At DPAS we have been closely following the ICO audits in schools and multi academy trusts to understand the key areas they are focusing on and the recommended actions they are giving. It’s clear that the ICO are targeting schools and multi academy trusts for audits: three audits were published during March. In this article on GDPR news for schools, we’ve detailed below the scope of the audits. We’ve also included the key findings, helping you ensure that you are ready for an audit if the ICO come knocking!
THE GENERAL SCOPE OF THE ICO AUDITS IN SCHOOLS
GOVERNANCE AND ACCOUNTABILITY
The extent to which information governance accountability, policies and procedures, performance measurement controls, and reporting mechanisms to monitor data protection compliance with both the GDPR and national data protection legislation are in place and in operation throughout the organisation.
The design and operation of controls to ensure the sharing of personal data complies with the principles of all data protection legislation.
TRAINING AND AWARENESS
The provision and monitoring of staff data protection, records management and information security training and the awareness of data protection regulation requirements relating to their roles and responsibilities.
REQUESTS FOR PERSONAL DATA AND DATA PORTABILITY
There are appropriate procedures in operation for recognising and responding to individuals’ requests for access to or to transfer their personal data.
SOME AREAS OF IMPROVEMENT ACROSS THE AUDITS
- The trust should possess full documentation on the risk management process, including risk escalation processes.
- Implementation of a programme of regular internal data protection audits. Reporting on routine compliance checks is essential.
- The trust should introduce annual, mandatory information governance training for all staff. It should be reported on as a key performance indicator. Training should include how staff should recognise a subject access request.
- Introduction of specialist training for key staff. This should include subject access requests, data sharing, and data protection impact assessments.
- The trust should document fully its approach to data sharing. It should record the details of all data sharing and data sharing decisions centrally.
- Create processes for dealing with ad hoc disclosures.
There is a limited level of assurance that processes and procedures are in place and are delivering data protection compliance. The audits have identified considerable scope for improvement in existing arrangements to reduce the risk of non-compliance with data protection legislation. It was also noted that data sharing and data mapping (the record of processing activities) require further attention. Another area of concern was the lack of DPIAs where personal data is at risk.