Preparing to implement the General Data Protection Regulations

31 Dec

In Governors’ Agenda, Issue 67 – the summer term issue – we alerted you to the implications of the General Data Protection Regulations that were to come into effect on 25 May 2018.  If your governing board has not begun to address the issue, it is high time that members begin to act.

While it isn’t the function of governors to appoint a Data Protection Officer (DPO), as this is an operational matter, they should offer support and scrutiny on her/his appointment.  It is the role of the Headteacher to propose how best to appoint such a person and then take the necessary action to find a suitable person to discharge the functions of securing the data held at the school/academy.

Some schools/academies have decided to use consultancy rather than make DPO appointments.  If that is what your headteacher is proposing to do, governors should closely question her/him about the rationale and criteria for the choice.

Where the headteacher proposes to appoint an existing staff member to undertake the preparatory work, governors should ensure that this person is suitably qualified to do the job and has the time for it.

The governors should appoint one of their members to oversee the work being done in the area of data protection – for want of a better term, “a data protection champion”, who can, when formally visiting the school/academy in the course of the normal school day satisfy herself/himself that the work is being done well.

Data protection should be an item on the agenda of at least one governors’ meeting in the run-up to 25 May 2018.

Data Protection Bill

Meanwhile, the government is currently debating the Data Protection Bill in Parliament, which will become law later in 2018, replacing the Act that had been promulgated a score of years ago. It will establish the implications of the GDPR and cover areas of data processing not covered by the GDPR.

The Data Protection Bill will:

  1. make it simpler to withdraw consent for the use of personal data;
  2. allow people to ask for their personal data held by companies to be erased;
  • enable parents and guardians to give consent for their children’s data to be used;
  1. require ‘explicit’ consent to be necessary for processing sensitive personal data;
  2. expand the definition of ‘personal data’ to include IP addresses, internet cookies and DNA;
  3. update and strengthen data protection law to reflect the changing nature and scope of the digital economy;
  • make it easier and free for individuals to require an organisation to disclose the personal data it holds on them; and
  • make it easier for customers to move data between service providers.

The Information Commissioner Officer (ICO), Elizabeth Denham, has a helpline or ‘live chat’ function.  One can direct questions to the ICO by contacting her here.



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: