This article has five excellent top tips for strong data compliance in 2022, including: embracing near misses, leading from the top, outcomes-focused training, learning walks and consequences.
I know, possibly the most exciting article you’ll read this year. OK, so I admit that it’s not that exciting, but – as you have heard me say plenty of times – this stuff is important. It can also be time-consuming, and with data protection compliance it is often a matter of prioritising effectively to make the most of your finite time.
Let this article help you with that focus and ultimately save you time and money.
Tip 1: Embrace near misses
Once your heart rate is back to normal, take a step back and ask yourself “what can we learn from this near-breach experience to improve our practice?”
Near misses (and for that matter actual breaches) present a good opportunity to learn. What went wrong? What needs to change? How do we avoid it happening again? It’s very easy to thank your lucky stars and move on, but in doing so you are likely to be doomed to repeat the same mistake. Invest some time now in figuring out how to be better, put those changes in place and see the long-term benefit.
Tip 2: Lead from the top
Evidencing a strong culture of compliance is an important part of the DPO role. The best way to achieve it is to ensure you and your SLT lead from the top. How the leadership are perceived to fall in line with any compliance issue has a serious impact on how the rest of school staff will act. Strong and consistent leadership will send a clear message to more junior staff; a dismissive approach that suggests it all doesn’t matter will pretty much end your chances of creating a strong culture of compliance. So, start at the top.
Tip 3: Outcomes-focused training
The ICO expects organisations (including schools) to be able to measure the outcomes of data protection training. This means proving staff knowledge, not proving that they attended some training you put on during the inset day. So, make sure your staff training outcomes can be evidenced, that you then review that evidence to identify knowledge gaps and then plan how to plug those knowledge gaps to improve staff knowledge and data protection practice.
Tip 4: Learning walks
Learning walks should form part of your regular review of staff compliance – it’s one of the best ways to review everyday compliance and it doesn’t have to be a big job. All it requires is a wander around school with your eyes open to look out for key physical risks – screens left unlocked, USB sticks in use, personal data left lying around, cabinets unlocked and so on.
A quick learning walk will help you identify the areas of risk in your setting which you can then build into staff training and updating. Soon enough, those risks will be managed and reduced.
Tip 5: Consequences
This is a big one. In May this year we’ll be four years into the GDPR regime. Is it time for there to be consequences for staff not completing data protection training and/or not doing what is required of them? Spoiler alert: it is. I’m suggesting we go straight to the ‘stick’; by all means use the carrot too. However, if there is no real consequence for a staff member not completing training or not complying with policy, then what is their motivator for complying? Perhaps it is now time to look at making these issues a disciplinary matter or, at the very least, a difficult conversation with the Headteacher. What would happen if we were talking about safeguarding and not data protection? I’m betting there would be consequences.
Bonus tip: Work together, don’t reinvent the wheel
You know me, I like to give you freebies where I can, so here’s a free tip – work together. Being a DPO can be a lonely job, so look to networks, forums and make connections with other DPOs in your area so you have a support network around you. That way you can share learning/documents/experiences and take those benefits back to your school. As part of that, don’t forget the DPO Peer to Peer Support Forum in the LASBM online community.
I’ll be expanding on these tips and providing some more at the LASBM East Conference on 9 February.
This article was first published by LASBM on 27 January 2022
Partner
dai.durbridge@brownejacobson.com
+44 (0)330 045 2105