There has been much said about the new GDPR, some of it true, some exaggerated and some used simply as a scare-mongering tool.
In November 2017 the ISC started a research project in conjunction with Think IT into the reality around GDPR.
We set a number of willing schools three simple tasks to see how hard preparing for GDPR compliance really was.
- Think about and list the types of suppliers you use.
- Think about and list the types of processes you might need consent for.
- Think about who will need training and how you will document the process.
It’s all very well knowing that with all challenging projects you need to ‘eat the elephant one bite at a time’ but it’s still difficult knowing where to begin.
The GDPR is one such project, and brings with it problems not only of scale and scope, but of new legislation, conflicting advice and many, many ‘advisors’ keen to share their thoughts, mostly for a fee, or to sell their products.
At the ISC Digital Strategy Conference in November 2017, a group of school bursars, IT managers and strategists gathered to discuss the GDPR in general and the impact it will have, and in more detail, how schools might approach the essential task of data mapping. We were guided by Stuart Abrahams from Think IT whose knowledgeable and pragmatic approach was helpful.
“My own school had already begun significant work on the GDPR and I sat in the meeting feeling reassured that we were on the right track. As well as drafting policies and privacy notices, we had already begun work on a broad records survey across the whole school. As the day progressed I began to see how the data mapping would fit with this records management work, and was eager to get back to work and start this next phase of the project. I could see how these two pieces of work would not only answer the need for an organisation to understand and account for the data it holds, but might also drive the process of developing procedures which would enable a path to compliance with the new law.”
Rachel Evans – Alleyn’s School
What is certain though is that the data mapping process is a guide for so much more than straightforward compliance. It can really help your organisation’s thinking about how to turn your policies into procedures that will work.
At the heart of the GDPR are the rights of the individual, supported by the general principles. In short, as organisations we must:
- be clear about what data we collect, process and retain
- know why we have it and how we are processing it
- know where we are keeping it
- know who has access to it, and limit that where necessary
- know what we’re going to do when we’ve finished with it
- and keep it secure
Without this detailed information we can’t hope to comply with the general principles, let alone assess risk, conduct a DPIA (Data Protection Impact Assessment), answer a SAR (Subject Access Request) or manage secure deletion or destruction. It doesn’t matter whether the data is on paper or a digital system, this detailed knowledge is essential. And of course, it needs to be evidenced.
I think schools are already well-placed to meet these requirements. Schools already have lots of systems and procedures in place. You are used to rules and hierarchies, and usually have excellent institutional memory. You can tap into that school culture to make this knowledge explicit in order to evidence compliance and guide future practice around data protection.
You need to reassure staff that this is not an impossible task or an alien and unnecessary concept.
Last year we’d formed a committee for oversight and decisions on GDPR matters. We then brought together a core group of four people with appropriate skills and knowledge (from the Bursary, IT and Archives in our case). We looked for a combination of seniority, excellent institutional knowledge, super administrative skills and some specialist knowledge if possible.
We already had our records survey and retention schedules in progress. We use a spreadsheet which is a combination of the Information & Records Management Society Toolkit for Schools and the document/data discovery forms devised by our legal advisors. We’re fortunate that our School Archivist could advise us too.
Here’s how we did it.
- Divided the organisation into departments (e.g. Administration, Headmaster’s Office, Academic Departments, University Guidance, Events Management etc.) using existing organisational charts and knowledge.
- Decided where one group could stand for the whole – e.g. one tutor representing all tutors.
- Invited suitable individuals from each department or representative group to complete the survey. We looked for seniority, length of service, precision and clarity of thought.
- Sent out the blank records survey spreadsheet with a short document explaining its purpose to a group – about 5 at a time. We asked them to think about all records, whether or not they thought they contained personal data.
- Met with those individuals either in small groups or 1:1 to talk through the project. In some cases, we helped them complete the survey.
- Each spreadsheet was added to our shared Office 365 workbook as it was completed.
- The core group met weekly to go through the completed records surveys. We:
  - noted the accuracy of the department’s understanding of whether the records contained personal and/or sensitive personal data.
  - checked beliefs and practice about retaining data, and set new retention periods in accordance with our legal advice where necessary.
  - looked for connections between departments and started identifying where the primary source of the record is held (e.g. every academic department will have public exam results, but the primary copies of this data are on the pupil record and with the Deputy Head Academic.)
  - followed up anything that was unclear.
This process allowed us to start engaging staff in the detail required for GDPR and conversations about what it would mean for the school. We developed a thorough understanding of what data was being used across the whole school. We hope that these good, open conversations will help when we come to implement new policies and procedures.
A sample records survey retention schedule page
Once we have finished the survey we can gather all the information into a single worksheet and look for –
1. Duplication – are two people using and keeping the same information in different places? We can choose the primary record and ensure that retention periods are correct.
2. Inconsistency – are we treating similar information in the same way throughout the school?
3. Sharing – who has access to information and how is it passed on within and outside school?
4. Location – do we know the whereabouts of all paper records? We can ensure that we do.
We will then have a pretty robust document that shows what data we collect, process and retain, why we have it and how we are processing it, who has access to it and what we’re going to do when we’ve finished with it.
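As an added example (not part of the original post, nor the school’s own spreadsheet), the four checks above run in Python over a constructed sample of consolidated records survey rows; the departments, records, locations, retention periods and sharing partners are made up, and the column names are assumptions.

```python
from collections import defaultdict
# Constructed sample rows from a consolidated records survey worksheet (made-up data, not a real school's).
SURVEY = [
    {"dept": "Deputy Head Academic", "record": "Public exam results", "medium": "digital",
     "location": "MIS", "retain_years": 7, "primary": True, "shared_with": ["Exam boards"]},
    {"dept": "Maths", "record": "Public exam results", "medium": "digital",
     "location": "Departmental drive", "retain_years": 1, "primary": False, "shared_with": []},
    {"dept": "History", "record": "Public exam results", "medium": "paper",
     "location": "Office filing cabinet", "retain_years": 25, "primary": False, "shared_with": []},
    {"dept": "Bursary", "record": "Payroll", "medium": "digital",
     "location": "HR system", "retain_years": 6, "primary": True, "shared_with": ["HMRC", "Bank"]},
    {"dept": "Events", "record": "Theatre bookings", "medium": "digital",
     "location": "Cloud ticketing", "retain_years": 2, "primary": False, "shared_with": ["Ticketing supplier"]},
]

def group_by_record(rows):
    """Group survey rows by record type so each check compares every holder of the same record."""
    groups = defaultdict(list)
    for row in rows:
        groups[row["record"]].append(row)
    return groups

def duplication(rows):
    """1. Duplication: record types kept by more than one department, with where each copy lives."""
    return {rec: sorted((r["dept"], r["location"]) for r in grp)
            for rec, grp in group_by_record(rows).items() if len(grp) > 1}

def inconsistency(rows):
    """2. Inconsistency: record types retained for different periods in different places."""
    return {rec: sorted({r["retain_years"] for r in grp})
            for rec, grp in group_by_record(rows).items()
            if len({r["retain_years"] for r in grp}) > 1}

def sharing(rows):
    """3. Sharing: every outside party a record type is passed to, so each can be checked."""
    return {rec: sorted({p for r in grp for p in r["shared_with"]})
            for rec, grp in group_by_record(rows).items() if any(r["shared_with"] for r in grp)}

def paper_locations(rows):
    """4. Location: paper records whose physical whereabouts the school must be able to state."""
    return sorted((r["dept"], r["record"], r["location"]) for r in rows if r["medium"] == "paper")

def without_primary(rows):
    """Record types where no holder is marked as the primary copy, so one still has to be chosen."""
    return sorted(rec for rec, grp in group_by_record(rows).items() if not any(r["primary"] for r in grp))

if __name__ == "__main__":
    for check in (duplication, inconsistency, sharing, paper_locations, without_primary):
        print(check.__doc__.split(":")[0], "->", check(SURVEY))
```

Running it on the sample flags the exam results held in three places with three different retention periods, one of them on paper, and the theatre bookings with no primary copy chosen yet.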
While two of our core group worked on the records survey, I began on the first stages of data mapping. We had done some work in the previous year about communication channels within the school, and this made a sound basis for the data mapping.
I already had a series of Visio diagrams of all the digital systems we used for staff, pupils and parents showing how they were accessed and the connections between them.
One of our diagrams showing school systems data and access
I extracted the list of systems to a spreadsheet and began adding all other IT systems in use that might contain personal data. In our large school with its extensive development and alumni, outreach, community use and private hire programmes, this list encompassed not only our MIS and similar pupil focussed systems, but theatre ticket booking, alumni records and more.
I now knew where the data was, and started adding the kind of detail that will help us shape procedure and assess risks.
- Who provides the system?
- What is our contract with them?
- Is the data in the cloud or stored on-site?
- Who can access the system and how do they log in?
- Whose data does the system contain?
I shared the worksheet with colleagues in the relevant departments and asked them to check and amend the information. We emailed all staff and asked them to tell us about any digital systems they were using that were outside our mainstream list. Had the languages department signed all the pupils up to an online textbook service? What about UCAS? We started putting together a really comprehensive picture of where our data is stored, where it is going, and who is using it.
The MIS tends to be the key system; however, another school taking part in the research project went through a similar process to discover who they share data with. They intentionally excluded their MIS system as well as all services that integrate with or extract data from it. They concentrated on providing a list of other, less obvious organisations they share sensitive data with, being:
- HMRC via tax issues
- Local authorities etc via attachments of earnings
- Teacher Pension Agency
- Stakeholder pension provider
- Life assurance provider
- Bank for payroll purposes
- Medical insurance provider
- Legal advisors
- Auditors and professional advisors
- Local media outlets
- Facebook/Twitter for profile raising/marketing
- Alumni society
- Parent Associations
- Atlantic Data for purposes of getting DBS checks
- Trip organisers, particularly residential trips
- Taxi companies taking pupils to and from airports
- Marketing software suppliers such as MailChimp
- Alumni database provider
Sample table listing supplier details
The detailed information feeds into the development of procedure – tasks and processes – that the school can then communicate to staff and use every day.
Working in this way recognises that compliance is a pathway and is not something to be ‘achieved’ and then put to one side. These two documents should become part of the working life of the school, constantly referred to, updated and probably augmented once the GDPR is in force and the ICO finalise their guidance for schools and children’s data.
This diagram shows just some of the issues, ideas, procedures and compliance points raised by the records survey and data mapping exercise.
Here are some examples of the procedures we’ve identified as being a high priority.
- How to use the retention schedule to find out what to do with files once they are no longer needed?
- What to do if we receive a SAR?
- How to record or report a data breach and what to do once that has happened?
- How to risk assess using a new system which stores personal data, or sharing with a third party.
- How to know when we need to carry out a DPIA?
All these concepts are within the GDPR and the ICO’s guidance, but the data mapping process makes it all clearer and provides a starting point for structuring forms and processes.
You may start off with some simple paper forms. This is a low-tech, quick start to the project which will be readily accessible to all colleagues. It requires minimal setup and uses technology familiar to all and easy to use (paper and a pen!).
It’s not a long-term solution, but it will get you started.
One area that is causing confusion is understanding what you need consent for, and under what legal basis you don’t. The recommendation is not to ask for consent unless you have to. The legal basis for processing personal data can be any of the following (only the first requires specific consent):
1. Consent has been given for the processing
2. Necessary for the performance of a contract with the data subject
3. Necessary for compliance with a legal obligation
4. Necessary to protect the vital interests of a data subject or another person
5. Necessary to carry out tasks in the public interest
6. Necessary for the purposes of legitimate interests pursued by the data controller or a third party
State funded schools might argue that it could be numbers 4 or 5, whilst those in the independent sector might use number 2 – a contract with the parent or guardian to educate the learner.
We asked schools to think about what they might need to seek consent for.
Rendcomb College provided this useful feedback:
- Sharing of details between us and alumni body/parents associations
- For staff, sharing with life assurance, pension companies and professional advisors (presuming that legal bases such as HMRC etc. we don’t need consent for)
- Sharing medical information with the local doctor’s surgery?
- Consent for media use – all media use, or just large scale public places?
- Undertaking DBS checks
- Direct marketing of any kind
- Any biometric data (library, catering etc)
- Anything that does not fit into the ‘fundamental to the running of the school’ category – so for example we wouldn’t ask for consent to take a photo of a child to be on the school’s internal MIS as we need this for identification purposes. However we would ask for consent for a child’s image to be used on the school website front page as the main marketing image.
There’s plenty of work to do around GDPR and this post focuses on some narrow, but key areas. However, doing this work ensures that the organisation develops a really clear understanding of how it is processing data which will lead, I believe, to a much more embedded, sustainable, compliant set of procedures to take us through the early years of GDPR.
Stuart Abrahams (Director) Think IT
With thanks and input from:
Rachel Evans (Head of Digital Strategy), Alleyn’s School, London
Ian Phillips (Assistant Head ~ Director of ICT), Haberdashers’ Boys’ School
Eleanor Sharman (Bursar) Rendcomb College