GDPR News for Schools

March 29, 2019

At DPAS we have been closely following the ICO audits in schools and multi academy trusts to understand the key areas they are focusing on and the recommended actions they are giving.

It's clear that schools and multi academy trusts are now being targeted for audits, with 3 audits being published during March.

We've detailed below the scope of the audits and key findings to help you ensure that you are ready for an audit if the ICO come knocking at the door!

THE GENERAL SCOPE OF THE ICO AUDITS IN SCHOOLS

GOVERNANCE AND ACCOUNTABILITY

The extent to which information governance accountability, policies and procedures, performance measurement controls, and reporting mechanisms to monitor data protection compliance to both the GDPR and national data protection legislation are in place and in operation throughout the organisation.

DATA SHARING

The design and operation of controls to ensure the sharing of personal data complies with the principles of all data protection legislation.

TRAINING AND AWARENESS

The provision and monitoring of staff data protection, records management and information security training and the awareness of data protection regulation requirements relating to their roles and responsibilities.

REQUESTS FOR PERSONAL DATA AND DATA PORTABILITY

There are appropriate procedures in operation for recognising and responding to individuals’ requests for access to or to transfer their personal data.

SOME AREAS FOR IMPROVEMENT ACROSS THE AUDITS

  • The trust should document fully its risk management process, including how risks are escalated.

  • A programme of regular internal data protection audits should be implemented. Routine compliance checks should be recorded and reported on.

  • The trust should introduce annual, mandatory information governance training for all staff and report on this as a key performance indicator. Training should include how staff should recognise a subject access request.

  • Specialist training for key staff in areas such as subject access requests, data sharing, and data protection impact assessments should be introduced.

  • The trust should document fully its approach to data sharing and record the details of all data sharing and data sharing decisions centrally.

  • A process for dealing with ad hoc disclosures should be formulated and embedded.

General Findings - There is a limited level of assurance that processes and procedures are in place and are delivering data protection compliance. The audit has identified considerable scope for improvement in existing arrangements to reduce the risk of non-compliance with data protection legislation.

It was also noted that data sharing and data mapping (record of processing activity) needed further attention. Another area of concern was the lack of DPIAs where personal data is at risk.

©2019 Data Privacy Advisory Service Ltd. ALL RIGHTS RESERVED


Please note all information on this website is for your help and guidance. It should not be regarded as an authoritative or definitive statement of the law.