GDPR Do's and Don'ts with Craig Stillwell

Posted 12th November 2020

With winter term drawing in, many schools are facing increasing challenges. To help in these unusual times, Judicium offers a range of free 'On the Sofa' Sessions. These online sessions are designed to foster collaboration and networking. They offer an informal setting where senior leaders from various education settings can connect, share practical strategies and have their questions answered.

This blog is based on Judicium's GDPR 'Sofa Session' from the 21st of October 2020, with our resident expert Craig Stillwell LLB (Hons), LPC.


Data Retention

Schools tend to have good practice when it comes to physical data retention, with many regularly reviewing old HR files and sending pupil files to secondary or further education. However, the use and management of electronic data is still a problem area. We advise the following:
  • Firstly, ensure you have a retention policy and that staff know the key guidelines around it. It is important to make sure that you tailor the guidelines to your organisation, and build staff awareness around them.
  • Have a responsible person for data retention in your organisation. When someone is responsible, they will take the time needed to deal with data retention. Creating that element of responsibility will mean that it is addressed and looked at at regular intervals.
  • Thirdly, have clear deletion dates for electronic data. We must keep data for no longer than is necessary. Electronic data is stored in higher volume and more frequently, so strong retention rules are key. Use your IT provider and look at automated deletion options to help limit the staff time spent deleting emails etc.
  • Finally, we recommend that when people are deleting and restoring data, they should log what they have done and when. Keeping a record or log of this is good practice. The log does not need to contain each item destroyed; a summary of, say, ‘financial records 2018-2019’ is adequate.


School email addresses

We have seen a rise in poor data security surrounding governors' and trustees' private email addresses. With terms of office coming to a close, the school cannot determine whether any data has been stored locally, nor is it able to physically remove access to previously shared files, making retention policies hard to follow. By moving all governors and trustees to school email addresses, we are able to monitor and have more control over data shared outside of the organisation.


Training

There is a legal requirement that all organisations must put in place appropriate training with regard to data protection. This includes awareness and refresher training.
We should be making sure that staff across the board are properly trained in how to handle data. Senior staff, who deal with more data, should be trained more intensely. It is about putting the appropriate measures in place for the appropriate people. We suggest refresher training every 2 years, especially now that people are working from home more. It also helps with keeping awareness of data breaches high. Most data breaches are down to human error and can be prevented with awareness, which is why appropriate training is so important.


Security and home working

The legal position from a data protection perspective is that organisations must put in place appropriate security to protect against deliberate or accidental damage, loss or unauthorised access. When it comes to security, you want to think about both physical and electronic data. There is often very good practice in place for physical data: documents are stored in cupboards with keys and only appropriate staff members have access. However, when working from home you should keep a log of who signs documents in and out for good practice. It is useful to take stock of a few things:
  • Encrypted laptops are recommended but might not be practical and may be too expensive. As a compromise, you can provide senior staff members with encrypted laptops, because they often deal with more sensitive data.
  • Are you happy with who has access to the files? Electronic data can also be restricted, with access given to specific members of staff, using cloud platforms such as Google Drive etc.
  • Do you have appropriate security on how people can access data from home? For example, two-factor authentication to access an internal drive or when using encrypted memory sticks.

Here at Judicium, we are seeing a rise in breaches across all areas within the school, especially with misdirected emails. With staff transitioning between school and home working, it is important to review policies, look at refresher training and begin discussions surrounding retention of data in general as we return after half term.


If you require any support with any of these steps, or would like to talk to someone about support for your school, please do not hesitate to call us on 0845 459 2130 or email tara.jones@judicium.com.
