Service Specifications

The Data Protection Officer (DPO) Service will ….

1. Inform and advise you of your obligations by providing

  • Advisory support for all GDPR queries via helpline and email
  • Video training and guidance for school staff and governors
  • Updates through the Data Protection Lead Network and termly network meetings

2. Support you in monitoring internal GDPR compliance through:

  • Remote compliance checks and GDPR action plan analysis
  • Advice and recommendations as appropriate
  • Provision of resources and model templates
  • Access to support through monthly 1:1 surgeries

3. Assist your school with Data Protection Impact Assessments (DPIAs) by providing advice, where requested, covering:

  • Whether to carry out a DPIA
  • What methodology to use
  • What safeguards to apply to mitigate any risks to the rights or interests of the data subjects
  • Whether the DPIA has been carried out correctly and whether its conclusions are in compliance with GDPR

4. Advise on handling Subject Access Requests (SARS):

  • Including a dedicated email address to publish for pupils/parents to log requests
  • Acting as a point of contact between you and parents as required

Advise on the handling of data breaches

  • Including making a judgement on whether they should be reported to the Information Commissioner’s Office (ICO)

Engage with the Information Commissioner’s Office on your behalf

  • Reporting serious breaches and acting as a link for any follow up
  • Receiving and responding to any communications from the ICO, such as data subject

Provide reports to the Headteacher and Data Protection Governor

  • Reporting annually to Trust Board/Governing Board through completion of an annual report template.

The School will:

(The term school is used throughout and refers to a maintained nursery/school, academy or multi-academy trust.)

  1. Give the DPO all resources necessary to carry out the functions above
  2. Provide access to records of processing operations
  3. Complete checklist/audits – to support DPO in monitoring compliance
  4. Make contact details of DPO (the dedicated email address) available for data subjects and the supervisory authorities (e.g. inclusion on website)
  5. Adhere to advice given by the DPO
    • where any advice has not been taken into account or where the controller disagrees with advice provided by the DPO this must be recorded in writing (within DPIA documents) (where advice has not been taken resulting in serious breaches, additional costs may be incurred (see Payment))
    • seek the advice of the DPO when carrying out a Data Protection Impact Assessment
  6. Ensure the DPO has access to senior managers.

Term of Agreement and Payment

There is an annual subscription of £595 for the service, payable in full in advance and within 14 days of receiving an invoice.

In order to keep the price as cost-effective for schools as possible, this service does not include any site visits, but these can be arranged by mutual agreement and would be charged at the consultancy day rate, or pro-rata.

This all- inclusive fee is bound by the understanding that school/trust will adhere to advice given by the DPO.  Should advice not be adhered to, resulting in a serious breach, fees to manage the situation would be charged at the consultancy day rate.

If a school wishes to terminate this agreement prior to the end date, 12 weeks written notice is required.

Confidentiality

Confidential information refers to any data or information relating to the business of the school or multi-academy trust that could reasonably be considered to be proprietary to the school or trust, where the release of that confidential information could reasonably be expected to cause harm to the school.

DPO Solutions for Schools will not disclose, divulge or reveal confidential information that it has access to in the course of delivering the Service, except as authorised by the school or as required by law.

We take the protection of your personal data seriously and comply with the UK Data Protection Act 2018.  Our Privacy Notice sets out how we collect and use your personal data, as well as your rights.  For further information, please see our Privacy page.

Indemnity

The school is the data controller and holds the liability for GDPR non-compliance and/or data breach. 

Except to the extent paid in settlement from any applicable insurance policies, and to the extent permitted by applicable law, the school and DPO Solutions for Schools agree to hold one another harmless against all claims, losses and costs of any kind arising out of any act or or omission on either side in relation to compliance with GDPR and other data protection laws.

Governing Law

This agreement will be governed by, and construed in accordance with, the laws of England.