Our lead article this term focuses on the General Data Protection Regulation, or GDPR, which comes into effect in May 2018. Now is the time to ensure that your School, Academy or Trust is aware of the changes in legislation and is ready to implement them.
We also talk about our recently issued terrorism advice note and lockdown procedure template, and tell you where you can get further advice for staff and students on these topics.
A short article reminding you to re-register with the HSE if your school has ionising radiation samples is then followed by safety alerts about ladders and security gates.
Lastly our regular Learning By Example section summarises three very different incidents that remind us what can happen when mistakes are made, corners are cut or procedures are not followed.
GDPR - General Data Protection Regulation
The much publicised General Data Protection Regulation comes into effect on 25th May 2018, replacing the Data Protection Act 1998. The new law has three main aims:
- To reinforce and enhance the rights of individual data subjects
- To increase the accountability of organisations that control and process personal data
- To simplify the regulatory environment
Whilst organisations that already comply with the current Data Protection Act are already well on the way to complying with GDPR, there will still be work to be done.
Some of the key changes are:
- Increased territorial scope
- Strengthening of the standard of consent
- Introduction of a positive opt-in rather than an opt-out
- Higher penalties
- Mandatory data breach notifications to be submitted within 72 hours
- Data subjects’ increased right of access, data erasure and data transfer
- Improved privacy
- Appointment of Data Protection Officers
Whilst this does seem onerous at first, the UK Information Commissioner’s Office (ICO) has produced a 12 step plan to help organisations prepare:
- Awareness: ensure decision makers and key people are aware of the regulation and understand its impact.
- Information you hold: document personal data held, where it came from and who it is shared with.
- Individuals’ rights: check procedures cover all the rights of individuals, including deleting personal data or providing data electronically and in a commonly used format.
- Communicating privacy information: review current privacy notices and develop a plan for making any necessary changes.
- Lawful basis for processing personal data: identify the lawful basis for processing activity in the GDPR, document it and update the privacy notice to explain it.
- Subject access requests: update procedures and plan how to handle requests within the new timescales and provide any information.
- Consent: review how you seek, record and manage consent and whether you need to make any changes.
- Data breaches: make sure you have procedures to detect, report and investigate a breach.
- Children: think about whether you need systems to verify individuals’ ages and obtain parental or guardian consent.
- Data Protection by Design and Data Protection Impact Assessments: examine the ICO’s code of practice on Privacy Impact Assessments and the latest guidance from the EU’s Article 29 Working Party.
- Data Protection Officers: designate someone to takeresponsibility for data protection compliance – consider whether you are required to formally designate a Data Protection Officer.
- International: if the organisation operates in more than one EU member state, determine your lead supervisory authority.
Having digested the above, your next step should be a visit to the ICO’s website. Included in the vast resources provided is a Data Protection Self Assessment (also referred to as the “Simple to use SME toolkit”). This will talk you through the specific issues you need to address in order to ensure readiness for GDPR.
Terrorism Advice For Schools And Academies
With the high profile terrorist events that have occurred over the last year in mind, we issued some guidance on school trips in May. Since then the threat may not have diminished, and we are regularly engaged in conversation with our customers to talk about lockdown procedures.
We have just issued a short template to help our customers formulate a lockdown procedure. This is a fairly simple guide that is intended to be used as a framework.
The reality is that schools and academies are more resilient than most premises. Many schools have security fencing, the front door is often locked as well, followed by a secondary door that stops unwanted persons from walking into the school. There are easier targets. However, the threat is still there and the prudent school will have a plan in place to deal with the situation should it arise.
You will probably have seen the “Run, Hide, Tell” publicity that acts as general advice for the public. There is a recently created animated video that can be downloaded from the National Police Chiefs Council along with associated lesson plans for Key Stage 3 and 4 students. These are great resources that can be used for free to spread the message to your staff and secondary school students.
Lockdown procedures need to be bespoke to the premises, so we haven’t written one for you. However, we encourage you to look at our template and see if you can use this to help you create your own lockdown procedure.
Changes to the Ionising Radiation Regulations
Regulations that control the use of radioactive materials, including those held in secondary schools, are changing from January 2018. As a result of the changes, education employers will need to re-register with the Health & Safety Executive.
The current notification cannot be carried over – a new registration is needed. This is a simple process that can be done on the HSE website.
The duty to register lies with the employer (e.g. the Academy or Trust) and will be available from the start of January, with a deadline for completion of 6th February 2018. There is a £25 fee for registration, and a £25 fee for each consent that’s needed.
Full details are available on a dedicated page of the HSE website, which you should read now and ensure that you register if you have to: