Apr 17
LA/ Schools E-Circular 13 Monday 23 April 2018

Please note: the Local Authority has not undertaken any quality assurance checks on items relating to goods, services and training events submitted by external organisations in this section.  

If you have any problems opening the links please contact
diane.hunter@halton.gov.uk
CONTENTS 
  • General Data Protection Regulation (GDPR) – Information Asset Register
  • General Data Protection Regulation - GDPR – Data Protection Impact Assessments - DPIAs
  • GDPR tool kit for schools
  • Accent Music Education Hub
 
General Data Protection Regulation (GDPR) – Information Asset Register

Applies to: All Schools

One of the requirements of GDPR is for all organisations, including schools, to undertake a data review and produce an Information Asset Register.

The amount of information schools hold is increasing and if you do not understand your information you cannot fully protect and exploit it. There is a practical process that schools need to follow so that you can understand, assess and document your information and make sure that it supports your business appropriately.

Developing an Information Asset Register (also called conducting an Information review or information inventory) is a useful tool for all schools and can be used for many objectives:

 • to plan the implementation of information security across all information assets.

 • to identify critical systems for disaster recovery and business continuity

 • for risk analysis

 • to identify information management strategy priorities.

Developing this understanding will enable the school to effectively manage its information assets through change.

The new General Data Protection Regulation, which will come into force on 25th May 2018, requires that schools have an Information Asset Register in place.

The value of an IAR

An IAR is a key tool for fully exploiting an organisation's assets – it helps identify areas of duplication and encourages greater efficiency. It can be used to spot areas of potential risk – e.g. loss of personal data. By understanding the nature of your information and where it's held, you can mitigate these risks more easily.

Creating an IAR

You start by listing all of the information assets that contain personal data that you can think of, noting down what each one does and where it's kept.

Identifying key assets

You need to think about what would happen if you lost the availability of each of the assets in your list. If the consequences are severe – e.g. the school couldn't function without it – this means it's a key asset. These are critical to your organisation but don't always contain the most sensitive information. You need to include key assets as a column on your IAR so they can be identified quickly.

Describing assets

There are a number of useful fields which should be recorded on your IAR – e.g. how long assets should be retained, who can access them and whether they contain personal data. A template is available on the schools guidance intranet page.

Assets can be described and managed at a system level if the information contained within the system is the same – e.g. SIMS database. If the systems contain various types of information with different values, risks and sensitivities, each should be noted as a separate information asset.

Identify owners of the information asset

Each asset should have an Information Asset Owner (IAO) – in the main this could potentially be the Headteacher or the Bursar/Office Manager. This is the individual responsible for ensuring that the risks to, and the opportunities for, the asset are monitored. The IAO doesn't need to be the creator or the primary user of the asset, but they must understand its value to the school.

Maintaining and updating the IAR

Keeping your IAR simple is very important. It should be reviewed at least once a year, but ideally IAOs should review the assets they are responsible for every six months to keep the IAR relevant.

Many thanks

Peter Richmond

 

General Data Protection Regulation - GDPR – Data Protection Impact Assessments - DPIAs

Applies to: All Schools

Dear Headteacher

Under the General Data Protection Regulation 2018, it will be mandatory for schools to conduct a Data Protection Impact Assessment (DPIA) for high risk processing of personal data, i.e. when schools are undertaking a new way of using person identifiable data, installing a new system or using new technology. The school has a duty to consider the impact of the changes they make as an organisation and their impact on the people whose data they are using. This could be members of staff, service users or the general public.

A Data Privacy Impact Assessment form must be completed at the earliest possible stage of a project so that it can shape the project from the very beginning. This is part of a Data Protection by Design approach which means that all school projects have to bear privacy in mind.

Projects which may require DPIAs include, but are not limited to:

  • a new IT system for storing and accessing personal data;
  • a data sharing initiative between two or more organisations pooling/linking sets of data;
  • a proposal to identify people in a particular group or demographic and initiate a course of action;
  • using existing data for a new or unexpected/objectionable or more intrusive purpose;
  • a new surveillance system (especially one which monitors members of the public);
  • a new database which consolidates information held by separate parts of an organisation (hub);
  • legislation, policy or strategies which will impact on privacy through collecting information, surveillance or other monitoring.

When any of the above apply, schools should carry out a review and complete the Impact Assessment Form provided by the authority to help schools. The PIA form is available on the schools guidance intranet page.

 

By completing the DPIA form, schools can help to shape projects in the early stages to make sure they comply with data protection and that you do not need to make changes at the last minute, later on in the project, when they could be more expensive or time consuming.

Keep a record of all PIAs carried out. Where you cannot mitigate any risks identified in a PIA, the ICO should be consulted. Refer to the ICO's guidance/checklist.

Peter Richmond

 

GDPR tool kit for schools

Applies to: All Schools

Dear Headteacher

The DfE have just released a GDPR tool kit for schools.

The DfE have advised that to prepare for the General Data Protection Regulation (GDPR) coming into force in May 2018 all organisations handling personal data, including schools, need to have the right governance measures. This guidance will help schools develop policies and processes for data management, from collecting and handling the data through to the ability to respond quickly and appropriately to data breaches.

https://www.gov.uk/government/publications/data-protection-toolkit-for-schools?utm_source=ef59d902-90f3-4dfc-a1d3-114c4fc7fad9&utm_medium=email&utm_campaign=govuk-notifications&utm_content=immediate

 Peter Richmond

 

External Item

Accent Music Education Hub

Please see the link below.

http://www.myschoolservices.co.uk/Article/55839

Shop with Accent Music Education Hub using the link and we will receive a 5% donation from Normans which will be used to support performance and events. Have a browse and shop now:

http://www.accentmusiceducationhub.co.uk/shop

Abigail Boak
Administrator and Events Coordinator
Accent Music Education Hub
East Annexe
Town Hall
Sankey Street
Warrington
WA1 1UH
Tel: 01925 442097

 

 

 

 
