Staff GDPR Information

GUIDANCE FOR STAFF ON HOW TO PROTECT DATA

Below is some practical guidance on steps you can take to protect the data you currently hold or have access to. Following it protects you, the School and the Data Subjects.

1. Don’t store personal data on memory sticks (USB)

All staff have a School Google Drive account, which is GDPR compliant and lets you access information and data securely from any location. Use that account (not a personal one) rather than carrying data on a memory stick, which is far more likely to be lost and may not be encrypted at all.

2. If you use your own devices to access School data, they must be secure

If you use your own personal phone, tablet or computer to access your email or remote file access, for example, you must ensure that it has device encryption turned on and is protected by a password, PIN or biometric lock that engages automatically. The School email access policy only allows encrypted devices to access the webmail facility.

3. Ensure all requests for data are in writing

If you receive a request for personal data from the Police, Social Care, or another body that has a legitimate reason for requesting it, you must still ensure that the body puts the request in writing to the School and that you verify the identity of the requester. Do that verification using contact details you already hold or can confirm independently, not the phone number or email address given in the request itself. We need an audit trail.

4. Send personal data securely

If you are sending personal data by email to any address other than a fulneckschool.co.uk address, you must ensure that the data is encrypted or password protected and that the password is communicated by a different means of communication, e.g. telephone or text. Never send the password in the same email, or in a follow-up email to the same address: if the mailbox is compromised, both arrive together.

5. Lock your screen when you leave

Every time you leave your laptop or computer you MUST ensure that the screen is locked. Failure to do this could give students, or other people within the School who do not have the right to see this data, access to SIMS or to other sensitive information saved on the network.

6. Check, check and check again

If you are responsible for sending out communications that contain very sensitive data, e.g. exclusion or behaviour information, double check:

  • The name and address are correct;
  • That nothing has been accidentally attached to the letter/document;
  • That the name on the letter/document matches the address on the envelope;
  • For email, that the recipient address is correct and that multiple external recipients are not visible to each other.

7. Keep hard copies safe off site

If you need to take information off site as part of your job, for example taking it home to work on or taking it to a meeting elsewhere, never leave personal information unattended in your car. Data is vulnerable even in a locked car if the car is broken into. If you have to take data off site, reduce the impact of any loss by using initials or first names only rather than full names, and take only the records you actually need.

8. Safety on Social Media

If you are responsible for any social media site, ensure that any photographs of students have consent on record and that you use only first names in the post, never full names.

9. Report any loss of data

If you think data has been lost or stolen, report it immediately to your Principal or to the School’s Privacy Officer, privacy@fulneckschool.co.uk. Do this even if you are not sure a loss has occurred: the School may have as little as 72 hours from becoming aware of a breach to notify the Information Commissioner’s Office, so do not wait to confirm it first.

GDPR - FAQ

Does the GDPR really affect schools?

Yes, every organisation or business that handles personal data needs to review its data protection policies and bring them in line with the General Data Protection Regulation.

What is personal data?

Any information that can identify a natural person (‘the data subject’), directly or indirectly. This includes obvious identifiers such as a name, an email address or a location, but also online identifiers such as an IP address, website cookies and other device identifiers. An email from a parent containing their name, their email address and their child’s name clearly identifies both the child and the parent. Even a UPN or an MIS identifier on its own is personal data within a specific school, because it points to the child’s record and, in the case of the MIS identifier, to the parent/carer’s information as well.

What will the GDPR change in Fulneck's existing data protection processes?

If you have implemented processes in line with the existing Data Protection Act (DPA 1998), then you are well placed to meet the new requirements. The changes mainly clarify and strengthen existing obligations. One major change is accountability: it is no longer enough to say that you meet the requirements; you must be able to produce evidence that you do.

Who are data controllers, processors and sub-processors?

A data controller, in the context of schools, is the organisation that determines the purposes and means of processing personal data. Data processors provide services to the data controller and must follow the conditions laid down in the data controller’s instructions. The GDPR applies to both data controllers and processors. When data controllers collect data from the data subject, they must clearly tell them how the data will be used, and they must establish the legal basis for processing. A further category is sub-processors, or third-party data processors: these process data on behalf of a data processor and, although they have no direct relationship with the data controller, they remain fully accountable for the protection of the personal data they handle.

How can we benefit by complying with the GDPR?

Reviewing your data protection processes throughout the school will help to restore confidence and trust in both your internal procedures and those of your suppliers. A review of the Data Protection Act is long overdue: the previous Act became law in an era when many of today’s technologies were only just emerging. Ensuring that you protect an individual’s fundamental rights will give you confidence in your policies and data sharing agreements.

Why must special categories of personal data, known as sensitive data, be treated with extra care?

The GDPR classes certain kinds of sensitive personal data as Special Category Personal Data: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used to uniquely identify a person, health data, and data about a person’s sex life or sexual orientation. In a school this will typically include medical, SEN and safeguarding records.

Access to this data must be restricted to the people who are entitled to see or use it, and extra safeguards must be in place to make sure that restriction is actually enforced.