Dispelling Common GDPR Myths – part 2
Following on from our blog ‘Dispelling Common GDPR Myths – part 1’, here are 5 more GDPR myths we have heard and wanted to share to help clear up some of the confusion in schools.
Let’s dispel another 5 common GDPR myths.
Myth #1 – This will stop me using any cloud services
To some extent this is both a myth and the truth.
Many cloud services have already done a lot of work to explain their own GDPR compliance; Microsoft and Google are good examples of this. However, some providers are not transparent, process data outside the EEA (presently not allowed under the existing DPA without additional clauses in the contracts) or do not publish what data they make use of.
These services would need to be carefully reviewed and, if the risk is too high for the school to accept, they should no longer be used.
Myth #2 – Do I have to delete all pupil or staff information as soon as they leave?
The school sets out and agrees its retention schedule based on what it needs to use the data for and can justify within the law. The Information Records Management Society has a school toolkit that can help with this and the DfE and ICO will bring out more materials around retention in due course.
There are certain items of information you are likely to keep for a while, including SEN information. Providing you have a schedule and can justify the retention of this information within the law, you can retain the data.
You will also need to consider how you respond to pupils, parents and staff if they ask you to stop holding their data. For some items (records of employment, etc.) you are likely to respond that you need to continue to hold the data to comply with safeguarding requirements.
Myth #3 – Do I have to keep everything for 25 years?
There is a certain amount of information you are likely to keep for a while, including SEN information. However, you should only retain and use what you actually need. If there is no justification for retaining this data then you must destroy it.
This doesn’t mean that you destroy all the data, only those items you no longer require. For example, you might decide to only retain performance management records of staff for 3 years after they leave, but their record of employment is kept for longer.
Remember, the school sets out and agrees its retention schedule based on what it needs to use the data for and can justify within the law. As we outlined above, the Information Records Management Society has a school toolkit that can help with this and the DfE and ICO will bring out more materials around retention in due course.
Myth #4 – We cannot take laptops off-site now
Providing schools take appropriate security measures (encryption, keeping devices fully updated, a screensaver or screen lock that locks the device when idle, and good anti-malware/anti-virus software), there should not be an issue.
Operational guidance will also be needed for staff on looking after their devices and on which networks they connect to when outside of school.
Myth #5 – We have to stop remote access to school servers
Remote access was a recommendation even back in Becta days, as it supports the existing DPA. However, appropriate security measures need to be taken to protect the service (HTTPS / VPNs, 2FA/MFA, etc.), as well as appropriate staff policies about where the systems can be used (no internet cafes, public spaces, etc.).