09/19

Data Protection Newsletter

Dear <<First Name>>

This is the latest edition of the Data Protection Newsletter. You're receiving this because your school is using eLIM as its Data Protection Officer.

In this month's newsletter:

Contact address

If you have any questions about Data Protection contact Amy Brittan at:
dposchools@somerset.gov.uk

Bookmark these: new DPO resources page and weblinks

The DPO resources have moved! Now that we are a subscription service, we need to protect the resources you’ve paid for. We’ve moved them to the Support Services for Education website, where they can be downloaded with your SSE login. Resources are updated all the time, and updates will be advertised in this newsletter.

These links should be added to your bookmarks.

If you are a subscribing school and have any problems downloading resources, please let us know at dposchools@somerset.gov.uk

Online audit – DPO schedule for schools

Under Article 39 of the GDPR, it is a statutory responsibility of the DPO to monitor the compliance of the organisation they are acting for. See the ICO’s tasks for Data Protection Officers.

This year, we will be issuing an online audit to all our subscribing schools. The audit will be rolled out on a scheduled basis, with schools contacted throughout the year. Priority will be given to subscribing schools who did not have a DPO visit last year, or schools who were visited in Autumn term 2018.

The online audit should be completed by the data protection lead in schools, and will take about an hour. When the audit is submitted to the DPO, we will read through your responses and arrange a time for a follow-up phone call. After the phone call, we will send you through a written report on your compliance and action points which can be shared with governors.

The first schools will be contacted in the next few weeks. Please contact us if you would like to be added to the priority schools.

Somerset LA Data Sharing Agreement 2019-20

The annual data sharing agreement for Somerset schools has been sent out to all education provider mailboxes, supporting the LA’s requirement to collect large-scale data from schools to fulfil its legal and statutory duties. The data sharing agreement:

  • reduces the administrative burden on Education Providers – as data will only be inputted once but used many times for the benefit of children and employees
  • provides better targeted services to all children and employees
  • ensures the safety and wellbeing of individual children and employees
  • ensures inclusion in the Overarching Information Sharing Protocols with the Avon and Somerset Police and the Local NHS CCG, Partnership and Trusts

The 2019-20 Somerset Data Sharing Agreement must be read and signed by all school settings - failure to sign may limit some of the LA services available to your school.

On Page 2 you will see a list of changes from the 2018-19 agreement. Click here to read the 2019-20 Data Sharing Agreement

When you have read the agreement, complete the electronic form here

Clicking Submit at the end of the form acts as your signature. Thank you to the 120 schools who have completed this promptly. Please contact us if you have any questions.

Farewell Egress, hello Microsoft Azure Information Protection!

In the latest data sharing agreement, Egress has been removed as a specific named secure sending tool. The reason for this is that the LA contract with Egress is coming to an end, and the LA are gradually replacing it with Microsoft’s Azure Information Protection (AIP). This will allow LA staff to label and encrypt emails in a similar way to Egress.

Our understanding from the team dealing with the roll-out is that all schools currently covered by an Egress exemption (that is to say, you do not need to sign in to Egress to open LA emails – mainly schools using educ email accounts) will continue to receive emails in the same way, without needing to sign in. More information will become available as we receive it.

If your school is not covered by an Egress exemption and you need to sign in to download Egressed emails, you may request that your school email domain is added to the LA exemption list by emailing the ICT helpdesk. They will consider your request, evaluating the security measures your school has in place.

If you’re sending personal information outside the LA, or not replying directly to an LA email, then the school will need to have secure sending in place, e.g. password protecting a document as detailed in section 5.3.2 of the data sharing agreement.

If password protection isn’t possible, then all reasonable precautions should be taken to verify the identity of the recipient (e.g. by phone call), label the email in the subject line as OFFICIAL - CONFIDENTIAL, include a read receipt and obtain confirmation of receipt from the recipient. If password protection isn’t in place, we would also consider funnelling the sending of sensitive data through a nominated member of staff, e.g. the office manager. That way, you have control over what is sent and how it is sent, and can more easily manage any problems.

Remember - if data is incorrectly sent or not received by the intended recipient, this is a data breach by the school and must be recorded with your DPO.

DPO Case Files – The Confidentiality Conundrum

Each month, we will feature a data protection issue raised by a school. We will not identify the school, but share their dilemma and how it was resolved, so that other schools can consider their response in the same circumstances.

It’s a well-worn phrase, but your school’s data protection will only be as good as your weakest staff member. Data breaches occur when people don’t follow your procedures, either intentionally or unintentionally.

But what if you become aware that a member of staff has been discussing sensitive personal information of pupils and adults with a third party? Over the last year, we have had a number of reported data breaches involving staff sharing or accessing confidential information. For obvious reasons, we won’t be more specific!

These incidents will be dealt with as HR issues and appropriate disciplinary action will be taken. However, they are also data breaches and the school should assess the risk to individuals and record / report the breach in line with advice from their DPO.

If there is a high risk of harm to the rights of individuals, the school will need to inform the Information Commissioner’s Office. The school will need to prove that data protection is included in compulsory induction training, and that it regularly provides compulsory updates to all staff. It will also need to prove that staff agree to comply with the school’s data protection-related policies (e.g. data protection policy / signed code of conduct / signed staff acceptable use policy).

If the data controller can demonstrate that they have robust policies and procedures in place, and that they have taken the breach seriously and acted appropriately, then the ICO response should be proportionate.

ICO guidance on SAR timelines

The ICO has updated its guidance on response times to Subject Access Requests. The 30 day deadline for responding is now calculated from the day of receipt, not the day after receipt.

"Following a Court of Justice of the European Union (CJEU) ruling, the ICO has updated its guidance around how long an organisation has to respond to a subject access request (SAR).

The guidance stated that SARs must be responded to within one calendar month, with the day after receipt counting as 'day one'. This has now changed.

'Day one' is now the day of receipt - for example, a SAR received on 3 September should now be responded to by 3 October."

This may be different for maintained schools responding to a parental request for the pupil record – contact your DPO for advice on this.

DfE Brexit data protection guidance

Over the summer, the DfE released guidance on schools, data protection and Brexit:

The main actions to take are:
  • Evaluate where you send data in / out of the EU for processing, e.g. identify where online providers are storing your personal data by looking at the terms and conditions of your contracts. Is it in the UK or EU?
  • Check that your contracts with these providers, which include the processing of personal data in the EU, “provide the additional safeguards required” – in most cases, you will be sharing some information with providers that counts as a ‘restricted transfer’ under GDPR and, in the event of a no-deal Brexit, you should check whether there are standard contractual clauses which apply: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-transfers#ib6
  • Review your privacy notices and data protection privacy impact assessments (PIAs) to ensure they are up to date and reflect any changes made to the way you work

In the event of a no-deal Brexit, GDPR will be incorporated into UK law and the Data Protection Act 2018 will continue to apply to data transferred within or from the UK. The UK will become a ‘third country’ outside the scope of the EU GDPR rules, so data coming in to the UK from the EU will not be allowed unless safeguards such as standard contractual clauses are in place.

In all cases, we advise schools to prepare by assessing risk – what services do you use where data comes in from the EU? How sensitive is the data that is being processed by this service? Prioritise the most sensitive services first and examine the contract you hold with them.

As more information becomes available, we will share it with our subscribing schools - we recognise that you and your governors will have questions and will do our best to respond with the information we have.

Issues, questions or myth busting

If you have any questions or issues around Data Protection then please get in contact.
dposchools@somerset.gov.uk
 
Copyright © 2019 e-Learning and Information Management, All rights reserved.