GDPR Do's and Don'ts with Craig Stillwell

Posted 12th November 2020

With the winter term drawing in, many schools are facing increasing challenges. To help in these unusual times, Judicium offers a range of free 'On the Sofa' Sessions. These online sessions are designed to foster collaboration and networking. They provide an informal setting where senior leaders from various education settings can connect, share practical strategies and have their questions answered.

This blog is based on Judicium's GDPR 'Sofa Session' from 21st of October 2020, with our resident expert Craig Stillwell LLB (Hons), LPC.


Data Retention

Schools tend to have good practice when it comes to physical data retention, with many regularly reviewing old HR files and sending pupil files to secondary or further education. However, the use and management of electronic data is still a problem area. We advise the following:
  • Firstly, ensure you have a retention policy and that staff know the key guidelines around it. It is important to tailor the guidelines to your organisation and build staff awareness around them.
  • Have a responsible person for data retention in your organisation. When someone is responsible, they will take the time needed to deal with data retention. Creating that element of responsibility will mean that it is addressed and looked at at regular intervals.
  • Thirdly, have clear deletion dates for electronic data. We must keep data for no longer than is necessary. Electronic data is stored in higher volume and more frequently, so strong retention rules are key. Use your IT provider and look at automated deletion options to help limit the staff time spent deleting emails etc.
  • Finally, we recommend that when people are deleting and restoring data, they should log what they have done and when. Keeping a record or log of this is good practice. The log does not need to contain each item destroyed; a summary of, say, ‘financial records 2018-2019’ is adequate.


School email addresses

We have seen a rise in poor data security surrounding governors' and trustees' private email addresses. With terms of office coming to a close, the school cannot determine whether any data has been stored locally, nor can it physically remove access to previously shared files, which makes retention policies hard to follow. By moving all governors and trustees to school email addresses, we are able to monitor and have more control over data shared outside of the organisation.


Training

There is a legal requirement that all organisations must put in place appropriate training with regard to data protection. This includes awareness and refresher training.
We should be making sure that staff across the board are properly trained in how to handle data. Senior staff, who deal with more data, should be trained more intensely. It is about putting the appropriate measures in place for the appropriate people. We suggest refresher training every 2 years, especially now that people are working from home more. It also helps with keeping awareness of data breaches high. Most data breaches are down to human error and can be prevented with awareness, which is why appropriate training is so important.


Security and home working

The legal position from a data protection perspective is that organisations must put in place appropriate security to prevent deliberate or accidental damage, loss or unauthorised access. When it comes to security, you want to think about both physical and electronic data. There is often very good practice in place for physical data: documents are stored in cupboards with keys and only appropriate staff members have access. However, when working from home you should keep a log of who signs documents in and out for good practice. It is useful to take stock of a few things:
  • Encrypted laptops are recommended but might not be practical and may be too expensive. As a compromise you can provide senior staff members with encrypted laptops, because they often deal with more sensitive data.
  • Are you happy with who has access to the files? Electronic data can also be restricted, with access given to specific members of staff, using platforms on the cloud such as Google Drive etc.
  • Do you have appropriate security on how people can access data from home? For example, two-factor authentication to access an internal drive or when using encrypted memory sticks.

Here at Judicium, we are seeing a rise in breaches across all areas within the school, especially with misdirected emails. With staff transitioning between school and home working, it is important to review policies, look at refresher training and begin discussions surrounding retention of data in general as we return after half term.


If you require any support with any of these steps, or would like to talk to someone about support for your school, please do not hesitate to call us on 0845 459 2130 or email tara.jones@judicium.com.
