Details of available tools and training and other useful resources including template policy and procedure documents and articles, contacts, links and FAQs.
Please note, if your school purchases the Data Protection Officer Service from GDPR in Schools/the Education Data Hub, the polices and templates you should use are all now available to download from your subscribers area within Services 4 Schools.
We are pleased to offer GDPR training sessions to support you and your teams. Topics will include:
- GDPR in-depth - from privacy and legal processing to supplier compliance issues and breach procedures
- GDPR awareness - an updated session for your new starters
Details of current and upcoming GDPR training sessions can be found on the Services 4 Schools training page.
The School General Data Protection Regulation workshop 2018 presentation which ran in the early part of 2018 is attached to this page along with supporting documents referred to during the workshops.
Toolkit for schools
The Department for Education (DfE) published a Data Protection: Toolkit for schools guidance document. This guidance is aimed at helping schools develop policies and processes for data management, from collecting and handling data through to the ability to respond quickly and appropriately to data breaches.
The information audit spreadsheet and guidance can be found in the related documents area.
Third party contracts involving processing of personal data
Advice and guidance on amending contracts can be found on Derbyshire Services for Schools (S4S) in the communications area. To access this link you must first be logged into S4S.
Data sharing and privacy notices
Advice and guidance on data sharing and privacy notices can be found on the Data Sharing page of this site. Guidance and templates for privacy notices can be found on the DfE website.
Data protection policy and access to personal information procedure
Templates for 'Data Protection Policy for Schools' and 'Access to Personal Information Procedure' can be found in the related documents area.
Privacy impact assessments
Schools should consider carrying out Data Protection Impact Assessments when sharing data with a new provider, or sharing different data, or in a different way, with existing providers.
Advice and guidance is available in the 'School Privacy Impact Assessments Procedures' attached to this page.
DCC Audit Services have also provided audit guidance, which is attached to this page, for schools who are considering using a new IT system and the circumstances under which a Data Protection Impact Assessment should be carried out.
More information about Data Protection Impact Assessments is available from the Information Commissioner's Office.
CCTV and GDPR
Several schools have asked us about the use of CCTV and how this is impacted by GDPR and whether we can provide a sample CCTV Use Policy.
The use of CCTV (Close Circuit Television) in schools is on the increase. Schools use it both for security and health and safety purposes and these are legitimate reasons for continuing its use.
However in GDPR terms it must be remembered that the digital images these CCTV systems generate are Personal Data and therefore must be dealt with using the same level of thought and care as other forms of personal data.
If you are using CCTV within a school you must have a CCTV policy in place. You should also regularly review the use of CCTV with your Data Protection Officer.
Here are some key things to think about in relation to CCTV and GDPR:
Justify the use of CCTV
To be compliant with GDPR the processing of personal data must be lawful, fair and transparent. In almost all cases schools can rely on legitimate interests or the need to comply with another legal requirement for the legality of operating CCTV. For example, because they are protecting the vital interests of data subjects, however they will be required to justify this against the area of coverage. Data subject's rights and freedoms cannot be overridden, especially in the case of legitimate interests. Even inside a school pupils and employees have a right to privacy.
Data subjects have the right to be informed
While not an expressive right, data subjects are entitled to understand when their personal data is being processed, covering the transparency aspect of processing. It is recommended that the use of CCTV is communicated via signage which indicates the areas covered and instructions for further information.
Privacy Impact Assessment
Under the ICO guidelines on the use and operation CCTV it is recommended to conduct a data privacy impact assessment to ensure you can justify processing and that you are not excessively reducing the privacy of data subjects.
Data retention cannot be indefinite
One of the core principles of the GDPR requires personal data to be processed for only as long as its purpose requires it to be. Each camera and its purpose will need to be assessed to determine how long footage can be retained for. There are no defined acceptable retention times as it is subjective to the purpose, however be aware that years later or until the footage overwrites it, is not a good demonstration towards consideration of the data subjects rights.
Data subjects access requests of CCTV footage
As with any other aspect of personal data, data subjects have a right to access, which could result in you disclosing footage to them. Schools will need to ensure that the requester is present in the footage and that by supplying the footage they do not disclose any personal data of another data subject. This may involve blurring parts of the footage such as figures or license plates.
Security measures such as encryption are essential
Any act of storage or access is considered processing and it is imperative that schools uphold the confidentiality and integrity of any footage. Screens displaying live or recorded footage should only ever be viewed by authorised individuals and not members of the public who stray past a security guard post or CCTV operation room. Footage should be secured regardless of its format, for example in electronic format it should be encrypted and in physical format be locked away and tracked via a signing process.
The content of this section on CCTV usage has been extracted from an article by Chris Payne.
Use of walkie-talkies
It's possible for conversations to be heard by anyone in possession of a walkie-talkie or similar device.
It is therefore essential to avoid the personal identification of pupils and the transmission of any confidential or sensitive information.
Whilst we are unable to offer any specific expertise on walkie-talkies, we are aware that technology exists to transmit this information in a scrambled or encrypted manner, and you are advised to take this into consideration when making a decision to purchase any walkie-talkies.
Some walkie-talkie systems require a user licence and you should check whether a licence is required before purchasing a system.
Phishing, scams and fraud
Data security is an important part of compliance with GDPR, it is your responsibility to keep up to date with the latest security threats. Please see our information on fraud and scam alerts for updates.