Details of available tools and training and other useful resources.
Please note, if your school purchases the Data Protection Officer Service from GDPR in Schools/the Education Data Hub, the policies and templates you should use are all now available to download from your GDPRiS account. The Education Data Hub also has its own website which contains full details of the services provided, including a number of free resources available for all schools.
In July 2023 all schools were sent the Derby and Derbyshire Safeguarding Children Partnership (DDSCP) template Safeguarding/Child Protection policy for schools for tailoring and adoption. Following further input from the Education Data Hub, an Addendum to address the records management aspects has been created with the Safeguarding Partnership. This is available for all schools to add to their template policy at their earliest convenience.
Training
The Education Data Hub is able to offer GDPR training sessions to support you and your teams. Topics will include:
- UK GDPR in-depth - from privacy and legal processing to supplier compliance issues and breach procedures
- UK GDPR awareness - an updated session for your new starters
- Data protection - strategic overview for governors
Details of current and upcoming GDPR training sessions can be found on the Services4Schools training page.
Toolkits and resources for schools
Schools that subscribe to the Data Protection Officer service are able to access template privacy notices, policies and other useful documents. Non-subscribing schools may purchase a template policy suite from the Education Data Hub containing the following documents:
- Data Protection Policy for Schools (including Freedom of Information Policy, Data Breach Procedure, Subject Access Request Procedure and DPIA Procedure)
- Pupil Privacy Notice
- Workforce Privacy Notice
- Governors Privacy Notice
- Records Retention Policy (Derbyshire County Council no longer provides this for free, but it is available to purchase as a standalone policy - contact: DPforSchools@derbyshire.gov.uk)
- Social Media Policy
- Bring Your Own Device Policy
- IT Security and Acceptable Use Policy
- CCTV Policy
- Special Category Data Policy
- Biometric Information Policy.
For schools that do not subscribe to the Data Protection Officer service or do not wish to buy any template policies from the Education Data Hub, there are a variety of free resources that are available to assist you.
The ICO has comprehensive advice on compliance with Data Protection laws in their SME web hub area. This includes advice on Paying the ICO Registration Fee, Data Protection Self-Assessment, Responding to a Personal Data Breach, How to Respond to a Subject Access Request, Advice on Installing CCTV and Data Protection Impact Assessments (DPIAs).
The ICO has also produced guidance specifically for schools in relation to the Age Appropriate Design Code (the Children's Code) which contains important guidance on what due diligence schools should be conducting when using services accessed by children.
The Department for Education (DfE) published a Data Protection: Toolkit for schools guidance document. This guidance is aimed at helping schools develop policies and processes for data management, from collecting and handling data through to the ability to respond quickly and appropriately to data breaches.
The Information Records Management Society has also written a Toolkit for Schools. This contains lots of useful guidance on all aspects of Data Protection as well as a Model Retention Policy.
Privacy notices
Advice, guidance, templates and support are available from the Education Data Hub Team, email: DPforSchools@derbyshire.gov.uk
In addition, guidance and templates can be found on the DfE website.
Data sharing
The Information Commissioners Office (ICO) guidance on information sharing agreements, which it refers to as 'data sharing agreements or protocols', is as follows:
Data sharing agreements - sometimes known as 'data sharing protocols' - set out a common set of rules to be adopted by the various organisations involved in a data sharing operation. These could well form part of a contract between organisations. It is good practice to have a data sharing agreement in place, and to review it regularly, particularly where information is to be shared on a large scale, or on a regular basis.
A data sharing agreement should, at least, document the following issues:
- the purpose/s of the sharing
- the potential recipients or types of recipient and the circumstances in which they will have access
- the data to be shared
- data quality – accuracy, relevance, usability
- data security
- retention of shared data
- individuals’ rights – procedures for dealing with access requests, queries and complaints
- review of effectiveness/termination of the sharing agreement
- sanctions for failure to comply with the agreement or breaches by individual staff
For more information see the ICO data sharing code of practice - Information Commissioners Office data sharing code of practice
Derbyshire schools and academies will need to share information with Derbyshire County Council. Information about this is held on our Information sharing page.
Please note, any data sharing arrangement involving the processing of personal data where one of the partners is acting a data processor rather than data controller should be subject to a specific agreement relating to the data processing activity.
Phishing, scams and fraud
Data security is an important part of compliance with UK GDPR, it is your responsibility to keep up to date with the latest security threats.