Our GDPR Strategy
What is GDPR?
In the UK, GDPR will replace the Data Protection Act 1998, which was brought into law as a way to implement the 1995 EU Data Protection Directive. GDPR seeks to give people more control over how organisations use their data, and introduces hefty penalties for organisations that fail to comply with the rules. It also ensures that data protection law is almost identical across the EU.
At the moment, the Data Protection Act 1998 (“DPA 1998”) applies to the way schools and trusts handle personal data. Most schools and trusts will be familiar with the general requirements of the DPA 1998, for example, the circumstances when they can disclose personal data and what to do if a person submits a subject access request.
From May 2018, the DPA 1998 will be replaced by the General Data Protection Regulation which is often referred to as the “GDPR”. Although many of the principles remain the same as the DPA 1998, there are some important changes which affect the way we process data.
In general terms, the GDPR places more emphasis on transparency, accountability and record keeping.
Therefore, the Trust and its academies are reviewing the current procedures and are making changes to ensure that they meet the higher standards as set out in the GDPR.
Why do we need it?
The update to Data Protection legislation is in many ways long overdue, as the 1998 Act pre-dates Facebook, Twitter and all social media. It is hard to remember, or believe, that in 1998 mobile phones were limited to making and receiving calls, and text messaging was charged per character. Email was in use, but not every organisation had email addresses, and hard copy documents were the mainstay of storage and records.
iPhones, BlackBerrys, smartphones and tablets were yet to come. Access to the internet was limited and actually required a physical dial-up connection. There was no 3G and there were no wireless hotspots for broadcasting communication, and Google went live in 1998 - the same year as the DPA.
The Data Protection Act was fit for purpose then, but all of the changes in the last 19 years mean that a new framework is now essential.
Compliance with the Data Protection Act principles in the UK is largely the responsibility of the Information Commissioner. The Information Commissioner’s Office (ICO) is the regulatory and supervisory authority. The ICO has the ability to provide advice, undertake audits, access information, and impose sanctions and penalties.
What does this mean for Schools?
Schools process a lot of personal data relating to pupils and staff in order to carry out their functions. They also acquire personal data relating to other people including, for example, parents / carers, local governors, trustees, members of the local community, suppliers, contractors and consultants. It is therefore important that all schools ensure they handle personal data carefully and legally.
As the body responsible for our member Academies, we are committed to protecting the privacy and security of personal information and to being transparent about the way in which we use the information we hold. It is our responsibility to make sure that we, and our schools, are handling and treating information carefully and legally.
We understand that schools are not always equipped or resourced to manage big changes to legislation and so we are developing an internal service to support our schools and ensure compliance.
Our GDPR Strategy
As a Trust, we plan to focus on three core areas which will help develop a culture that respects data privacy and security whilst ensuring transparency with those about whom we may hold information.
- Policy & Guidance
We have developed consistent and clear policy and guidance for the management of GDPR across our organisation and schools. Our GDPR Policy details the way that we manage information across the organisation and the ways in which we protect your rights when handling your information. It details your rights as an individual and the measures we have in place to respond quickly and efficiently to any requests for information.
Our Privacy Notices have been developed to provide absolute clarity on the types of information we hold and our reasons for processing that data. Each school also details any bespoke systems they may operate and the ways in which they protect that information.
Our Guidance Documents have been produced to ensure consistent practice across our schools and enable them to develop their understanding of GDPR and how best to respond to any data requests.
We have also developed contract management tools to help ensure that the parties we work with also treat your information appropriately, and that any future relationships with third parties are assessed prior to engagement.
To support our schools with the effective management of GDPR and to develop a culture that respects data privacy and security, the Trust will appoint and provide a Data Protection Officer and a Deputy Data Protection Officer. Their role will be to ensure that all schools are compliant and meet the Trust’s high expectations surrounding data privacy and security.
To support the Data Protection Officers, a deputy head in each school will be designated as the ‘Academy Data Protection Lead (ADPL)’. They will be trained to quality assure the day-to-day practice in their school, to coordinate the response to any request for information and to report any concerns to the Data Protection Officer.
As a School Business Manager normally oversees the ‘back-office’ systems in each school, they will work with the Academy Data Protection Lead to support them in their role. In the same way that the Business Manager ensures compliance with the Data Protection Act 1998, they will work with the ADPL to update the school’s processes and practices to meet the new requirements.
Our GDPR Framework (below) provides a visual overview of our management and support structure.
To ensure compliance, the Trust will conduct an annual Data Protection Audit designed to test the systems and processes in place across the Trust and within our schools. Any weaknesses will be quickly identified, and steps taken to ensure they are addressed. In addition, our Auditors, each school’s Governing Body and the Data Protection Officers will all play a role in ensuring compliance and building a culture that respects data privacy and security.
Chief Operating Officer
Data Protection Officer