Agenda item

Anglesey Schools Data Protection Evaluation Report - First Evaluation Visit to Anglesey Primary and Secondary Schools by Schools Data Protection Officer July 2020

To present a report by the Schools Data Protection Officer.

Minutes:

The report of the Schools Data Protection Officer, which provided an analysis of schools’ position in respect of compliance with requirements under data protection legislation, mainly under the General Data Protection Regulations (GDPR), was presented for the Committee’s consideration. The report gave a summary of the Schools Data Protection Officer’s findings following the first visit to primary and secondary schools and outlined the next steps to take to ensure that all schools meet data protection requirements as soon as possible.

 

The Schools Data Protection Officer provided background information to the evaluation visits to 45 out of 46 primary and secondary schools on Anglesey, which took place between October 2019 and February 2020, and referred to the outcome of those visits, which in summary found that –

• Day-to-day information management practices within schools are generally acceptable, but the majority of schools have not adopted current key policies and documents, as a number of these policies were not created for schools prior to the appointment of the Schools Data Protection Officer. It is essential that current core policies and documents are adopted as soon as possible.

• There is a need to ensure that specific, effective and robust data protection processes are in place in line with key policies and documents.

• There is a need to ensure that schools have a ROPA (Record of Processing Activities), including data flow maps, and an Information Register in place that are kept up to date.

• There is a need to ensure that schools have suitable and up-to-date Privacy Notices available and shared with individuals.

• There need to be appropriate agreements in place with high-level data processors and also with individual schools.

• More work is required around the use of consent.

• The training plan needs to be updated and schools need to ensure that their staff have completed the online module.

• Work needs to be done to ensure that all school governing bodies are aware of their data protection responsibilities and how to ensure that schools comply.

 

Given that the process of beginning to have policies, processes and practices in place to comply with data protection legislation has started within schools, the Schools Data Protection Officer was able to provide Reasonable Assurance in her assessment of the position. However, there remains more work to be done to ensure all schools are on the same level and operating consistently across the Island. Mindful that Covid-19 has had a significant impact on the implementation of the steps to be taken and the work programme for approving and adopting the policies, as well as the related training and awareness raising, the Officer updated the Committee on the progress made since July 2020. She also outlined what she had identified as the next steps to be taken (detailed in section 26 of the attached long report) to ensure that all schools operate in accordance with requirements and achieve what is expected of them as Data Controllers, who are ultimately responsible for ensuring that they process personal data legally.

 

In response to questions raised by the Committee, the Schools Data Protection Officer confirmed the following –

• That Ysgol Caergeiliog has not signed up to the service of the Schools Data Protection Officer but will nevertheless be expected to ensure that it has in place the key documents and policies to comply fully with the requirements under data protection legislation.

• That the Plan to deliver the required actions has been discussed with the schools and will be implemented in stages so as not to place too great a burden on them; this is further supported by a training plan to ensure that schools understand the policies and documentation and what is expected of them - the Committee having expressed some concern about the achievability of the action plan in view of the challenging circumstances in which schools find themselves and the current pressures on them.

• That in view of current Covid-related restrictions, virtual training sessions for school governors have been arranged on different dates to facilitate attendance. Specific guidelines for school governors are also being developed in the form of the School Governing Body Data Protection Guide, which will provide detailed guidance on school governors’ responsibilities under GDPR.

• That schools have been enthusiastic in their response to the work, are keen to comply with data protection legislation and are grateful for the support provided.

• That the Data Protection Act 2018 brought the EU’s General Data Protection Regulation (GDPR) into UK law, which means that the UK will be following GDPR data protection principles regardless of whether or not it is a member of the EU. What needs to be looked at are agreements with third-party providers who process/store personal data on behalf of schools, if the storage is non-UK based, to establish whether those agreements need to be amended in the event of a no-deal Brexit.

• That the Plan is priority based, with the Data Protection Policy being the key overarching policy that will need to be adopted by schools as a matter of priority under GDPR, as shown in the Data Protection Policy, Guidance and Key Documents Review Process Framework (Appendix C to the report) – the Committee having voiced some concern that schools may be subject to policy and information overload in light of the range of policies and procedures they are being asked to adopt.

 

The Committee thanked the Schools Data Protection Officer for the informative and detailed report and for the work undertaken in the period to date - sentiments which were echoed by the Portfolio Member for Education.

 

It was resolved –

• To accept the report and findings of the Schools Data Protection Officer and,

• To endorse the Schools Data Protection Officer’s proposed next steps to ensure that all schools operate in accordance with data protection requirements.

 

NO PROPOSAL FOR ADDITIONAL ACTION WAS MADE
