GDPR guidance from the Independent Schools' Bursars Association
With the new General Data Protection Regulation (GDPR) due to come into effect on 25th May this year, ISBA offers its advice to support the sector in its preparations.
ISBA has published a number of documents (including template policies) for schools designed to help them become GDPR compliant. Its guidance on the role of the Data Protection Officer (DPO) and whether schools should appoint one can be read here.
Other key guidance published by ISBA recently and available to members includes:
- a data audit grid to enable schools to work through the process of assessing what data they hold. This is a recommended step before taking any action over relevant policies, and is available in ISBA’s reference library.
- a template privacy notice and guide available for members which can be downloaded here.
- data processing guidance and a template data processing agreement available here.
- guidance on biometric data and a template consent form available here.
- guidance on taking, storing and using images of children, and a template policy, accessible here.
- use of images consent forms – pupil and parental, available here.
The association has covered GDPR in detail at four professional development events held this academic year including a new ISBA Data Protection & Cyber Security Conference in October (ISBA members can view the day’s sessions on ISBA TV).
Template documents for schools have been reviewed and updated in light of GDPR. These are:
- ISBA model acceptance form and terms and conditions (parent contract);
- parent contract frequently asked questions (FAQs);
- model letter to be sent by the school to parent(s) and third party payer(s);
- model letter - making a disclosure to the school's insurers [re: the optional Clause 15 in the ISBA Model Parent Contract (force majeure)];
- model letter - letter to be sent by the school to parent(s) where (in exceptional circumstances) only one parent is allowed to assume responsibility for the payment of the fees;
- registration form;
- admissions policy;
- discipline and exclusions policy;
- complaints procedure;
- zero hours (employee) contract;
- zero hours (worker) contract;
- visiting music teacher contract;
- service occupancy agreement;
- CCTV policy; and
- data storage and retention guidelines.
NEW documentation coming soon
The association is finalising a complete guide to GDPR which will shortly be made available to members and will cover the following practical considerations for schools:
- Introduction and the concept of the Information Governance and Management Organisation (IGMO)
- Data handling and demands on staff
- Training and education of data processors and controllers (and questions)
- Questions on the overall organisation within a school
- Data streams and pupils
- Data streams and employees
- Data streams and governors
- Data streams and alumni
- Subject access requests
- Notifying the ICO on data breaches
- Privacy impact assessment – a guide to completion
- Draft privacy notices
- Data retention
- Subject Access Requests
- The school’s GDPR checklist
Also due to be published soon:
- GDPR Fundraising Toolkit
- Contracts for engaging third parties (e.g. catering and sports)
UPDATED template documentation due soon:
- ICT acceptable use policy covering lending of devices, BYOD, etc. (expected March 2018)
- E-safety policy (expected March 2018)
- Recruitment policy and template pack (expected April 2018)
- Employment contracts – head, bursar, support staff & teacher, visiting teachers, zero hours contract and agreement for services of volunteers (expected April 2018)
- Staff handbook including data protection policy for staff (expected April 2018)
Having completed the publication of a comprehensive suite of documentation relating to GDPR guidance for schools, ISBA now awaits the ICO’s guidance on consent and subsequent legal advice before it can issue the final template documentation listed above. It will be keeping member schools and associations apprised of developments in this area.
ISBA has also been holding briefing sessions on GDPR at every ISBA regional group meeting this year and is encouraging member schools to attend these for the latest information on the subject.
Finally, articles have been published by ISBA in the summer, autumn and spring issues of its member magazine The Bursar’s Review summarising the latest on GDPR.
The ISBA is committed to working closely with schools and its fellow ISC associations to ensure the sector benefits from the very best practical advice and guidance on its journey to GDPR compliance. Please do get in touch with ISBA if you would like to share any thoughts, queries or suggestions as we all move towards May 2018.