Agenda item

To present the report of the Director of Education, Skills and Young People.

The report of the Schools Data Protection Officer incorporating an analysis of the key information governance issues and priorities in relation to Anglesey’s schools for the period February 2023 to November 2023 was presented for the Committee’s consideration.

The report was introduced by the Director of Education, Skills and Young People as providing the Schools Data Protection Officer’s statement along with an overview of Anglesey primary, secondary and special schools’ compliance with legal requirements in handling information including with the UK’s General Data Protection Regulations (UK GDPR), Data Protection Act 2018 and relevant codes of practice. Also included within the report were details of actions taken since the last report in January 2023 and achievements under the Schools Data Protection Development Strategy 2022/23 as well as actions identified for the Schools Data Protection Strategy 2023/24 and progress to date.

The Schools Data Protection Officer confirmed the progress made by schools since the previous report to the Committee with schools having formally adopted the majority of policies and begun the process of monitoring and evidencing their compliance with all data protection policies. More schools have received data protection training during the period both individually and by catchment area which has helped schools improve their practices. More school governors have also received training or have received a data protection presentation by the Schools Data Protection Officer with 25 governing bodies having received such a presentation which highlights the main requirements and expectations on schools as regards data protection obligations.  Significant progress has been made in ensuring that appropriate Data Protection Agreements are in place with regard to the systems, programmes and apps used by schools. Most schools now have suitable and up to date Privacy Notices which have been shared with parents or in the case of general and children and young people’s versions, have been posted on the school’s website. The Schools Data Protection Officer continues to undertake audit visits to individual schools to review data protection compliance and arrangements with 44 of the 45 schools having been visited in the period between March and October 2023. The 45^th school has scheduled a visit for next month.

It is the Schools Data Protection Officer’s view that schools continue to show that they understand their responsibilities and implications as the data controller and the legal expectations that come as a result. Schools also continue to demonstrate that they have a better understanding of the data protection obligations and have been giving more priority to ensuring that actions are taken to comply with requirements under data protection legislation. Further specific pieces of work need to be completed to ensure that all schools are on the same level of compliance and are closer to be fully compliant and can evidence this. As such, the Schools Data Protection Officer is able to provide reasonable assurance with regard to schools’ compliance with data protection requirements.

.

In considering the report the Committee noted the following –

·         That most but not all schools have adopted the key data protection policies and are monitoring their compliance with individual policies. The Committee wanted to know what the arrangements were for ensuring that all schools adopt the policies.

The Committee was advised that a data compliance management system is in place whereby the policies adopted by schools are formally recorded. The Schools Data Protection Officer also meets regularly with schools to oversee compliance. Based on the audit visits to schools it can be confirmed informally that most schools have adopted the policies as required and that of those schools that have not as yet reached that point, most are in the process of doing so with some about to submit the final policy documents for adoption by their governing bodies.

·         Accepting that there are many demands on schools, the Committee sought assurance about the arrangements for monitoring and evidencing compliance with data protection requirements in practice on a day-to-day basis as well as the questions elected members in their role as school governors should be asking of schools to ensure that they are complying with data protection legislation and that compliance is evidenced.

The Committee was advised that schools have been provided with a Data Protection Policies Checklist document to support them with monitoring compliance with key actions within individual data protection policies and are expected to use the document as a monitoring tool. The Schools Data Protection Officer will be reviewing the use schools have been making of the Data Protection Policies Checklist during the 2024 audit visits. Likewise a guidance document for school governors has been prepared to help them to understand how to monitor and review compliance. Whilst data protection is one aspect of school life, it is an important one and the Schools Data Protection Officer endeavours to ensure that data protection and the obligations attached to it remain at the forefront of schools’ business. Schools continue to seek advice and guidance on data protection issues from the Schools Data Protection Officer.

·      Whether the key dates for schools to action the tasks in the Schools Data Protection Strategy for 2023-24 are attainable

The Committee was advised that although some actions may not be fully completed by the due date, many are of an ongoing nature and are evolving as more information and programmes are issued meaning that some target dates will need to be reviewed. Most key actions are in progress with the next significant step being to ensure that each individual school has a Record of Processing Activities (ROPA) and to this end a pre-populated ROPA template for primary and secondary schools has been created which schools can adapt to their individual needs.

·      Whether in terms of assurance status, there are individual schools in different categories and at different stages of progress and whether all schools are on track to complete the requirements and become fully compliant.

The Committee was advised that the schools are generally at the same level of achievement and are working to an agreed development plan. Although a few schools may be more advanced in the work than others, the reasonable assurance opinion applies to most and none are a cause of any significant concerns. The annual audit visits are conducted to review progress and compliance. Whilst all schools are currently working towards becoming fully compliant, the day-to-day information management practices within schools have progressed over the last year.

It was resolved –

·      To accept the Schools Data Protection Officer’s report and statement and

·      To endorse the Schools Data Protection Officer’s proposed next steps – the Schools Data Protection Plan – in order to enable schools to fully operate in accordance with data protection requirements.

Additional Action: Schools Data Protection Officer to circulate a copy of the Data Protection Guidance document for school governors to all the Council’s Elected Members.