Schools and other educational institutions have to gather and process significant amounts of personal data relating to their students, parents, governors, visitors and staff. Under the Data Protection Act and the UK General Data Protection Regulation (UK GDPR), schools are required to appoint a Data Protection Officer (DPO) and comply with data protection law. This covers the way data is collected, handled, stored, shared, used and disposed of.
For staff and educators to fully understand the extent of the role they have in data protection, as well as how to act in a way that is both ethical and legally compliant, they require training on data protection protocols.
Understanding Data Protection Protocols
If you work in a school, you will have access to a significant amount of student data which will contain personal and sometimes sensitive information. This may include:
- Names, ages and addresses
- Details on attendance
- Academic and behavioural records
- Medical records
- Safeguarding information
- Biometrics
- Photographs/images
You will also hold data on employees, parents and other key stakeholders.
It is vital that anyone with such responsibilities is trained in how to behave in an ethical and compliant way. This requires careful and thorough staff training in line with current legislation, best practice and ethical guidelines.
According to the Education Authority (EA), to ensure compliance with the UK GDPR, training should be completed by:
- All school staff (both teaching and non-teaching)
- Volunteers
- The board of governors
Schools have to comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA). As well as complying, they have to be able to demonstrate they are compliant by using the correct procedures and keeping accurate records. This can only be achieved if staff are competent and have the correct training, tools and resources to adhere to these requirements.
Data protection protocol in schools – the basics:
- Each school must have a data protection policy. You can find sample templates online
- According to the UK DPA 2018, schools need an appropriate policy (for Special Categories of Personal Data and Criminal Offence Data) to comply with the principles in Article 5 of the UK GDPR
- If you collect personal information (in writing or electronically) you must include a Data Protection Statement
Each school is required to have the following three Privacy Notices:
- Privacy Notice – Pupils and Parents/Families/Carers/Legal Guardians
- Privacy Notice – Teaching Staff
- Privacy Notice – Non-Teaching Staff
The Privacy Notice for Pupils and Parents/Families/Carers/Legal Guardians is standard across all schools. The other two will be specific to your school type.
Essential data must be collected, stored, processed and destroyed in line with legislation and guidance. It must also be adequately protected from cyberattacks.
Key principles of the GDPR in schools include:
Lawfulness, fairness and transparency
- Data must be obtained in a lawful way that complies with all GDPR guidelines
- Fairness means that schools have to fulfil the terms of their privacy statement and that data will only be used as described
- Your privacy notice must have transparent terms that inform individuals why and how their data is collected and for how long it is stored
Purpose limitation
- UK GDPR legislation states that personal data should only be collected for specified, explicit and legitimate purposes
- Individuals should be informed about the purposes of your school collecting their data
Data minimisation
- Processing of personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which the data is processed
- Data should only be stored for the minimum time necessary
- Schools should only process personal data where the purpose cannot reasonably be achieved another way
Accuracy
- All data should be accurate and kept up to date. Records should be carefully checked and updated as necessary
- Outdated information and personal data should be deleted once it is no longer relevant or necessary to keep, for example once a student moves on to secondary school
Storage limitations
- Schools should only keep personal data ‘in a form which permits identification of data subjects for as long as is necessary’
- Time limits should be established for data to be either erased or reviewed to check that storing it is still necessary
Integrity and confidentiality
- Data must be processed within schools in a way that ensures security, integrity and confidentiality
- Safeguards need to be in place to prevent unauthorised access and/or use and accidental loss, damage or destruction of data
Accountability
- Schools must take responsibility for their compliance with GDPR rules and be able to demonstrate this through good record-keeping and documentation
- To do so, everyone responsible for data collection and processing in schools must have a thorough understanding of all of the above principles of data protection
To ensure processes are lawful, accurate and confidential and that schools remain accountable for their responsibilities around data protection, effective training programmes need to be put in place. These programmes should be attended by all and learning outcomes measured to ensure everyone understands their role and responsibilities.
Components of Effective Training Programmes
When staff are well trained, they are less likely to make mistakes. Good training can also improve engagement and staff retention and create a culture of accountability.
Training may consist of:
- Training as part of the induction process
- Regular training
- Refresher training
- Specialist training (e.g. when the rules change or new legislation is introduced)
All staff and educators have a role to play in data protection; however, some roles will be more involved than others. Institutions should consider offering basic training to everyone and additional, more in-depth training to others, tailored to their specific role.
Training programmes should cover:
- Relevant legislation, such as the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act (DPA), and what it means in practice
- Key terms used in data protection and their definitions (such as consent, personal information, processing, special category data)
- What a data protection policy is
- The lawful grounds for processing data
- Obtaining consent from data subjects
- Data subject rights (such as the right of access or the right to have your data erased)
- What a school Data Protection Officer is (and who theirs is)
- The responsibilities of the school and the DPO
- Basic cyber security, how to keep data safe and how to report a security breach
- Potential consequences of non-compliance
Legislation can change and be updated at any time. It is vital that training reflects current rules and guidance.
Staff training should also cover:
- Understanding risks around cyber security (not clicking suspicious links or opening attachments from unknown senders)
- Updating firewall and anti-virus systems when prompted
- Performing regular computer scans
- What to do in the event of a data breach or cyber attack
- Using encrypted documents when storing or sharing personal data
It is important that training covers regulatory requirements, for example reporting data breaches to the Information Commissioner’s Office (ICO) within 72 hours, as well as prevention and upholding best practice. Data protection training can sometimes focus too heavily on legislation and regulation, leaving staff confused about how to implement strategies effectively in practice, or how the regulations affect their day-to-day role. This leaves them open to taking risks and making mistakes.
Implementation Strategies
For training to be as effective as possible it needs to be comprehensive, accessible, relevant and engaging:
- Plan the dates and frequency of training to ensure maximum attendance
- Make data protection training mandatory
- Involve a range of stakeholders in training (such as school leaders, IT staff and legal advisors)
Training for educators and staff should be developed by people who are competent and have a full understanding of data protection, as well as some experience in course development such as:
- Creating interesting and engaging content
- Presenting information using different mediums (video, writing, audio clips, graphs, etc.)
- Focusing on clear, easy-to-understand explanations, as data protection and the GDPR are full of jargon and can be tricky to comprehend
- How to measure learning outcomes against the materials presented
- Using case studies and real-life examples of the consequences of poor data handling and protection within the education sector
Good ICT skills are fundamental to being able to adhere to basic data protection principles. Without these skills, employees are likely to make errors, become disorganised and be overwhelmed by their tasks. If staff have gaps in their ICT skills, ensure these are addressed and that training and support is given.
Monitoring and Evaluation
Schools and educational institutions should regularly monitor and review their training in data protection to:
- Measure its efficacy
- Evaluate whether it is fit for purpose or not
- Expose any gaps or errors
- Assess whether it needs updating
- Check compliance with current law and legislation
To assess and improve the effectiveness of training, you could:
- Check everyone’s understanding of key terms and definitions in data protection before, during and after training
- Test staff on questions relating to what they have just learned
- Ask for feedback about the training and ask attendees to suggest improvements
- Make training collaborative, encouraging staff to ask questions and support one another, which also shows how competent and engaged they are in the process
- Act on feedback to refine and improve future training modules
Case Study
Ridgeway Academy Primary School opened in the 1930s and currently has 450 pupils. After the deputy head was appointed as Academy Data Protection Officer, they decided to look for training solutions.
The school was facing multiple challenges, including:
- The new DPO had no formal training in data protection
- No one in the school was able to provide sufficient support to the DPO
To try to overcome these challenges:
- The Academy Trust announced each school would have a Data Protection Representative
- They would be engaging with an outsourced Data Protection Solution
- The newly appointed DPO began researching online and did some training
Solutions:
- The DPO decided to employ the service of an expert company
- Through various phone calls they discussed current practices within the school and were able to validate the DPO’s training
- They acted on the third-party company’s suggestions and simplified and streamlined their processes to make it easier for all staff at the school
- The school continued to engage with expert services on an ad hoc basis, even once they had everything in place
- After a minor data breach, the school was able to get expert advice from consultants at the company on how to proceed
Changes made as a result:
- All staff now use the online GDPR training provided by the third-party data protection experts
- Training has been implemented for everyone (teaching and non-teaching)
- Data protection training is now a standard part of training for new starters
- Refresher training is also conducted
- The school now has robust processes and procedures in place and has implemented a new assessment system
- The DPO now feels confident that they can advise others and answer questions about the sharing of information and that if they cannot, expert support is only a phone call away
In this example, staff training in data protection within the school was lacking and the newly appointed DPO was left to their own devices in terms of finding training resources. As a result, a decision was made to engage the services of experts for additional support and to check compliance.
Although engaging the services of experts has its advantages, staff on the frontline should always be empowered with the correct training and resources and should only be relying on consultants for complementary support.
Resources and Tools
It is important to select the correct resources and tools in order to deliver engaging, interesting and effective training programmes.
Methods of training include:
- Online courses
- In-person learning from an instructor
- Books and online resources
- Using simulations or role play to train staff in scenarios that are likely to come up
A sample template of a Schools Data Protection Policy by the Education Authority can be found here. It sets out key GDPR principles and ways in which the school will comply.
The policy should be read and understood, and the template will need to be updated with the information highlighted in green to make it specific to the school in question. It will also require the name of the school, its logo and the names of the people responsible for handling questions about the policy.
The policy lists key information such as:
- GDPR regulations around processing, sharing, accessing and disposing of data
- Data Breach Management Procedure
- Subject Access Request Procedure
- Department of Education Document Disposal Schedule
You should also design checklists for training sessions. These should record the name of the person who received the training, the date it was completed and when their next training is due. They can be stored electronically, as physical records, or both.
Useful sources of information on data protection and cyber security within schools include:
- Videos produced by the Education Authority’s Information Governance team, including Module 1, “The GDPR in Schools” (35 minutes), and Module 2, “Data Security & Personal Data Breaches” (35 minutes)
- ICO Media Pack which includes posters and leaflets that can be printed out and displayed around the school offices to remind everyone of the importance of handling personal information carefully
- Data Protection Guide for School Governors
- Free cyber security training from the National Cyber Security Centre (NCSC)
Links to watching or downloading all of the above resources can be found here.
Conclusion
Schools and other educational establishments should assess their current data protection programmes to ensure they are up to date and effective. This allows for a safe, compliant and professional educational environment, where personal data is handled carefully and in line with regulations and guidelines.
Staff who have the correct knowledge and expertise in data protection will be able to safeguard student information, answer questions in a competent way and enhance overall school security.