GDPR for schools

legislation-3231548_640GDPR is now in effect.   As such I thought I would share some thoughts and advice on how schools might tackle some common issues which might arise.



The issue with USB, or other removal storage device, use in schools is that they are easily lost or stolen, plus even when data is deleted it may be possible to recover it.    In a time now passed, USBs were a near essential piece of kit in allowing sharing of data, lesson materials, etc, however now we have Office 365 and the G-Suite for education there is no need.    Using OneDrive or GoogleDrive users can now easily share files all within the confines of the schools IT systems and control.  As such my prevailing advice would be to include reference to avoiding USBs use for personal data in your Acceptable Usage Policy and in awareness or cyber security training.  I stop short of preventing USB use simply because some resources are still provided on USBs and they are still so very common.    They also continue to be useful for sharing images or video footage or for other large files.

Personal devicesmusic-playlist-2

Before discussing personal devices of staff I think we need to be clear on what constitutes using a personal device for school purposes.   As far as I am concerned, simply setting up email on your phone constitutes its use for school purposes as it will store your emails and any included school data.    Some, at this point, would suggest personal devices should be banned however I think this is a little heavy handed.   The benefits of staff having their email on their phone are huge.   Banning personal devices also totally removes the potential benefits associated with a BYOD (Bring Your Own Device) environment including the personalisation benefits which arise where the device belongs to the user and therefore is set up by them to meet their needs and preferences.    My approach again, like with USBs, is to ensure coverage of personal device use is included in the schools Acceptable Usage Policy plus ensure it is also covered in any training provided to staff.     I would also make sure the appropriate policies indicate a need to ensure personal devices have appropriate security such as device encryption plus passcodes, passwords or biometrics enabled.    There should also be a requirement for staff to report a lost or stolen personal device where it was setup or used to access school data or systems.


I have discussed photography before; you have read the post here.    It continues to be a concern.   The issue for me is that we all now carry a camera with us in our smart phones so it is easy for us to capture images for sharing via social media, email, etc.    There are lots of benefits in this, particularly the potential to capture impromptu photos which can be used in teaching and learning.    Schools need to provide some guidance on what is acceptable around the taking of and using of photographs.  This could be contained in the acceptable Use Policy or in a separate Photography policy.    Where staff use their own phones for taking photos this should be covered by the use of Personal device in the AUP as mentioned above.

Third Party sites

This is most likely the biggest area of concern as far as I see it.   Schools must know where they are sharing data so a process must exist to ensure that any sharing of student data is logged.   Schools must also ensure that the sites to which data is shared are secure.    Generally this will take the form of a review of the sites privacy or data protection policies to ensure key points in relation to security and sharing of data are covered.    Thankfully in most cases the sharing of data will be limited to a pupil’s school email address and name for the purposes of providing them an account to login to a particular service.   As such the risk associated with a breach is low and therefore a simple check of the services policies should suffice.    Records of these checks should be retained.    Where more data is being shared, such as date of birth, age, SEN info, etc, more questions should be asked of a service including if they carry out penetration testing and/or external auditing around their security, what their breach notification policy is, etc.

There a couple of third parties which all schools are likely to have to share with such as examination boards, local authorities or councils, social services, etc.     For these I think consideration should be given as to how data is shared making sure student details are not emailed unencrypted to such bodies.    Where possible an online portal provided by the body should be used and where this doesn’t exist an encrypted email service such as Egress might be considered.    I think schools should also review the data protection policies or privacy notices of these bodies, as they would do for third party websites using in lessons, just to show that they have done some due diligence.

Risk Assessment

I think a very important activity for a school to undertake is a risk assessment.   This should indicate the risks that are perceived and also any mitigation which has been taken, or may be taken in future.    Having a risk assessment in place, which is regularly reviewed and updated, can go some way to show that the schools is aware of risks in relation to IT and school data and is actively seeking to minimize risk where it exists.   This helps to prove “privacy by design”.


There is now single blueprint for being GDPR compliant.  It depends very much on the school and its processes.   The key for schools is to able to show that every reasonable measure is being taken and that decisions around risk associated with data processing or sharing are carefully thought through with evidence retained of the decision making process.

GDPR should not be a panic activity to try and get things “right”.   GDPR is an ongoing process showing a focus on data privacy and security at the heart of a schools operation.    All schools need to show not just how they “have” complied with GDPR but how they will continue to ensure GDPR compliance and treat the data of their students and other stakeholders with the utmost care.


May reflections

It has been a few months since I last wrote a reflections post.   As such I thought it was about time I once again put things in writing for review by my future self.   In reviewing how things are going, I am going to make use of the titles from my pledges post to structure my thoughts.

Family Memories

It is apt that I write this reflection this week now the weather has been nice although I note that the current bank holiday weekend sees the predictable rain.   Last weekend, when it wasn’t raining, I spent time with the youngest playing football at the local football park.   A nice way to spend the day however am not as happy with the sunburn I ended up with.

Going forward we have also decided to book a family holiday.   It has been a number of years since we last did a family holiday so it is about time.  I am already looking forward to it as surely this will generate a whole range of family memories.

Professional Development (PD)

I think professional development is something which I am progressing well with.   On the IT side of things in particular this is driven by my CISSP and CISA certifications which both require a yearly amount of CPE (continual professional education) hours.   As such I am having to make sure that I get involved in some PD each month in order to meet the annual target and maintain the 2 certifications.

I have now decided to undertake a third certification in the ISACA’s Certified in Risk and Information Systems Control certification.   After some indecision I finally decided to move forward with this certification given my view that GDPR is best addressed through a risk based approach.   As such a certification which focussed on risk management seems like a logical choice.

I also continue to experiment and try new things including further developing my PowerBI skills, playing with a new MS Surface device on loan from Microsoft and also trying out new apps such as Microsoft Whiteboard.


For those who may have read some of my past posts a need to work on fitness has been a long standing item; A long standing item but with very meagre, if any progress.   In the last couple of weeks I may have finally made some progress.    Basically I have started with getting up earlier on most mornings, and going for a 30min brisk walk.    The picture is from one such walk.   This is on top of my walk across campus each morning.  Looking at the data from my Fitbit device this change has meant that my average distance walked per day is steadily increasing as is my calories burned.    I have so far managed this for only three weeks so my challenge going forward is to turn the progress made into a sustained habit.    I suspect my next reflection blog will be telling as to my success or failure in this area.


I continue to be ahead of my book per month target for the year.   My hope is that the summer weather will make this something I can make significant progress in however I do note that my bookshelf is now lacking in books yet to read, so I will need to restock it at some point in the month ahead.


I have made a reasonable habit of journaling now such that I am writing a weekly log of my thoughts and also the events of the week.    The habit is still relatively new so in some weeks I write on a Friday, on others a Saturday and occasionally on a Monday.    I need to ensure I keep journaling and I suspect I would benefit from being able to be consistent with when I do my journaling.


The one thing I will say is that time seems to be rushing by.   We are now in the final term of the year and it feels like it has come around in a flash.   I feel things have been going well however it may be worth reflecting at the end of the academic year as to what has or has not been achieved.

May has seen a few tasks where I have had to overcome difficulties or obstacles.   This has been very frustrating at times however perseverance has brought about progress albeit slower than I would have liked.    The key thing I note is that the obstacles and frustrations come quickly to mind.  I need to take care that these predominant memories do not distort my perception of events.   There were some key wins and progress was made; this is the key factor.

I recently, also, conducted a little leadership survey.   I originally conducted a survey two years ago, after being in post for around 6 months.   It has been interesting to compare the results from them with now, 2 years further on.   The results show a slight positive improvement which is good however more important is the identification of a couple of areas to examine to try and bring about improvement.

As I reach half term I feel I have a large number of tasks which need to be addressed over the half term.  This has left me feeling a little overwhelmed at times.   I think the last week of May, the half term break, will be an opportunity to stop and reflect and re-establish which tasks truly are important and need to be prioritised as well as those tasks which either need to be delegated on simply not undertaken.


May has come and gone quickly as seems to be the way of things for a while now.   I feel I continue to make progress and after much procrastination, I am particularly pleased with my progress on personal fitness.   I feel that as I move towards the end of the 2017/18 academic year I need to re-establish that which is truly important particularly in my work, focusing on these areas.   I wonder if the reason that time seems to be passing so quickly is simply due to not prioritising.   May has seen some frustrations, some difficulties but ultimately seen positive progress.

Onwards and upwards……….

Am I checking my phone too often?

Checky-ReviewA couple of weeks ago I installed an app called Checky on both my Android tablet and my Android phone.   The reason for installing the app was to try to get a handle on how often I checked my devices during the day.   I had a sense that I was possibly checking my devices too often and that as a result I was less focused than I could be, however I was also conscious of the fact that this might be simply an incorrect perception without grounding in reality.   The only way to determine whether my sense of over checking my devices was true was to gather some quantitative data and this is where Checky comes in.    The app is simple – It just logs the number of times you access your device, reporting this daily.

The results;  Well over the last couple of weeks the combined totals from the apps across both the mobile devices I use, a phone and a tablet, suggest I access my mobile devices on average 34 times a day.    This represents checking my devices almost every 28 minutes if we assume 8 hours of sleep per day and therefore only 16 possible hours each day when I could access my device.

Taken in the context of the piece in the Independent (Barr, S. 2017) in relation to the average Brit who  accesses their devices 28 times per day, my personal access over the last couple of weeks of 34 times seems a little high.    It is certainly nothing compared to some teens who apparently check social media 100 times per day (Wallace, K, CNN, 2015).   That said, I cannot see why I should need to be accessing my devices every 28 minutes.

On reflection I must acknowledge that I have slightly different apps sets across both devices.   This may lead me to check both devices at the same time which could be doubling up my statistics.    This is something I may need to look at, either having the same apps on both devices, or having clears sets of apps on each devices, thereby avoiding the need to check each device separately throughout the day.  This may reduce the time taken when I have the urge to check my various apps, as I would only need to check a single device.   I also note that recently I have taken to exercising in the morning which involves using my phone for music as I run, making changes to my music as I go and also reviewing my distance traveled, etc, which all require me to access my phone.   Another factor is I use a tablet device in meetings and in my general work day which again would show up in my access statistics.

I have also put the data into Excel and looked at my usage by day.   It turns out my greatest usage is on a Sunday, then on a Friday and Saturday respectively.    For me this is a little concerning as shouldn’t I be focusing on enjoying the weekend as opposed to checking my devices on a Saturday or Sunday.   I quite often engage in twitter chats on both Saturday and Sunday which may account for some of the statistics.  The question is: Is this the best use of my weekend?

I think the key thing I draw from the activity of gathering some data on my access habits is one simply of conscious awareness.  All too often people are using their devices but not conscious of the frequency or time spent.   They are not conscious of the impact it may be having within their lives.   They do not see how much of their day is spent on social media consumption.    We easily succumb to social media and our mobile devices stealing away valuable time which could be better spent on other activities.    I at least had a feeling that something was wrong and have now gathered data which I can now use to decide on actions and then measure the success of any actions I may take.

Maybe this is something we should all be doing with students in our classrooms?   Ask them to install Checky for a period of time and record their device usage, followed by reviewing it after a couple of weeks as a class activity.   I am sure this would make for some very interesting discussions.