At DPAS we have been closely following the ICO audits in schools and multi academy trusts to understand the key areas they are focusing on and the recommended actions they are giving. It’s clear that schools and multi academy trusts are now being targeted for audits – with 3 audits being published during March. We’ve detailed below the scope of the audits and key findings to help you ensure that you are ready for an audit if the ICO come knocking at the door!
THE GENERAL SCOPE OF THE ICO AUDITS IN SCHOOLS
GOVERNANCE AND ACCOUNTABILITY
The extent to which information governance accountability, policies and procedures, performance measurement controls, and reporting mechanisms to monitor data protection compliance to both the GDPR and national data protection legislation are in place and in operation throughout the organisation.
The design and operation of controls to ensure the sharing of personal data complies with the principles of all data protection legislation.
TRAINING AND AWARENESS
The provision and monitoring of staff data protection, records management and information security training and the awareness of data protection regulation requirements relating to their roles and responsibilities.
REQUESTS FOR PERSONAL DATA AND DATA PORTABILITY
There are appropriate procedures in operation for recognising and responding to individuals’ requests for access to or to transfer their personal data.
SOME AREAS OF IMPROVEMENTS ACROSS THE AUDITS
- The trust should document fully its risk management process, including how risks are escalated.
- A programme of regular internal data protection audits should be implemented. Routine compliance checks should be recorded and reported on.
- The trust should introduce annual, mandatory information governance training for all staff and report on this as a key performance indicator. Training should include how staff should recognise a subject access request.
- Specialist training for key staff in areas such as subject access requests, data sharing, and data protection impact assessments should be introduced.
- The trust should document fully its approach to data sharing and record the details of all data sharing and data sharing decisions centrally.
- A process for dealing with ad hoc disclosures should be formulated and embedded.
General Findings – There is a limited level of assurance that processes and procedures are in place and are delivering data protection compliance. The audits have identified considerable scope for improvement in existing arrangements to reduce the risk of non-compliance with data protection legislation. It was also noted that data sharing and data mapping (the record of processing activities) needed further attention. Another area of concern was the lack of DPIAs where personal data is at risk.