Department for Education data protection compliance toolkit: The toolkit and school governance arrangements
9th May, 2018
Ward Hadaway's Information Law team is supporting the schools and academies sector as it gets to grips with the DfE toolkit. We are taking a look at what more you will need to prioritise in order to place your organisation in a compliant state.
In this third briefing, we focus on how the school leadership team should engage with its Board over the impact the new legislation will have on its organisation. Here we use the term ‘Board’ to refer to the Board of Trustees or for a maintained school, its governing body.
Here are some hints as to how to achieve the best possible level of Board engagement.
An important statement will be found at Step 1 “Raising awareness” in the toolkit. Users should be looking to achieve, as an awareness-related outcome, that the Board is aware of “the key issues arising for the schools from the legislative changes and understand how to effectively monitor and review compliance with the data protection regulations”.
The effectiveness of this engagement is vital for various reasons. The Board must be clear not just about the impact of the legislation on the organisation it oversees, but must also appreciate the legal duties that form part of its directors’ responsibilities. It must also be mindful of any weaknesses inherent in the organisation that require attention as part of a compliance programme, with financial and other resources needing to be committed to this end.
With this in mind, here are some top tips as to how to plan for engagement with the Board.
If you have local governing bodies within your governance structure, make sure of their involvement and commitment
Whilst it will always be the Board that carries the can if something goes wrong in data protection compliance, local governing bodies have an important role as the eyes and ears of the individual school – knowledge at that level of processes and procedures already in place will be valuable. Provide for regular reporting from School level through the data protection officer to the Trust Board.
Ensure that the Data Protection Officer has direct access to the Board
Your data protection officer is entitled to have direct access to the Board – this is based upon a concern legislators had about conflicts of interest within the school leadership team if reporting were to be through, say, the Chief Executive Officer.
In the toolkit, the choice of language adopted over this issue is one of being sure that the relationship with the school leadership team is “somewhat distant”. This is not the way we would express the relationship and it is hoped that in the final version of the toolkit there will be rephrasing of the issue.
We would expect the data protection officer to be working very effectively with the leadership team. Advance knowledge of plans (such as to invest in new software or to bring further schools into the Trust) will be vital for the data protection officer to play his or her part effectively e.g. through overseeing Privacy Impact Assessments.
Develop a routine reporting regime based upon analysis of the organisation’s data protection compliance and of the issues and risks that require to be addressed
Developing a template for regular reporting to the Board should be an early priority. That report should take account of routine assurances that the Board should expect to see – e.g. no notified breaches in the period reported on, all staff training required in the period has been completed. The report should also include updates on projects that are focused on improving compliance within the Trust e.g. investment in technology. If privacy impact assessments are being undertaken these should be reported on with the Board being clear as to the outcome of the assessment and any implications arising.
There is absolutely no reason why drafts of regular reports should not be shared within the organisation’s leadership team for comment, given that in the vast majority of cases the matters being commented on will be matters that the leadership team already know about or ought to know about.
Ensure that the Board gains early familiarity with the investment-related implications of the organisation’s compliance plans – it is highly unlikely that Schools and Academy Trusts can achieve the best possible level of compliance with GDPR without an allocation of financial resources.
The data protection officer is entitled to be appropriately resourced to perform the role he or she has assumed. We suggest that, as financial planning moves ahead for the next annual budget, careful consideration should be given to this aspect. This is not an easy issue given the financial constraints faced generally, but the duties of your Board extend not just to ensuring that there is a data protection officer. There must be a demonstration that the officer is in a position to perform the role effectively. Paying for training and online resource materials for the officer will be a good demonstration of support. The recommendations of the data protection officer for other investment, e.g. subscriptions to staff-wide online training modules and the allocation of funding from the technology budget for projects that address data security weaknesses, should all be taken seriously.
If you are giving consideration to outsourcing the data protection officer role, ensure that the Board has carried out a thorough analysis of the issues and risks that could arise from this approach.
For smaller organisations, the need to appoint a data protection officer can be seen as somewhat frustrating, given also the imperative that the individual undertaking the role is not at risk of conflict with other duties to the school.
With this in mind, the EU has created within the regulation an option to outsource the role of the data protection officer. Many schools are known to be considering this possibility. For the present, there are no pre-determined criteria that will help you understand whether a particular person or organisation carries sufficient level of experience, understanding and competence to perform the role. We believe that there is a need for DfE to say more on this particular aspect – an obvious approach would be for an advisory framework to be established with outsourcing experts vetted against a range of criteria that would demonstrate their competence to perform the role specifically in the education sector.
We hope that these ideas will help you as you take forward GDPR preparation. Our next briefing will address the challenge of ensuring that your organisation is well placed to secure staff buy-in to the implications of the more rigorous data protection regime that lies ahead.
If you have urgent questions at this stage, please contact Frank Suttie.
Please note that this briefing is designed to be informative, not advisory and represents our understanding of English law and practice as at the date indicated. We would always recommend that you should seek specific guidance on any particular legal issue.