06/19

Data Protection Newsletter

Dear <<First Name>>

This is the latest edition of the Data Protection Newsletter. You're receiving this because your school is using eLIM as its Data Protection Officer.

In this month's newsletter:

Contact address

If you have any questions about Data Protection contact Amy Brittan at:
dposchools@somerset.gov.uk

New IRMS Records Management and Retention Period Guidance

The Information and Records Management Society have released new guidance on records management and retention, updating the 2016 Schools Toolkit widely used by Somerset schools.

The new guidance can be found at https://irms.org.uk/page/SchoolsToolkit - unlike the 2016 version, there is no option to download a handy PDF unless you are an IRMS member, and the guidance must be viewed online.

Some significant clarifications are summarised below:

Page 12: Pupil Record: clarity on what a pupil record consists of, and how maintained and academy schools should respond to requests by parents/pupils so that the information provided is consistent across settings.

Page 14: Transferring pupil records: much more information about safe transfer and advice that the CTF should be accompanied by paper files for SEND and CP data that may not be included in the CTF.

Page 19: Advice on email management: this has been completely rewritten and clearly states that emails are not a filing system, and emails should be transferred to the school MIS or other storage system where they could be considered part of the pupil record; part of a contract; or relate to an employee. Once transferred, original emails can be deleted.

Page 22: Social Media: a new section with clear advice on how to do a social media risk assessment, set up school Facebook or Twitter accounts safely, and how to be aware of social media retention periods.

Page 26: Information Security, Business Continuity and Digital Continuity: this is a rewritten section with more detail on preventing data loss by protecting paper data, preventing malware, training staff and ensuring that breaches are investigated, recorded and reported accurately.

Page 48: GDPR overview: information on GDPR and how it relates to schools.

Page 53: Advice on using consent as a lawful basis for data processing and how to seek consent.

Page 55: Suggested sample consent form for pupil images (the eLIM DPO will issue a copy of this to schools in the next newsletter).

Page 64 onwards: Records Retention Schedule: much more detail has been added to this in relation to GDPR. An interesting clarification is on page 78 – Disciplinary and Grievance Procedures. The old guidance suggested that the staff personnel file should be weeded for outdated complaints, e.g. oral warnings should be weeded after 6 months. The new guidance is much clearer that warnings and grievances should not be automatically weeded in case of future complaints, and that a record should be kept even though the case may not be considered ‘active’.

Somerset County Council's Records Management Team (who co-authored the IRMS document) are updating their School Retention Schedule advisory document. We hope to be able to share this in the next newsletter.

If you are concerned about your records retention, contact the DPO at dposchools@somerset.gov.uk

DPO Case Files – The Scandalous Staff Data Breach

Each month, we will feature a data protection issue raised by a school. We will not identify the school, but share their dilemma and how it was resolved, so that other schools can consider their response in the same circumstances.

A school approached us for advice on a possible data breach.

A local Facebook page had shared some CCTV footage of two children engaged in some anti-social behaviour and asked if anyone knew their names.

A member of the school staff had contacted the person who posted the footage via a Facebook message, and identified the children as students of the school, giving their names.

The school became aware that the names had been shared by a member of their staff – was this a data breach by the school?

We considered whether this data being shared was likely to put the children at risk of ‘significant harm to their rights and freedoms’ (the threshold for ICO reporting) and judged that it was. The children, and possibly their families, could be singled out for abuse or harm by members of the community who could now identify them. The member of staff only knew the children’s names because of their employment by the school. We advised that the school contact the ICO.

The ICO advisor took further advice before giving a response. They judged that the member of staff was acting 'consciously and independently of the school' in a personal capacity by sharing the information in a Facebook message. When sharing information for personal use, data protection provisions do not apply in the same way as for organisations. So, the school had not committed a data breach.

However, the member of staff had acted in a way that may have breached the school's safeguarding policy, acceptable use policy or code of conduct, and disciplinary measures may be appropriate.

Next month: The Mystery of the Missing Emails

New documents on the eLIM website

New pupil-friendly privacy notice: schools have requested a version of a privacy notice that can be understood by most secondary students. This document includes more accessible language for students and parents.

New workforce privacy notice: the existing DfE notice (updated Feb 2019) has been updated again with advice from Somerset HR.

Governor monitoring questions: shared at this term’s governor training sessions, these questions are to support governors in monitoring the school’s compliance with GDPR.

Data handover form: a reminder about this form shared in the last newsletter – for staff leaving your employment.

Record your DPO with the ICO

Have you informed the ICO of your data protection officer? Follow this link:

https://ico.org.uk/for-organisations/data-protection-fee/your-data-protection-officer-is/

For schools using the eLIM DPO service, the details are:

Name: eLIM Data Protection Officer

Address: Block D, County Hall, Taunton, Somerset TA1 4DY

Telephone: 07772 884438

DPO package 2019-20

Many thanks to all the schools who have ordered the eLIM Data Protection Officer package for 2019-20. A brief reminder that the package can be ordered from Support Services for Education http://www.supportservicesforeducation.co.uk under Buy Now when logged in. The package is ELI009/T Somerset Schools Data Protection Officer (Sep 2019 - Aug 2020)

Discounts are available for MATs and non-Somerset schools can contact us for further details.

Issues, questions or myth busting

If you have any questions or issues around Data Protection then please get in contact.
dposchools@somerset.gov.uk
 
Copyright © 2019 e-Learning and Information Management, All rights reserved.

