Agenda item

Annual Information Governance in Schools Report 2021/22

To present the report of the Director of Education, Skills and Young People.

Minutes:

The report of the Schools Data Protection Officer setting out the key information governance issues in schools for the period November, 2021 to January, 2023 along with current priorities was presented for the Committee’s consideration. The report provided the Schools Data Protection Officer’s statement and overview of Anglesey primary, secondary and special schools’ compliance with legal requirements in handling information during the period including compliance with the United Kingdom’s General Data Protection Regulations (UK GDPR), the Data Protection Act 2018 and relevant codes of practice.

 

The Schools Data Protection Officer in presenting her analysis of the position confirmed that since the last report was issued in November, 2021 significant progress had been made in ensuring that schools have the necessary policies and procedures in place to be compliant with requirements under data protection legislation. The day-to-day information management practices within the schools have continued to improve and schools now show that they understand their responsibilities and implications as the data controller and the legal expectations that come as a result. Most school staff have received data protection training in the past year which has supported schools in improving their practices, and twenty school governing bodies have also received a data protection presentation. Schools have formally adopted the majority of policies and are in the process of adopting the final policies package which should ensure they are able to address the accountability requirements of GDPR. Whilst based on her assessment, the Schools Data Protection Officer is able to provide a Reasonable assurance opinion with regard to school compliance with data protection legislation and requirements, further work needs to be done as detailed within the report, specifically in relation to managing the data protection risks arising from the use of different systems and reviewing arrangements with data processors, including ensuring that agreements by providers meet requirements.

 

The Committee welcomed the report as comprehensive and informative, and the following issues were raised during the ensuing discussion –

 

·      That the inclusion of a glossary of acronyms/terms in future annual reports would be most helpful

·      The timescale for the completion of the further work identified and whether all the Island’s schools have now been assessed and are signed up to receive support and guidance via a Service Level Agreement.

 

The Schools Data Protection Officer confirmed that the 45 schools to which reference is made in the report covers all Anglesey primary and secondary schools along with Canolfan Addysg y Bont with the exception of Ysgol Caergeiliog Foundation School. She advised that the schedule contained in the Anglesey Schools Data Protection Development Strategy in Appendix B sets out the target completion dates for the activities outlined with the aim being that all the main elements will have been completed by the end of the current school year.

 

·      What the further work with schools entails in order to ensure they are fully compliant with data protection regulations and requirements.

 

The Schools Data Protection Officer advised that part of her role involves conducting an annual data protection audit of each of the 45 individual schools to review data protection compliance and arrangements, with two such audits of all the schools having been completed to date. For the 2023 audit visit, she would be focusing on ensuring that all schools have an accurate and up-to-date Record of Processing Activities (RoPA); that they are monitoring and can evidence their compliance with all data protection policies; that they have appropriate data protection agreements in place with data processors, i.e. those companies from which they procure systems, programmes and apps; and that Data Protection Impact Assessments have been completed for high-risk data processing areas such as CCTV cameras.

 

·      The provision of training, specifically the number of school staff who have received the necessary data protection training and whether there are any schools that have not as yet received training.

 

The Schools Data Protection Officer confirmed that the majority of schools have now been provided with data protection training with most having been conducted online and the schools themselves maintaining a record of attendees for each session. As the arrangements have been made either on a catchment or individual school basis, she could not say how many staff had attended; she was however aware that a few schools had not received the basic session and that she would be following this up to ensure that all remaining schools are provided with training on all the key data protection elements.

 

·      The role of Cwmni CELyn. The Schools Data Protection Officer clarified that the company is an independent Caernarfon-based company which provides specialist advice on information governance and data protection to this and other councils.

 

·      Whether schools have the autonomy to procure software packages according to their needs and whether in that case there are any measures and/or assessment to ensure such software is appropriate and compliant with GDPR and the Data Protection Act.

The Schools Data Protection Officer advised that she had completed in-depth assessments on Data Processing Agreements for the systems, programmes and apps that the majority of schools use in order to provide an overall risk assessment for schools regarding the current agreements they have. Normally, should a school wish to sign up to an app, the Schools Data Protection Officer would first assess the agreement with the provider to ensure it covers all the required data protection components. She confirmed in response to a further query that although schools do have independence as a data controller, because they are connected to the HWB network the IT Service would have to be consulted before schools are able to upload/install any programme or system.

 

It was resolved –

 

·      To accept the Schools Data Protection Officer’s report and statement.

·      To endorse the Schools Data Protection Officer’s proposed next steps – the Schools Data Protection Plan in order to enable schools to fully operate in accordance with data protection requirements.

 

No further action required.

 
