Applies to: All Schools
One of the requirements of GDPR is for all organisations, including schools, to undertake a data review and produce an Information Asset Register.
The amount of information schools hold is increasing, and if you do not understand your information you cannot fully protect and exploit it. There is a practical process that schools need to follow so that you can understand, assess and document your information and make sure that it supports your business appropriately.
Developing an Information Asset Register (also called conducting an Information review or information inventory) is a useful tool for all schools and can be used for many objectives:
• to plan the implementation of information security across all information assets;
• to identify critical systems for disaster recovery and business continuity;
• for risk analysis;
• to identify information management strategy priorities.
Developing this understanding will enable the school to effectively manage its information assets through change.
The new General Data Protection Regulation, which will come into force on 25th May 2018, requires schools to have an Information Asset Register in place.
The value of an IAR
An IAR is a key tool for fully exploiting an organisation's assets – it helps identify areas of duplication and encourages greater efficiency. It can be used to spot areas of potential risk – e.g. loss of personal data. By understanding the nature of your information and where it's held, you can mitigate these risks more easily.
Creating an IAR
You start by listing all of the information assets that contain personal data that you can think of, noting down what each one does and where it's kept.
Identifying key assets
You need to think about what would happen if you lost the availability of each of the assets in your list. If the consequences are severe – e.g. the school couldn't function without it – this means it's a key asset. Key assets are critical to your organisation but don't always contain the most sensitive information. You need to include key assets as a column on your IAR so they can be identified quickly.
Describing assets
There are a number of useful fields which should be recorded on your IAR – e.g. how long assets should be retained, who can access them and whether they contain personal data. A template is available on the schools guidance intranet page.
Assets can be described and managed at a system level if the information contained within the system is the same – e.g. SIMS database. If the systems contain various types of information with different values, risks and sensitivities, each should be noted as a separate information asset.
Identify owners of the information asset
Each asset should have an Information Asset Owner (IAO) – in the main this could potentially be the Headteacher or the Bursar/Office Manager. This is the individual responsible for ensuring that the risks to, and the opportunities for, the asset are monitored. The IAO doesn't need to be the creator or the primary user of the asset, but they must understand its value to the school.
Maintaining and updating the IAR
Keeping your IAR simple is very important. It should be reviewed at least once a year, but ideally IAOs should review the assets they are responsible for every six months to keep the IAR relevant.
Many thanks
Peter Richmond
General Data Protection Regulation - GDPR – Data Protection Impact Assessments - DPIAs
Applies to: All Schools
Dear Headteacher
Under the General Data Protection Regulation 2018, it will be mandatory for schools to conduct a Data Protection Impact Assessment (DPIA) for high-risk processing of personal data, i.e. when schools are undertaking a new way of using person-identifiable data, installing a new system or using new technology. The school has a duty to consider the impact of the changes they make as an organisation and their impact on the people whose data they are using. This could be members of staff, service users or the general public.
A Data Privacy Impact Assessment form must be completed at the earliest possible stage of a project so that it can shape the project from the very beginning. This is part of a Data Protection by Design approach which means that all school projects have to bear privacy in mind.
Projects which may require DPIAs include, but are not limited to:
- a new IT system for storing and accessing personal data;
- a data sharing initiative between two or more organisations pooling/linking sets of data;
- a proposal to identify people in a particular group or demographic and initiate a course of action;
- using existing data for a new or unexpected/objectionable or more intrusive purpose;
- a new surveillance system (especially one which monitors members of the public);
- a new database which consolidates information held by separate parts of an organisation (hub);
- legislation, policy or strategies which will impact on privacy through collecting information, surveillance or other monitoring.
When any of the above apply, schools should carry out a review and complete the Impact Assessment Form provided by the authority to help schools. The PIA form is available on the schools guidance intranet page.
By completing the DPIA form, schools can help to shape projects in the early stages to make sure they comply with data protection and that you do not need to make changes at the last minute, when they could be more expensive or time-consuming.
Keep a record of all PIAs carried out. Where you cannot mitigate any risks identified in a PIA, the ICO should be consulted. Refer to the ICO's guidance/checklist.
Peter Richmond
GDPR tool kit for schools
Applies to: All Schools
Dear Headteacher
The DfE have just released a GDPR tool kit for schools.
The DfE have advised that to prepare for the General Data Protection Regulation (GDPR) coming into force in May 2018 all organisations handling personal data, including schools, need to have the right governance measures. This guidance will help schools develop policies and processes for data management, from collecting and handling the data through to the ability to respond quickly and appropriately to data breaches.
https://www.gov.uk/government/publications/data-protection-toolkit-for-schools?utm_source=ef59d902-90f3-4dfc-a1d3-114c4fc7fad9&utm_medium=email&utm_campaign=govuk-notifications&utm_content=immediate
Peter Richmond
External Item
Accent Music Education Hub
Please see the link below:
http://www.myschoolservices.co.uk/Article/55839
Shop with Accent Music Education Hub using the link and we will receive a 5% donation from Normans, which will be used to support performance and events. Have a browse and shop now:
http://www.accentmusiceducationhub.co.uk/shop
Abigail Boak
Administrator and Events Coordinator
Accent Music Education Hub
East Annexe
Town Hall
Sankey Street
Warrington
WA1 1UH
Tel: 01925 442097