Most of you will be aware that since May last year the ICO has been able to carry out inspections of organisations that process personal data but, until this week at least, I have not been aware of them visiting a school... well, I am now!
The school is known to me, although it is not one I work with, but will remain anonymous for the purpose of this article. This is what they were asked about by the two officers who visited the school and who had agreed a schedule in advance:
Tour
Shredder – is it a cross cut shredder and what happens to the shredded paper afterwards.
Filing cabinets in rooms – are they locked?
Where are the keys kept?
Post – is it left in the tray overnight?
Checked what info was displayed on walls
Whether screens could be seen through windows
Whether a clear desk policy was in place
Whether the windows had restrictors
Access to the building
Whether IDs are worn
Security
Do spot checks for clear desks & locked screens
Do support staff have GDPR training?
Do outside agencies (e.g. cleaners) have GDPR training?
If possible change screen lock time to 15 or 30 minutes for admin staff
Exercise our right to inspect our data processors & record the inspection as evidence
Laptops & USBs should be encrypted
Keep a separate copy of USB data on the network – if a USB is lost it must be recorded as a security incident
Lock down USB ports on computers
Do not take USBs home if unencrypted
Staff should not bring in their own devices – laptops/tablets/USBs – the ICO has BYOD guidelines on its website
Update Mobile & Home Working Policy to encourage data protection in a home environment e.g. close windows, screen not on show to family, passwords, not storing student data on home computer
Any device taken out of school has to be covered by Mobile & Home Working Policy
Home working should encourage use of school email and remote access.
Update the Acceptable Use Agreement to state that, if required, the school can view your network area and school email
School email should be separate from personal email
Wanted to see a copy of our Acceptable Use Agreement
Records Management
Asked what my role was, in addition to DPO tasks
Asked about my history and background in school, work, etc
Have staff been issued with Privacy Notices and asked to complete consent forms where required?
Do we refresh personal data (e.g. addresses, phone numbers etc.) every year?
Do we keep a note of personal files that leave the school (e.g. student records)?
Wanted to see our data retention policy
How do we keep a record of what needs to be disposed of and when?
Do we do a sweep of files on a regular basis?
How do we dispose of records, who do we use, and where do they shred – on or off site?
Do we keep a central record of what has been destroyed?
Where are student/staff files kept?
Who has access?
Training
Who led it?
Who received training?
What was the content?
Have you checked staff understand it?
What materials were used to deliver it?
Any follow ups?
How will you ensure staff stay up to date?
SARs
What are they?
How do we manage them?
Do staff know what they are, what to do with them and who to go to?
What is the procedure for responding?
Is there a central record?
Nothing was asked on data breaches, supplier compliance (apart from one question on whether the school had updated all the contracts) or CCTV (apart from on the tour they commented that the school had it).
Having read the full report feedback from the ICO I thought some of the content was nit-picking on very minor issues and some suggestions were downright impractical - the ICO suggested visiting data processors to ensure they were compliant which would be a huge task for a small school in terms of resources.
I'm sure that the ICO will strike a balance as time progresses and more school audits are undertaken - it is very early days in their inspection regime after all.
It does however illustrate the need to have evidence of good practice and I'm pleased to say that the Information Governance Health Check visit and termly audit questionnaire that form part of my subscription service cover many of the issues the ICO looked at, and much more too. If you haven't taken out a subscription yet I'm always happy to discuss what it covers and the cost involved. Give me a ring on 07984 838038 or email me at stevecullen@insightmsig.co.uk for more information.