What Has Your School Done for GDPR?

26 replies

Icequeen01 · 19/09/2018 22:55

I am becoming increasingly anxious about the fact that I have had no guidance on what needs to be done to be GDPR compliant in our school. I have raised this in supervision and been told not to worry but as I am the only admin staff I feel the buck stops with me. However, I have tried reading all the information and I'm just getting more confused. If only someone would explain exactly what I need to do I will happily do it but nothing is forthcoming. Can I ask what procedures your school has put in place? I don't want to give too much away about my school but it is tiny and we have no direct contact with parents.

Gardenpicnic · 20/09/2018 17:21

Main things: ensure photo consent. If not obtained, no photo.
Changed admission form to include consent for in school eg newsletter

Gardenpicnic · 20/09/2018 17:24

...out of school eg website and national (TV/radio) all separate consent.

Shredding bags. Names removed from anything unnecessary. Ensure only those who need to see information do.

Gardenpicnic · 20/09/2018 17:25

Do you have a DPO you could ask for guidance? Ours is with the borough.

Good luck!

Auntpetunia2015 · 20/09/2018 18:16

Has the council got a central person you could ask about it? I’d say be super careful sending stuff out via email and post. Any files to other schools, put a received by sheet in with a sae so you know who got it.

Nothisispatrick · 20/09/2018 18:19

Sent out a new consent form asking for consent for photos, what we can publish in newsletter or website etc.

Making sure nothing with names is ever given out and is kept securely in the building/on computers.

Icequeen01 · 20/09/2018 20:18

Thanks so much everyone!

Unfortunately, we don't have a DPO and that's what I find so worrying as we should have one as an organisation.

Due to the nature of our school we always have photo consents signed by social workers as they have parental consent. No photos of the children go on our website and if they appear on any documents they are removed if being shared.

Funnily enough I have been clearing out some archived documents in a cupboard. There is school work from ex children going back over 10 years!! Why on earth would anyone keep it all? That's all getting shredded.

Good idea about putting in a received by sheet with a sae if forwarding on files to other schools. When sending emails with documents about the children I always password protect or use Egress.

Have any of you created data mapping and if so what format did this take? I've read a lot about this but still none the wiser about what I need to show and how to show it!

Auntpetunia2015 · 20/09/2018 21:24

You have to keep school work and records for 7 years after they have left so just check roughly when the kids left.
Data mapping would be v basic: info in from, ie, parents, social workers, school nurse, other schools; info out to parents, social workers, lea, school nurse, other schools and any outside agencies you use for tracking etc, and how it’s protected. I started ours before the summer... then retired and left it to someone else to worry about! [grin]

Auntpetunia2015 · 20/09/2018 21:30

When you do the received by sheet, I made sure to include only the child’s name and UPN so that when it came back signed I was just putting them in a file, and if anyone ever said they didn’t have them or something went wrong we could prove we’d done our bit right. I asked for signature, name in full and job title just in case.
Very early on in the gdpr process I got health records for a child not at our school. I rang the hospital to find out which school to forward them on to; it was quite common to get wrong records as a number of us started with the same word, ie Abby.... The guy at the hospital went potty and made me return them to the gdpr security officer... I hope some poor sod didn’t get into trouble! But that prompted me to make a way to know I’d not got the wrong school and be able to prove it.

xyzandabc · 20/09/2018 21:31

As we can't keep data about students for more than 7 years after they leave, we've had to shred all of the historical exam results we had. So now when people phone up asking what O-Level/CSE/GCSE/A-Level grades they got, we no longer have any record of them. You'd be surprised at how many requests we got from people in their 30s/40s/50s, and now we can't help them at all.

LarryFreakinStylinson · 20/09/2018 21:34

Well at least you’re trying. I got an email from our school a few weeks ago and instead of BCC all parents they’d CC’d them instead so I now have every single email address for parents/guardians at the school - as does everyone else 🙄

KeithLeMonde · 20/09/2018 21:38

Google DFE GDPR toolkit
Are you an academy? If not then ask your LA for support

Auntpetunia2015 · 20/09/2018 21:42

larry was that since May? That is a major major gdpr fail... as our old head used to say, “heads could roll!”

Icequeen01 · 20/09/2018 21:56

KeithLeMonde - no we are not an academy. We are a special independent school.

@Auntpetunia2015 - when you say keep all school work for 7 years do you mean all the children's exercise books etc? My own DS used to get all his school books sent home at the end of summer. Sorry if I seem ignorant. I worked for 25 years in financial services before I started this role in education. Still picking up what I can as I go along!

Auntpetunia2015 · 20/09/2018 22:07

It depends what your school keeps but I was talking more about first aid records, accident books and safeguarding issues that don’t get passed to next school because they are “closed” etc. Most schools give books back now as it saves them the hassle of disposing of them. I did that job for 15 years, feel free to pick my brain while I can still remember what I knew. I’m waiting for month end next week and the inevitable phone calls from the poor lady who took over with 3 days hand over!

Icequeen01 · 20/09/2018 22:16

Thanks so much @Auntpetunia2015 - that's really helpful. Yes we have kept Accident Books and other logs we have to keep due to the nature of our children. I also keep the children's files which have some very sensitive info and really need some guidance from our organisation as to whether we have to destroy these after 7 years. I'm desperately trying not to give too much info about my school but it may make more sense if I tell you all our children are LAC and residential.

LarryFreakinStylinson · 20/09/2018 22:20

Yep, in the last couple of months.

Auntpetunia2015 · 20/09/2018 22:21

I’d assumed as much. I would say 7 years for those files if the child hasn’t left for another establishment is fine, it takes them till they reach 18 and become adults and any statute of limitations is finished. I’m imagining it’s not a huge school so keeping them in years as they finish wouldn’t be too arduous. 1 drawer in a file cabinet, maybe two per year?

Your lea must have a gdpr main officer, every council had to appoint one. Maybe google it or ring the council main number and ask.
I think gdpr is like the Millennium bug and y2k, actually not as scary as you think as long as you are sensible and make sure you think confidentially all the time.

Icequeen01 · 20/09/2018 22:21

I also meant to say your predecessor was lucky to have 3 days handover. My predecessor had already left. There was no-one to give me a handover. Talk about hit the ground running! To be fair I've been there a couple of years now but as I'm on my own and there really isn't anyone to ask and everyone just assumes I know! I often don't get the time to research some of this stuff although as you can tell it's often on my mind!

Auntpetunia2015 · 20/09/2018 22:23

larry that is seriously bad news and a huge break of gdpr, what if one parent was separated from a violent partner but both parents still have contact with school! I hope someone said something to school about that.

Auntpetunia2015 · 20/09/2018 22:24

ice seriously if anything is bothering you ask I don’t mind. I may not be able to help but will try. X

Icequeen01 · 20/09/2018 22:29

We are a tiny school and only take children to KS3 but for various reasons our children do move on to other schools a fair bit so definitely not just a drawer full but hopefully manageable now I am clearing out 10 years of exercise books from the cupboards! Just to make things even more complicated we have no children from our own LA - all are from outside LAs!

Auntpetunia2015 · 20/09/2018 22:33

Ok so try to speak to those gdpr officers as it’s their records you’re keeping. If kids move on then send all their files with the receipt slip and sae and make their gdpr someone else’s headache!


Icequeen01 · 20/09/2018 22:33

@Auntpetunia2015 - That is so kind of you and I really will take you up on your kind offer. It is so nice to talk to someone with your experience. I looove working at the school but as all the rest of the staff are teaching staff I do sometimes feel they expect me to know the answer about everything!

biscuitmillionaire · 20/09/2018 22:48

Unfortunately, we don't have a DPO and that's what I find so worrying as we should have one as an organisation.

I doubt very much that you need a DPO. This is from wikipedia:

If processing is carried out by a public authority (except for courts or independent judicial authorities when acting in their judicial capacity), or if processing operations involve regular and systematic monitoring of data subjects on a large scale, or if processing on a large scale of special categories of data and personal data relating to criminal convictions and offences (Articles 9 and Article 10) a data protection officer (DPO)—a person with expert knowledge of data protection law and practices—must be designated to assist the controller or processor in monitoring their internal compliance with the Regulation.

There's so much fear-mongering and over-reaction regarding GDPR, it's just got ridiculous. Someone was saying that you can't have names on children's book bags because of GDPR - that's complete nonsense! For safe-guarding reasons maybe, but it's not data processing!

Auntpetunia2015 · 20/09/2018 22:48

Haha yeah. Know that feeling!
