It’s easy to approach the EU’s GDPR (General Data Protection Regulation) as a box-ticking exercise. Appointing a DPO (data protection officer), updating policies and procedures, training staff, mapping data and reviewing suppliers are all necessities for schools, but does just ticking them off go far enough to protect the vast amounts of personal data in your care? Human error is the main cause of data breaches, so understanding your school’s data handling culture and targeting areas for change will help reduce the risk.
The Regulation requires organisations to record all data breaches and report serious breaches to the ICO (Information Commissioner’s Office). Reporting must happen within 72 hours of becoming aware of the breach and, in some cases, all affected data subjects must be informed. There are no exceptions. Hitting the headlines for a data breach is not something any school wants.
A starting point in understanding the data handling culture is to see what is happening through a data protection walk. We’ve compiled a checklist to take with you as you walk around your school.
Start with the outside of your school and walk through reception as if you are a visitor. What information is available? Can you overhear conversations or view the receptionist’s computer screen? Has consent been obtained for the photographs on display? Is the staff room open access? What’s left lying about in there? Are staff pigeonholes open? Can you pick up other people’s work from the printer or out of the recycling bin? Do staff secure their devices and passwords? Are staff and pupils following the school’s BYOD (bring-your-own-device) policy? And continue around the school.
Completing the form will help identify and prioritise areas for change, where staff need support and which school processes need developing.