|
|
|
|
Dear <<First Name>>
This is the latest edition of the Data Protection Newsletter. You're receiving this because your school is using eLIM as its Data Protection Officer, or you have signed up to this newsletter.
In this month's newsletter:
|
|
Contact address
If you have any questions about Data Protection contact Amy Brittan or Kirsty Budge at:
dposchools@somerset.gov.uk
|
|
|
 Data Protection Network Meetings 2021-22 – updates, top tips, and general grumbles
From September, we will be running virtual termly Data Protection Lead update sessions. We’ll be sharing the latest information, practical tips and resources, and there is an opportunity to ask questions. We’ll also share examples of good practice, as well as how to deal with risks, engage staff, and ensure compliance.
If you’re new to the role, or have been doing it for a while and want to keep up to date, do join us. Free for all schools who subscribe to the SSE DPO package. Governors are also welcome to attend.
Dates for 2021-22 are below, along with the Teams link:
Autumn Term
Thursday 16th September 2021 1.30pm-3.00pm – Teams Meeting Link
Thursday 16th September 2021 4.00pm-5.30pm – Teams Meeting Link
Spring Term
Thursday 20th January 2022 1.30pm-3.00pm – Teams Meeting Link
Thursday 20th January 2022 4.00pm-5.30pm – Teams Meeting Link
Summer Term
Thursday 5th May 2022 1.30pm-3.00pm – Teams Meeting Link
Thursday 5th May 2022 4.00pm-5.30pm – Teams Meeting Link
|
|
 Brexit – the last word, again
The European Union have finally granted the UK an ‘adequacy decision’ which means that personal data can flow between the UK, EU/EEA and back to the UK without complex arrangements being in place.
This is great news for schools – if you’ve done your statutory Data Asset Audit (Record of Processing Activities) you will know where your school personal data is being held, and you can confidently explain to parents that any data you may store in the EU/EEA is compliant with the law (if you haven't done your audit, contact the DPO for a template Excel spreadsheet).
There is a slight sting in the tale. The EU states that the adequacy decision can be revoked, at any time if the UK diverges from EU standards of data processing. There’s also an unusual ‘sunset clause’ which means in four years’ time, the entire decision will expire and need to be renewed. There’s an indication that the EU may not completely trust the UK Government to follow the GDPR in the long term, and the EU wishes to protect the rights of EU citizens.
Read more here: https://www.activemind.legal/gb/guides/adequacy-decision-uk/
|
|
 New staff in September? What can you share?
A number of schools have asked about what pupil personal data they can share with new staff, whose contract does not start until 1st September.
It is reasonable for the school to share necessary and proportionate pupil data with the teacher before they start at the school. It will help them prepare appropriately for their role, and it would be something that parents and pupils would expect.
So long as the information isn’t excessive, the school can use Legitimate Interests as the lawful basis under UK GDPR (the benefits to the pupils and school are balanced against possible risk).
We recommend adding the information to Office 365 or Google Drive and sending a secure, password-protected link (with an expiration date) as the safest way of giving the teacher access, rather than emailing attachments with personal data.
Before sending the information, it’s advisable to get the teacher to confirm their email address for receipt of the link and ask them to confirm that they will keep the information secure, and not accessible to anyone else. Don’t send without this confirmation and keep a record of the confirmation.
Don’t share any safeguarding data, and ensure that whatever is sent is the absolute minimum to ensure that the teacher can start their new role effectively.
|
|
 DPO Case Files - Celebrity Edition
Matt Hancock, CCTV and lessons for schools
Do you have CCTV on your school site? If so, there’s an item buried in the news reports about the downfall of Matt Hancock that you may find interesting. The footage of Hancock engaged in hands-on lateral flow testing with his aide was not directly taken from CCTV – rather, it was taken by someone pointing their mobile phone at the CCTV monitor, and filming the playback of the footage on their own device.
So what, you may think? Well, the guidance on CCTV use from the ICO states clearly that CCTV monitors should not be in view of people who do not have the right to view them. If the Department of Health had placed their CCTV monitor in a secure area with access limited to only nominated persons, it’s unlikely that anyone would have been able to record the compromising footage on their own phone. There are also reports that someone in the Department deliberately moved a CCTV camera, so it captured images that could be used against the former Health Secretary.
CCTV in schools must be justifiable, and a necessary and proportionate response to a risk e.g. the school have had previous incidents, or there is a likely risk of criminal activity in areas that have poor lighting or are not accessible to staff. It should not used on a ‘just in case’ basis – every camera must be sited with care, and checked annually to ensure that it is still useful and functional. Many schools have dozens of cameras on site, and the CCTV monitor may be in a place where others can see it.
Do check that your CCTV cameras are not infringing on the privacy of others, and make sure that your CCTV policy reflects what is actually happening on site. No school wants to be in the unhappy position of having to explain why school CCTV footage has found its way into the wider world.
More information here: Installing CCTV? Things you need to do first | ICO
|
|
 School's Out - enjoy your summer!
Thank you to all the Data Protection Leads, headteachers, staff and governors who've emailed or phoned, or who we've provided online training or in-school support for this year.
It's been a tough period, and we understand that data protection has been the very last thing that many of your staff want to consider. However, we appreciate all the work you do in schools to engage your colleagues and communicate with the DPO about compliance, to ensure that everyone is playing their part in keeping data safe.
Have a wonderful, well-deserved summer break. See you all in September!
|
|
Issues, questions or myth busting
If you have any questions or issues around Data Protection then please get in contact.
dposchools@somerset.gov.uk
|
|
|
|
|
|
|
| |
