The ICO understands school priorities but safeguarding data remains paramount.

Covid-19 has brought about the best in all communities and it turns out that the ICO (Information Commissioner’s Office) is not the big ogre everyone thought they were. It is their role to police data protection in the UK and rightly so. However, in a recent publication about their approach to the crisis it is clear that the ICO understands school priorities and the enormous pressures on all organisations during these challenging times.

There are some key messages in the document they published which schools should find reassuring. All the hard work they have already carried out to protect student and staff data will stand them in good stead for the months ahead.

What should schools be mindful of right now?

Some of the key points schools should consider, particularly as schools begin to open and experience the ‘New Normal’.

We will take a strong regulatory approach against any organisation breaching data protection laws to take advantage of the current crisis.

The Information Commissioner’s Office (ICO)

This is a very clear statement from the ICO. We are seeing fraudsters and criminals of various kinds using the current situation to further their own illegal, avaricious and repulsive means. Financial gain is the most common but sadly children are targeted directly or through their teachers and parents. Friends Against Scams is a great organisation for information about the most common scams and how to prevent them.

Wherever you can, you should raise awareness and help to ensure your community is safe online. Our free advisory videos for staff and parents can help with this. When schools return to normal there’s plenty of housekeeping to do around data protection – GDPRiS is already working on advice and resources to help schools ensure they think of everything to ensure their continuing compliance with the law.

We have stood down our audit work

The Information Commissioner’s Office (ICO)

This is good news – however audits do help to keep you focused on best practice. The audits carried out in MATs to date have been of immense value to those that have experienced one but the time audits consume would certainly be disproportionate in today’s climate. This does however provide you with an opportunity to prepare for the possibility of an audit once normal operations resume.

Watch how simple GDPRiS makes managing data protection

We may give organisations longer than usual to rectify any breaches that predate the crisis, where the crisis impacts the organisation’s ability to take steps to put things right.

The Information Commissioner’s Office (ICO)

Great news too! It doesn’t mean you can forget breaches – quite the contrary. Investigating breaches is one of the best methods to evaluate your data protection principles. If you have a breach you need to look how the process around it can be done better. However, you don’t need to keep looking at the clock!

Sharing best practice in breach management in schools

We will recognise that the reduction in organisations’ resources could impact their ability to respond to Subject Access Requests, where they need to prioritise other work due to the current crisis. We can take this into account when considering whether to impose any formal enforcement action.

The Information Commissioner’s Officer (ICO)

It’s our belief that most SARs should be suspended during this time and it looks like the ICO takes a similar view. However, the democratic rights and freedoms of individuals to know what information is stored about them is a key entitlement to anyone living in a free world and it must remain.