- A records audit and retention schedule to know what you have got and what to do with it
(sample spreadsheet Sample retention schedule.xlsx based on the IRMS Toolkit for Schools)
- Some record of your IT systems and how you are using them
(sample spreadsheet Sample systems spreadsheet.xlsx or you can use a commercial system like GDPRiS, or you may already have a digital asset register in your IT Support department or Bursary)
This will help you begin to comply with the ICO requirements for documentation.
- A form for staff to notify a data breach
- A flowchart for the DPO to use to take action in case of a data breach (ICO guidance and checklist here)
You should already have a process in place if you are compliant with the DPA1998 which you can adapt.
- A form for staff to complete when they want to do new data processing
- A checklist for the DPO to risk assess new processing, including the need for a DPIA
- Guidance on where to document new processing (retention schedule and systems spreadsheet)
- A form for carrying out a DPIA (available on the ICO site within the Privacy Impact Assessments Code of Practice)
Steps 2-4 can also help with auditing existing practice to ensure compliance.
Rachel Evans (Head of Digital Strategy) Alleyn’s School