while raising attention about breaches. However, be mindful of not embarrassing any staff members, particularly if it is a confidential breach.

Touch upon privacy notices as they describe how and why you process data while keeping staff alert to data protection wording.

Staff should also be aware of your Data Protection policy, where it is and they should sign off on it annually to show they understand how the School or Trust processes personal data.

Staff should also be trained on how to handle a subject access request (SAR). Anyone can verbally or in writing request information to ANY member of staff. If a member of staff doesn’t know what a data request is or how to report it correctly, you can risk surpassing the one calendar month timeframe for response. 

Staff should also know who to approach internally regarding data protection. As well as a DPO, the School/Trust need an internal data protection contact who can implement the correct changes. This person will interact with the DPO to ensure they are updated with the legislation, any changes and ensure that the School/Trust are working within the law.

Keep Updated on Developments in the World of Data Protection

It is the DPO’s role to ensure you are aware of any updates. Often this is done with newsletters. Any big changes to the law that will affect your organisation should be discussed.

Training helps keep individuals aware of any developments. Your training provider should regularly update their data protection training modules in line with the law and any refresher training should be done with this in mind.

Our Top Tips

1. Complete a training programme annually within classrooms, or even at home if that is preferred. A good online training programme followed up with briefings really helps.
   • If you use Judicium’s eLearning modules there are 4 to do every other year. These are: Intro to GDPR and DP; What is a Breach; Intro to SAR and FOI requests; and Breach notification.
   • These can then be followed up with a refresher course annually.
2. All staff receive induction training when they join the School or Trust.
   • This should be regardless of how long they will be working within your school or their job status. If they have access to personal data, they need to have formal training.
   • These staff members should receive training within one month of starting.
3. Individuals in specialised roles such as SENCo, DSLs, etc should have more detailed training.
   • There are more in-depth courses these staff members should complete.

Helpful Information:  

Summary notes regarding CCTV –

https://www.judiciumeducation.co.uk/news/DPO-data-implications-of-cctv-usage

Judicium also offer a range of GDPR e-learning  training designed for schools. You can see current course availability here.

If you’d like to review Judicium’s forthcoming Sofa Sessions please click here

Follow us on Twitter: @DPOforSchools and @JudiciumEDU

© This content is the exclusive property of Judicium Education. The works are intended to provide an overview of the sofa session you attend and/or to be a learning aid to assist you and your school. However, any redistribution or reproduction of part or all of the contents in any form is prohibited. You may not, except with our express written permission, distribute or exploit the content. Failure to follow this guidance may result in Judicium either preventing you with access to our sessions and/or follow up content.