Not surprisingly, with term starting again and many members of school staff working at home, data protection/GDPR and home working has been a common question through my Data Protection Lead support network. In response, I wrote the following guidance for the schools I am working with and I hope that it helps you too.
The GDPR Principles
The General Data Protection Regulation (GDPR) sets out seven principles that should always underpin our approach to processing personal data. The seven principles are:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
For home working (or any remote working) the GDPR principle of integrity and confidentiality (security) is crucial. Both the personal data being used and any devices need to be kept secure, and that includes any paper records, of course.
Schools’ Existing Policies and Guidance
With many members of staff working at home currently, it is an excellent time to remind them about your school’s existing policies and guidance and what they say about safe home working practice. This is likely to be contained in your Data Protection Policy or your E-safety Policy/User Agreements.
If home working, or remote working, is not explicitly referenced, I recommend adding a paragraph to wherever your school has set out the expected working standards and practices required of staff. This paragraph should state that the same standards of working practice must be adhered to at all times when working at home, or remotely.
There is no requirement to have a separate working at home/remote working policy and procedures in place, unless you wish to.
Additional Useful Guidance
To complement or supplement your own policies and procedures, there is some information from the National Cyber Security Centre (NCSC), which I think is really useful, especially for a non-technical audience:
NCSC’s guidance on home working – although aimed at IT teams, much of the content is applicable more widely, such as the recommendations in the sections ‘Preparing your staff for home working’, ‘Helping staff to look after devices’ and ‘Removable media’.
There is also a section on spotting email scams linked to the coronavirus.
This Guidance can be accessed here.
NCSC’s free e-learning on staying safe online – a useful module which takes less than 30 minutes to complete. I highlighted it in a recent post under my News tab.
NCSC’s summary Infographics/Cards – I think these are really handy, one page, visual summaries to share with staff. There is:
There is also my previously published guidance ‘Data Protection and Cyber Security’, under the News tab on this site, which includes practical tips from cyber security experts.
When mistakes happen
It would be a good time to remind everyone (in a positive, blame-free way, of course!) of the importance of promptly reporting any mistakes or data/device losses so that the risk to any personal data can be minimised. Are staff clear who they should report any issues/concerns to?
Make a record of any actions you take in relation to reminding staff of safe home-working practice (and any actions you ask them to take), as this can contribute to your school’s body of evidence of its compliance with the GDPR, which is required by the Accountability principle.
How SchoolsDPO can help you
For an informal discussion about how I could support your school or trust in ensuring your policies and guidance are fit for purpose, delivering training or providing advice and support with any data protection issue, please don’t hesitate to get in touch. My contact details are at the bottom of the page or you can use this contact form.