Governance and Data Protection in Schools
Governance and Data Protection in schools play a key part in compliance. Schools have a well-established and well-documented governance structure, aimed at ensuring that there is a consistent level of strategy, balanced against healthy accountability.
The balance between the strategic role of Governors or Directors and the operational roles and activities of the school Senior Leadership Team and other school staff is core to the success of schools, and anything that bypasses, alters or subverts this can cause issues for schools.
Why is that important with regard to data protection?
Well, Schools, Trusts, Colleges and Universities are Public Bodies and, as such, require a Data Protection Officer (DPO). But what is a DPO? Our article on ‘fulfilling the role of DPO’ goes into detail about the tasks of a DPO, what employer duties are with regard to their DPO and what the requirements for the role are.
There are contentious issues around experience and knowledge, conflicts of interest and reporting levels. Our article ‘who can/can’t be your DPO’ looks at the pros and cons of each role in school if you appoint your DPO internally. When we take this into account, we find that those who may have some of the best understanding, the IT Managers or IT/Operation Directors at MATs, are going to have a conflict of interest. You cannot audit your own work. Likewise, making sure you have the right person, with sufficient weight to their words when reporting to the Governing Body or the Trust, is going to be difficult!
This leaves us with the final option of contracting out the role of DPO. This could be problematic when it comes to ensuring that the DPO understands the setting of the school as well as supporting the school correctly. We work with many DPO as a Service (DPOaS) providers that are experienced in the Education sector and have a deep understanding of how schools work and the types of data they process.
We’ve thought long and hard about another option…
Not an employee but a volunteer… where would a Governor fit?
We already have established structures in place that could be modelled. When we consider the Designated Safeguarding Lead (DSL) we have the corresponding Safeguarding Governor. When we consider the H&S lead within the school, often a site manager or a school business manager, we have the corresponding Governor who helps the Governing Body in their oversight of the school or trust.
Why is this not an immediate option for Data Protection Officers? One of the tasks of the DPO is “To be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc).” This clearly involves operational activities, but to what extent? We must think about what those operational activities are and the way they can take place.
Let’s take a look at the minimum tasks set out by the ICO in reverse order.
- To be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc).
In simplest terms, this is the go-to person for anything the ICO (the UK’s supervisory authority) wants to ask about and the go-to person for children, staff, employees, volunteers and anyone else for whom the school may hold and process data.
The most obvious example of this is how a school would handle a Subject Access Request (SAR).
On the face of it, the DPO is contacted with the request and they do the leg work, or delegate others to do it, before reporting back to the requestor. However, the task does not say that they are the sole point of contact or that they must do everything themselves.
- To monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advise on data protection impact assessments; train staff and conduct internal audits.
The above tasks appear reasonable enough. Governing Bodies are experienced in monitoring compliance and providing advice, but these tasks go further. You would be expected to train staff, conduct internal audits and manage internal data processing activities. As most Governors would say, “this looks all too operational to me”, and for most Governors that crosses the line! Governors are meant to be strategic, NOT operational.
- To inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws.
This task is already undertaken by the Governing Body, who would draw up the Data Protection Policy. It does start to cross over with the above task, as we can easily see training and assessment within this area. Again, a possible conflict with the need to remain strategic.
When we take the above into account, some might worry that a Governor could never be considered, especially when we consider the section below.
The GDPR does not specify the precise credentials a data protection officer is expected to have. It does require that they should have professional experience and knowledge of data protection law. This should be proportionate to the type of processing your organisation carries out, taking into consideration the level of protection the personal data requires.
We already know that Governors are drawn from a wide base of experience and knowledge, but the chances of every single Governing Body having access to someone with the required experience and expertise are going to be extremely low. The GDPR sets out that the Public Authority (the ICO in the case of the UK) will set up an accreditation around relevant qualifications, and this is backed up via the Data Protection Act 2018. The downside is that this is not going to be set up for some time, and so we are unsure about what training can be put into place for Governors or anyone else looking to take on the DPO role.
So, what options does this leave most schools with?
Well, it is not as bleak as you might think and when we consider some of the comments raised above, there could be a range of scenarios. Below are a few to spark some discussion about possible solutions that could suit your school or Trust.
DPO as a Service (DPOaS)
We have already seen that GDPR allows for DPOaS. This is possibly the simplest option for many schools or smaller MATs. They are probably in the position where they cannot employ a permanent role. That said, there are growing examples of adverts for DPOs for schools and/or MATs, most of which are poorly paid, term time only, with inconsistent requests on experience or qualifications.
By taking on a service to manage and run all the DPO activities, or make sure they are done, the school is mitigating a wide range of risks. The DPO may be a nominated person within the service provider that has their expertise spread across a team, giving schools far more access to experience and knowledge than if they were relying on a single person in the role.
The downside is that you cannot start to estimate costs on this until an assessment is made of the amount of support the DPO needs to provide. Do they need to train all staff directly? Do they need to do the legwork for data discovery exercises? Will they be writing all the policies and procedures themselves? Will they be the sole person conducting audits? Will they be needed 3 days a week or 3 days per month?
Governor as a DPO
If you are lucky enough to have a Governing Body which has one or more members with the required expertise, then you need to consider how the operational activities are handled. It may be that they volunteer additional time to the school to undertake any operational activities, and that they are happy to be the first point of contact for parents, children, staff and the ICO.
It may be that there are staff within the school that support them operationally with activities. The extent of this support will vary from school to school. A nominated Data Protection Lead (DPL) would ensure that operational tasks are completed and the DPO kept informed, cutting down on tasks such as responding to Subject Access Requests, performing initial risk management of any new scheme or programme that will start processing data and so on.
A blended approach
In all likelihood, the most successful approach will be a blend of the two above. The school could operate a similar model to the Designated Safeguarding Lead and Safeguarding Governor, with additional support from a DPOaS provider.
The school could have a service from a ‘DPO as a service’ provider, bringing in the required expertise to ensure that all activities are set up to run as correctly as possible. They would be able to support the school with bringing in trainers or verifying the capability of trainers that the school commissions. They would ensure that the policies are appropriate, that operational procedures for handling SARs are in place, that systems are in place to log the audits that the school runs and so on.
The school then has a nominated Data Protection Champion Governor, who provides strategic support with the decisions that the school makes where Data Protection has an impact. They are supported by a DPL that they were being done.
How would this work in the scenario where the school receives a SAR?
If the request arrives via email, it is then sent to a distribution group containing the DPL, the Data Protection Champion Governor and the DPO. The DPL would log it and then initiate the required work. This could be done using software tools such as GDPRiS, which follow a workflow: providing a checklist for activities and monitoring the timeline, providing guidance on which data sources need to be reviewed, alerting the System Owners / Information Asset Owners that work is required, and allowing the DPL and DPO to centrally monitor progress, including timely alerts when key deadlines are closing in. It may be that the system purely provides the much-needed framework for managing the response to the SAR, or it may be that it allows for the response itself to be part of the system.
It may be that the above is done via manual effort instead, which would mean the DPO and Data Protection Champion Governor must rely on the DPL to be on top of their game!
Other scenarios, such as Privacy Impact Assessments / Data Protection Impact Assessments, could follow a similar model, managing operational processes against strategic direction and impartial advice and oversight.
This 3-tier system is likely to give the most flexibility, allowing schools to keep close to their existing governance structure while also enabling them to tap into the key expertise and knowledge they need.