GDPR guidance from the Independent Schools' Bursars Association

Posted on: 19 Mar 2018
Posted by: David Woodgate

With the new General Data Protection Regulation (GDPR) due to come into effect on 25th May this year, ISBA offers its advice to support the sector in its preparations.

ISBA has published a number of documents (including template policies) for schools designed to help them become GDPR compliant. Its guidance on the role of the Data Protection Officer (DPO) and whether schools should appoint one can be read here.

Other key guidance published by ISBA recently and available to members includes:

  • a data audit grid to enable schools to work through the process of assessing what data they hold. This is a recommended step before taking any action over relevant policies, and is available in ISBA’s reference library.
  • a template privacy notice and guide available for members.
  • data processing guidance and a template data processing agreement.
  • guidance on biometric data and a template consent form available here.
  • guidance on taking, storing and using images of children, and a template policy, accessible here.
  • use of images consent forms – pupil and parental.

The association regularly covers data protection issues for schools in detail at both in-person professional development events and webinars. To view recent webinars ISBA members can visit ISBA TV.

Template documents for schools have been reviewed and updated in light of GDPR. These are:

  • ISBA model acceptance form and terms and conditions (parent contract);
  • parent contract frequently asked questions (FAQs);
  • model letter to be sent by the school to parent(s) and third party payer(s);
  • model letter - making a disclosure to the school's insurers [re: the optional Clause 15 in the ISBA Model Parent Contract (force majeure)];
  • model letter - letter to be sent by the school to parent(s) where (in exceptional circumstances) only one parent is allowed to assume responsibility for the payment of the fees;
  • registration form;
  • admissions policy;
  • discipline and exclusions policy;
  • complaints procedure;
  • zero hours (employee) contract;
  • zero hours (worker) contract;
  • visiting music teacher contract;
  • service occupancy agreement;
  • CCTV policy; and
  • data storage and retention guidelines.

NEW documentation coming soon

The association is finalising a complete guide to GDPR which will shortly be made available to members and will cover the following practical considerations for schools:

  • Introduction and the concept of the Information Governance and Management Organisation (IGMO)
  • Data handling and demands on staff
  • Training and education of data processors and controllers (and questions)
  • Questions on the overall organisation within a school
  • Data streams and pupils
  • Data streams and employees
  • Data streams and governors
  • Data streams and alumni
  • Subject access requests
  • Notifying the ICO on data breaches
  • Privacy impact assessment – a guide to completion
  • Draft privacy notices
  • Data retention
  • The school’s GDPR checklist

Also due to be published soon:

  • GDPR Fundraising Toolkit
  • Contracts for engaging third parties (e.g. catering and sports)

UPDATED template documentation due soon:

  • ICT acceptable use policy covering lending of devices, BYOD etc (expected March 2018)
  • E-safety policy (expected March 2018)
  • Recruitment policy and template pack (expected April 2018)
  • Employment contracts – head, bursar, support staff & teacher, visiting teachers, zero hours contract and agreement for services of volunteers (expected April 2018)
  • Staff handbook including data protection policy for staff (expected April 2018)

Having completed the publication of a comprehensive suite of documentation relating to GDPR guidance for schools, ISBA now awaits the ICO’s guidance on consent and subsequent legal advice before it can issue the final template documentation listed above. It will be keeping member schools and associations apprised of developments in this area.

ISBA has also been holding briefing sessions on GDPR at every ISBA regional group meeting this year and is encouraging member schools to attend these for the latest information on the subject.

Finally, articles have been published by ISBA in the summer, autumn and spring issues of its member magazine The Bursar’s Review summarising the latest on GDPR.

The ISBA is committed to working closely with schools and its fellow ISC associations to ensure the sector benefits from the very best practical advice and guidance on its journey to GDPR compliance. Please do get in touch with ISBA if you would like to share any thoughts, queries or suggestions as we all move towards May 2018.

About David Woodgate

David Woodgate is chief executive of the Independent Schools' Bursars Association. Prior to this, he was Chief Executive of the Institute of Financial Accountants from 2007 to 2015, after which he spent a year as the Strategy Consultant to the Institute of Public Accountants in Australia.