Details of available tools and training and other useful resources.
Please note, if your school purchases the Data Protection Officer Service from GDPR in Schools/the Education Data Hub, the policies and templates you should use are all now available to download from your GDPRiS account. The Education Data Hub also has its own website which contains full details of the services provided, including a number of free resources available for all schools.
The 'Addendum to child protection policy for records management' document has now been incorporated into the Derby and Derbyshire Safeguarding Children Procedures.
Training
The Education Data Hub designs and delivers a wide range of relevant and up-to-date training to meet all requirements. The team also provides support and raises awareness amongst school staff. Training topics include:
- UK GDPR - from information requests to data breach procedures
- AI compliance
- Data protection- in-depth exploration of all aspects of data protection compliance for senior leaders
- Data protection for Designated Safeguarding Leads (DSLs)
- Data protection – strategic overview for governors
For further information on what training is available from the Education Data Hub team, please email: DPforSchools@derbyshire.gov.uk
Toolkits and resources for schools
Schools that subscribe to the Data Protection Officer service are able to access template privacy notices, policies and other useful documents. Non-subscribing schools may purchase a template policy suite from the Education Data Hub containing the following documents:
- Data Protection Policy including
Annex 1: Legal Conditions for Processing
Annex 2: Personal Data Breach Procedure (including cyber Incidents)
Annex 3: Data Protection Impact Assessment Guidance
Annex 4: Subject Access Request (SAR) Procedure
Annex 5: Requests under the Freedom of Information (FOI) Act 2000 / Environmental Information Regulations (EIR) 2004
- Privacy Notice Pupil and Family
- Privacy Notice Workforce
- Privacy Notice Governors
- Privacy Notice Pupil and Family Nurseries
- Privacy Notice Pupil Friendly
- Records Retention Schedule
- Social Media Policy
- Bring Your Own Device Policy
- IT Security and Acceptable Use Policy
- Off Site Working Policy
- CCTV Policy
- Special Category Data Policy
- Biometric info Policy
- Remote Learning Policy
- AI Guidance and Policy
For schools that do not subscribe to the Data Protection Officer service or do not wish to buy any template policies from the Education Data Hub, there are a variety of free resources that are available to assist you.
The ICO has comprehensive advice on compliance with Data Protection laws in their SME web hub area. This includes advice on Paying the ICO Registration Fee, Data Protection Self-Assessment, Responding to a Personal Data Breach, How to Respond to a Subject Access Request, Advice on Installing CCTV and Data Protection Impact Assessments (DPIAs).
The ICO has also produced guidance specifically for schools in relation to the Age Appropriate Design Code (the Children's Code) which contains important guidance on what due diligence schools should be conducting when using services accessed by children.
The Department for Education (DfE) published a Data Protection: Toolkit for schools guidance document. This guidance is aimed at helping schools develop policies and processes for data management, from collecting and handling data through to the ability to respond quickly and appropriately to data breaches.
The Information Records Management Society has also written a Toolkit for Schools. This contains lots of useful guidance on all aspects of Data Protection as well as a Model Retention Policy.
Privacy notices
Advice, guidance, templates and support are available from the Education Data Hub Team, email: DPforSchools@derbyshire.gov.uk
In addition, guidance and templates can be found on the DfE website.
Data sharing
The Information Commissioners Office (ICO) guidance on information sharing agreements, which it refers to as 'data sharing agreements or protocols', is as follows:
Data sharing agreements - sometimes known as 'data sharing protocols' - set out a common set of rules to be adopted by the various organisations involved in a data sharing operation. These could well form part of a contract between organisations. It is good practice to have a data sharing agreement in place, and to review it regularly, particularly where information is to be shared on a large scale, or on a regular basis.
A data sharing agreement should, at least, document the following issues:
- the purpose/s of the sharing
- the potential recipients or types of recipient and the circumstances in which they will have access
- the data to be shared
- data quality – accuracy, relevance, usability
- data security
- retention of shared data
- individuals’ rights – procedures for dealing with access requests, queries and complaints
- review of effectiveness/termination of the sharing agreement
- sanctions for failure to comply with the agreement or breaches by individual staff
For more information see the ICO data sharing code of practice - Information Commissioners Office data sharing code of practice.
Derbyshire schools and academies will need to share information with Derbyshire County Council. Information about this is held on our Information sharing page.
Please note, any data sharing arrangement involving the processing of personal data where one of the partners is acting a data processor rather than data controller should be subject to a specific agreement relating to the data processing activity.
Phishing, scams and fraud
Data security is an important part of compliance with UK GDPR, it is your responsibility to keep up to date with the latest security threats.