GDPR for schools

legislation-3231548_640GDPR is now in effect.   As such I thought I would share some thoughts and advice on how schools might tackle some common issues which might arise.



The issue with USB, or other removal storage device, use in schools is that they are easily lost or stolen, plus even when data is deleted it may be possible to recover it.    In a time now passed, USBs were a near essential piece of kit in allowing sharing of data, lesson materials, etc, however now we have Office 365 and the G-Suite for education there is no need.    Using OneDrive or GoogleDrive users can now easily share files all within the confines of the schools IT systems and control.  As such my prevailing advice would be to include reference to avoiding USBs use for personal data in your Acceptable Usage Policy and in awareness or cyber security training.  I stop short of preventing USB use simply because some resources are still provided on USBs and they are still so very common.    They also continue to be useful for sharing images or video footage or for other large files.

Personal devicesmusic-playlist-2

Before discussing personal devices of staff I think we need to be clear on what constitutes using a personal device for school purposes.   As far as I am concerned, simply setting up email on your phone constitutes its use for school purposes as it will store your emails and any included school data.    Some, at this point, would suggest personal devices should be banned however I think this is a little heavy handed.   The benefits of staff having their email on their phone are huge.   Banning personal devices also totally removes the potential benefits associated with a BYOD (Bring Your Own Device) environment including the personalisation benefits which arise where the device belongs to the user and therefore is set up by them to meet their needs and preferences.    My approach again, like with USBs, is to ensure coverage of personal device use is included in the schools Acceptable Usage Policy plus ensure it is also covered in any training provided to staff.     I would also make sure the appropriate policies indicate a need to ensure personal devices have appropriate security such as device encryption plus passcodes, passwords or biometrics enabled.    There should also be a requirement for staff to report a lost or stolen personal device where it was setup or used to access school data or systems.


I have discussed photography before; you have read the post here.    It continues to be a concern.   The issue for me is that we all now carry a camera with us in our smart phones so it is easy for us to capture images for sharing via social media, email, etc.    There are lots of benefits in this, particularly the potential to capture impromptu photos which can be used in teaching and learning.    Schools need to provide some guidance on what is acceptable around the taking of and using of photographs.  This could be contained in the acceptable Use Policy or in a separate Photography policy.    Where staff use their own phones for taking photos this should be covered by the use of Personal device in the AUP as mentioned above.

Third Party sites

This is most likely the biggest area of concern as far as I see it.   Schools must know where they are sharing data so a process must exist to ensure that any sharing of student data is logged.   Schools must also ensure that the sites to which data is shared are secure.    Generally this will take the form of a review of the sites privacy or data protection policies to ensure key points in relation to security and sharing of data are covered.    Thankfully in most cases the sharing of data will be limited to a pupil’s school email address and name for the purposes of providing them an account to login to a particular service.   As such the risk associated with a breach is low and therefore a simple check of the services policies should suffice.    Records of these checks should be retained.    Where more data is being shared, such as date of birth, age, SEN info, etc, more questions should be asked of a service including if they carry out penetration testing and/or external auditing around their security, what their breach notification policy is, etc.

There a couple of third parties which all schools are likely to have to share with such as examination boards, local authorities or councils, social services, etc.     For these I think consideration should be given as to how data is shared making sure student details are not emailed unencrypted to such bodies.    Where possible an online portal provided by the body should be used and where this doesn’t exist an encrypted email service such as Egress might be considered.    I think schools should also review the data protection policies or privacy notices of these bodies, as they would do for third party websites using in lessons, just to show that they have done some due diligence.

Risk Assessment

I think a very important activity for a school to undertake is a risk assessment.   This should indicate the risks that are perceived and also any mitigation which has been taken, or may be taken in future.    Having a risk assessment in place, which is regularly reviewed and updated, can go some way to show that the schools is aware of risks in relation to IT and school data and is actively seeking to minimize risk where it exists.   This helps to prove “privacy by design”.


There is now single blueprint for being GDPR compliant.  It depends very much on the school and its processes.   The key for schools is to able to show that every reasonable measure is being taken and that decisions around risk associated with data processing or sharing are carefully thought through with evidence retained of the decision making process.

GDPR should not be a panic activity to try and get things “right”.   GDPR is an ongoing process showing a focus on data privacy and security at the heart of a schools operation.    All schools need to show not just how they “have” complied with GDPR but how they will continue to ensure GDPR compliance and treat the data of their students and other stakeholders with the utmost care.



GDPR and photos around school

photographer-424622_640Recently a member of staff popped in to discuss how she would like to share photos of a school sporting event with the various schools which were involved.   This got me thinking about GDPR and the implications for events and photography at such events.

Firstly, let’s consider the photos themselves.   They might show groups of students involved in a sport or gathered at the start or end.   They might also include spectators who attended the event including parents or visitors to the school.   My first piece of advice here is simply to ensure that it is clear to people that photography will be taking place and that such photos may be used by the school for various purposes including newsletters and other marketing or publicity materials plus that they may be shared with other organisations involved in the event such as other schools.    This notification can either be put on programmes or event marketing materials, or can be made clear at the event itself via posters or other displays.   I believe this should be sufficient as gathering specific consent from all in attendance would be impractical plus where consent is not provided, avoiding including individuals in action event photography would be very difficult indeed.    Taking a risk based view, given that no names are attributed to the photos, and therefore individuals are not clearly identifiable I see the risk of taking photos as events to be low.   As such I see the provision of notices of the intention to take and use photos as sufficient.

Once we start identifying individuals in photos, possibly by naming them, or given that the photo is of a small group of individuals who therefore are more identifiable, then I think we would need to look to have consent or some other basis for processing the data.    Schools usually have such a permission form or other method to gather permission from parents to use photos of children in their materials.  Key here is to ensure that a permission form makes clear the purposes for which photos might be used. E.g. marketing purposes, around school for display purposes, etc.

When the staff member popped in, the issue of event photography highlighted the inaccuracy of the frequently used term “GDPR Compliance”.    The term “compliance” to me conveys a sense of a binary outcome, either we comply or we don’t.    The issues in hand when looking at GDPR are not so clear.   Does compliance mean seeking permission from every individual in a photo, including members of the public?    I would think not.    As such I continue to believe in the need to take a measured risk based view on how we manage data and on our preparations for GDPR.   Where a risk exists, we need to decide whether we accept the risk.   If we do not we must seek to mitigate the risk through permission forms and notices in the case of school photography, to the point that we are then happy to accept, either this or we stop taking photos.

GDPR continues to result in confusion and contradictions of interpretation.   We seek the way, the one way, the best way to achieve compliance yet every school is different plus interpretations and attitude to risk vary.    For me the key is simply to consider your own environment, the risks and your schools appetite for risk, and to act from there.



GDPR: Third parties and training

legislation-3231548_640As GDPR approaches I thought I would share some thoughts.   Now I must admit to not being a GDPR expect, instead the below represents my thoughts taken from the perspective of managing the prevailing risks around GDPR.

Two issues which currently occupy my thinking in relation to GDPR are managing the use of third parties which either supply software which is used in school or which provide a service where they store school data outside of the school.    Another issue which is currently at the front of my mind is the issue of awareness training and how we ensure staff are suitably informed and aware of GDPR, its implications and particularly what it means for them.

Third Party solutions

Schools may make use of third party software within the school, some of which is locally hosted and stored in the school and some are cloud hosted.

Locally hosted

Locally hosted solutions might include the school management system.    In these cases, we are relying on the third-party vendor ensuring that the software they have created has adequate security measures in place to protect any data held within it.    From a GDPR point of view schools need to show their efforts to comply and in this case, I would suggest the easiest way is to ask third party software vendors to provide details of how they have ensured the security of their product either through their policies or through independent reviews such as audits, vulnerability or penetrations testing.    Although the school is responsible for the security of the infrastructure on which the solution resides, it is the vendors responsibility to ensure the security of the platform itself, independent of where it is hosted.

Cloud hosted

Where cloud hosting is used we have the same issues as for local hosting, in that the vendor must have ensured the security of the platform, however we have the added issue of the vendor supplying the hosting and the infrastructure on which the platforms sits.  My first port of call in examining third parties is their policy documents looking specifically at any GDPR, Data protection, privacy, data privacy or information security policies they may have.    In the best cases this will address issues around security of data, sharing of data, deletion and retention of data.      In my experience, most vendors will quote the security compliance of their hosting service somewhere in their documentation or in response to questions on security.   This usually addresses physical security concerns in that the larger data centres must have tight security to comply with the relevant standards.   This still leaves a requirement to ask questions around business continuity and disaster recovery, in what processes the vendor has in place in the event of a serious incident.    It also leaves questions around ensuring the security of the network on which the service is hosted.   Like with local hosting we can address this by asking questions around any penetration testing or external auditing which has been conducted.

Breach, security incident or vulnerability notification processes are also an important thing to look for across both local and cloud hosted solutions.   If a service is handling student data it is important to know that they have a process in place for notifying service users if an incident occurs or if a vulnerability is identified plus that they have a clear timeline and method of notifying users.

Awareness Training

I think a key aspect of GDPR is making sure the overall school community is aware of the new legislation and what it means for them.   As such training is a key feature of preparations.    I know many companies and individuals are offering training ahead of the introduction of GDPR however I think it is important to establish the purpose of training.   If the purpose is simply compliance then an annual presentation to all staff will suffice as it will provide that all staff have received training.  The issue here is that staff in schools are very busy and therefore the content presented to them is unlikely to stick.   Equally an online resource in my opinion has the same limitation.   The staff will complete the materials however little will stick.    For me the key is a multi-honed approach using various delivery methods including whole school sessions, sessions where discussions and materials are disseminated to department level, broadcast communications such as email campaigns and online training materials.    An awareness of GDPR and more importantly an awareness of the risks associated with processing data needs to form part of the culture, “the way we do things around here”.


GDPR is now fast approaching and the above are just two issues out of a myriad of issues.   Not mentioned above are the implications around developing appropriate privacy notices, the issue of establishing data retention plans, dealing with subject access requests or requests for limitation of processing, handling requests to be forgotten, handling services where data is stored outside the EU and the issue of identifying the legitimate reason or justification for possessing.   The GDPR rules are complex to implement and my advice on this continues to be to take a risk based approach.   For me, currently, the two items above in third parties and awareness training, represent to of the big risks.




Schools, data protection and online services

As we make greater use of technology in our schools we make greater use of online services.   We might make use of an online communication tool to improve on communications with parents.   We might make use of Google Apps or Office 365 to allow staff and students to have cloud storage so they can access their files when away from the school or on any device.    We might engage with an online maths tutorial site so students can undertake self directed study online and further develop their maths skills.    We might make use of a site to manage trips or resource bookings within our school.    The number of online services we are using in schools is increasing and therefore we are sharing more and more data with online service vendors.

The above is important to note given the new general data protection regulations are speeding towards us.    These new regulations will come into operation in May 2018 and will put a focus on all organisations to prove that they comply.     It is therefore important that all organisations including schools get a handle on the data which they have and how it is stored and processed.     For schools part of this includes examining where third party services are being used such that the schools data is processed and/or stored by these service providers.    We need to be asking what these service providers do to ensure the security of our data.

To aid the above, the need to review third parties, and the increasing use of third party online sites, the government has created their Self Certification process for vendors to self-certify their provision in relation to data protection where they offer cloud software services for schools.    You can view this here.     The thing that worries me is that as I write this there are only 38 vendors listed which appear to have submitted a self certification.     This represents only the very very tip of the iceberg which represents the vast range of services being used by school.

We all need to push vendors to answer questions in relation to the protection of our school data.   We need to push them to self-certify and to share what they are doing.   We need to ask the difficult questions now before they are asked of us later.

Have you considered the data protection of school data on third party services lately?    It is time you did!