Agenda item

Anglesey Schools Annual Information Governance Assurance Report

To present the report of the Director of Education, Skills and Young People.

Minutes:

The report of the Schools Data Protection Officer incorporating an analysis of the key information governance issues in relation to Anglesey’s schools for the period July 2020 to November 2021 was presented for the Committee’s consideration. The report provided the Schools Data Protection Officer’s statement along with an overview of Anglesey primary, secondary and special schools’ compliance with legal requirements in handling information including those pertaining to the UK’s General Data Protection Regulation (UK GDPR), Data Protection Act 2018 and relevant codes of practice.

The Schools Data Protection Officer summarised the contents of the report as providing details of actions taken since the last report in July 2020 to provide schools with policies and documents to support them in complying with data protection legislation, as well as details of progress to date against the Schools Data Protection Plan 2021/22. The report also documents what was achieved against the Support Plan for Schools – Schools Data Protection Policies and Procedures 2020/21. She confirmed that the period had been particularly challenging for schools because of the Covid-19 pandemic, which has made it difficult for schools to prioritise anything other than keeping open, providing education and dealing with staff shortages and other challenges which are still ongoing, hence the yellow or orange status of a number of the actions.

The report at 2.2.1 lists those policies, guidance, documents and templates that have been shared with schools for them to adopt and use, and at 2.2.2.2 the data protection training delivered to schools is outlined. Training is also provided each time policy documentation is shared with schools to ensure they understand what is expected of them in terms of compliance requirements. The report also makes reference to data mapping work, specifically mapping data processors and data flows between schools and the Council.

Taking everything into consideration, it is the Schools Data Protection Officer’s view that schools now better understand their data protection obligations and the importance of data protection and are now giving more priority to ensuring that actions are taken to comply with requirements under data protection legislation. Whilst there is still more work to be done as reflected in the next steps, the Schools Data Protection Officer is able to provide reasonable assurance with regard to schools’ compliance with data protection requirements.

Points of discussion by the Committee were as follows –

· The arrangements in place to follow up on the implementation of the next steps and to monitor compliance. The Committee was advised that a Data Protection Plan for 2021/22 has been formulated (details provided at section 3 of the report) along with an action plan and timeline; the latter has been reviewed internally to take into account the range of other priorities which schools have and it now sets out clear expectations of when actions are to be fulfilled. All actions needed to ensure schools meet the expectations with regard to information governance/data protection and GDPR implementation are contained within the action plan. An internal management system whereby schools confirm their adoption of policies forms part of the monitoring arrangements, with the Schools Data Protection Officer also meeting regularly with schools to oversee compliance.

· The implications and severity of the secondary schools cyber incident in June 2021 and the remedial steps taken to safeguard data. The Committee was advised that a team of specialised cyber-technology consultants was immediately brought in by the Council to investigate the incident, with the National Cyber Security Centre also providing support to resolve matters. Forensic analysis of the cyber incident found no evidence that ICT systems were infiltrated or compromised. The incident was reported to the Information Commissioner’s Office as a possible data breach and an investigation has begun which could take up to several months to complete. The Committee requested and it was agreed that it be informed of the findings of the ICO’s investigations including any recommendations as regards lessons to be learnt that may arise therefrom.

· The relationship and level of understanding between Hwb (the digital platform for learning and teaching in Wales) and its responsible body, and the Council’s IT Service. The Committee was advised that the Hwb programme is a national programme implemented across Wales’s schools; the circumstances of the past year and the accelerated move towards digital learning have enhanced the general understanding and appreciation of Hwb and its potential in terms of access to digital services and resources and have also led to a constructive and professional relationship between Hwb officials (Welsh Government) and officers from the ICT and Learning Services. It is envisaged that this relationship and understanding will continue to evolve.

· Whether an estimated date for the completion of the information governance work with schools can be given, acknowledging that there is an action plan with target dates to which the Committee is not party. The Committee was advised that whilst the majority of the policies and templates which schools need to have in place will be available to them by the end of the school year, some of the implementation work may overspill into the following year depending on the position in terms of schools’ capacity. The Committee asked that target dates be included in the 2021/22 annual report to better enable it to assess performance and achievement.

It was resolved –

· To accept the Schools Data Protection Officer’s Annual Information Governance Assurance Report for 2020/21.

· To endorse the Schools Data Protection Officer’s proposed next steps – the Schools Data Protection Plan – in order to enable schools to fully operate in accordance with data protection requirements.
