fbpx

Merton Schools DPO Leading the way in Data Protection

Back to previous page

An inspiring example of how schools and their LA can work together to achieve compliance with the new Data Protection laws in the UK

Introduction

The GDPR and the DPA 2018 require organisations to carry out detailed investigations of the personal data they process and keep evidence of the outcomes. Schools process large quantities of personal data, much of which is extremely sensitive. Data protection must permeate every part of the school from the leadership team through to the kitchen staff who serve food to children with health problems and allergies.

Background

Derek Crabtree is the Schools’ ICT Support Manager and DPO for schools at the London Borough of Merton. He has a wealth of experience in leading new initiatives and has successfully  introduced systems to manage safeguarding together with implementing safe network solutions and removed cash in his schools by introducing online payments.

Looking back at the lead up to 25th May 2018, Derek recalls “We identified early on that there was a great deal of misinformation out there. Schools were being approached by various consultants and companies eager to benefit from the uncertainty at the time. The ICO tried their best to bust the myths but schools were very uneasy about what they should do. It irritated me that companies and individuals would use scare tactics to try and gain access to public money.”

It was this irritation that sparked Derek into action; he knew that he had to find a cost-effective way to support his schools.

 

The Challenges

Talking about the challenges that schools in Merton would face, Derek admits “We have always been strong on data governance and have worked with our corporate audit colleagues to ensure that our schools were compliant with the previous legislation. Our approach started with some initial guidance around the GDPR that we intended would steady the ship.”

It quickly became clear to Derek’s team, that ‘just guidance’ was not enough, the new and extended requirements brought greater challenges to schools. The new 2018 data protection laws require them to:

  • Appoint a Data Protection Officer (DPO)
    The DPO should be an independent person with expert knowledge of data protection law and practices.
  • Build a data ecosystem
    Record and evidence what personal data they process and map data flows.
  • Maintain detailed records of breaches
    Evidence their investigations and actions within tighter timescales.
  • Carry out focused Data Protection Impact Assessments (DPIAs)
    Particularly for new projects which process personal data and all existing high-risk processes.
  • Review policies, procedures & agreements
    Update their Privacy Policy, implement a clear Data Retention Policy and review Data Sharing Agreements.
  • Deliver and evidence staff training

With no additional funding available to tackle the new challenges, schools were rightly concerned. Derek held consultations with Headteachers across the Borough and it was decided the best way forward was to provide a cost-effective Service Level Agreement (SLA) to help schools meet the new requirements.

The Merton Approach

After testing the market, it became apparent that there would be a strong take up of the SLA amongst schools.

They knew that if it were to be successful they would need a software solution that would allow them to raise awareness, help with training, record and document their compliance as well as track progress.

They also felt it was important that the ideal solution would be paperless and cloud-based. Derek’s team approached the LGfL, their regional broadband provider, who built a mini-framework of products and providers of services that met their criteria.

The team at Merton chose GDPRiS because in Derek’s words “it was the best fit for our schools.” Derek remarked “Once the schools signed up implementation was really quick and easy. The GDPRiS staff were very accommodating and knowledgeable and with their help, we quickly onboarded all of our schools and delivered training.”

Outcomes

More than 12 months into the project, Derek and his team have realised the many benefits of using GDPRiS to monitor and manage data protection across all their schools.

With regards to the success of the project, Derek said “In terms of outcomes, we wanted schools to feel confident that they were doing the right thing and that compliance with a complex set of regulations would not distract them from their core purpose – the business of education. I believe we have achieved this, schools now have a really good idea of what it takes to comply with the new regulations.”

Derek and his team have access to a central dashboard providing Key Performance Indicators (KPIs) across their schools. Highlighting the key areas of GDPRiS that help him as the DPO across a group of schools Derek commented “We can view data maps and data asset registers for each school and the comprehensive reporting allows us to check levels of engagement. Any member of staff, at any of our schools, can report a breach triggering an immediate notification that is sent to myself and my team allowing us to react quickly in-line with ICO requirements.

Derek added; “The audit functionality is very useful, we can carry out a Training Needs Analysis (TNA) to spot gaps in staff knowledge and provide properly targeted training and guidance. In addition, we have a record of what training staff have received and when.”

The project has also enabled Merton to further reduce its carbon footprint with fewer school visits needed and has provided a paperless solution to disseminate information to their schools. Derek also said, “GDPRiS is a living growing product and our requests for reports and additional features are always enthusiastically received. It feels as if we are growing stronger together as the product continues to evolve in-line with DfE and ICO requirements.”

When asked if he had any advice for other LAs, or other education organisations, looking to embark on a similar project, Derek advises “Don’t be afraid to have difficult conversations with your schools. They are all worried about compliance, choosing the right supplier to help you manage this can help to ease the burden.”

As a final piece of advice to others, Derek added “Compliance with Data Protection laws is not something that you can treat as a one-off, keeping people’s data safe is a process and involves a particular mindset – you cannot afford to take your eye off the ball. GDPRiS has really helped to foster this mindset in our schools and has given us a central tool that helps us to monitor each schools journey towards compliance.”

In recognition of his efforts to support schools in Merton, Derek has been nominated for various awards including the ICO award for Data Protection Officer of the Year and the Public Sector Paperless Award for Data and Information Security Project of the Year.

To find out how GDPR In Schools can support your school(s) call 020 3961 0110

    Our members

    Looking for quality education products and services? BESA members sign up to our Code of Practice, so you can be confident you are spending wisely with companies you can trust.

    Code of Practice

    This Code of Practice is a mandatory membership commitment given by members to BESA

    Our Team

    The BESA secretariat is a small, dedicated team that works hard to find channels to market for education suppliers

    Research

    BESA publishes over 20 market research reports each year on a wide range of topics. Access our latest reports and the full research archive.

    UK Education Statistics

    There are currently 32,770 schools in the UK. Of these, 3,714 are nurseries or early-learning centres

    News

    Keep up to date with member news, announcements and BESA activities.

                Policy Updates

                Our weekly roundup of policy news, debate and initiatives.

                Great British Classroom

                Running as part of BESA’s exhibitions programme showcasing the world’s best education products and services

                Resource Our Schools

                The Resource Our Schools campaign has been initiated by the British Educational Suppliers Association (BESA), working with a coalition of organisations and suppliers.

                Summer Business Insight Day 2024

                BESA's annual summer member event returns for 2024 at The Oval Cricket Ground this July!

                Special Interest and Working Group meetings

                BESA recognises the importance of bringing together members with common interests to share ideas, information and maintain a tight focus on each market place.

                GESS Dubai 2024

                Join the UK Pavilion at GESS Dubai 2024 - Unleashing Educational Excellence.

                Special Interest Groups

                With such a diverse market, BESA recognises the importance of bringing together members with common interests to share ideas

                International

                BESA works with UK education suppliers to help maximise their export potential, regardless of their stage in their export journey.

                Discounts and Opportunities

                We work hard to identify high-quality providers to the education suppliers sector, and negotiate discounts on behalf of our members.

                Code of Practice

                This Code of Practice is a mandatory membership commitment given by members to BESA.

                LendED

                LendED enables you to search, preview and test education technology products before you buy them, so you can be sure they will meet your needs.

                Supplier Directory

                Looking for quality education products and services? BESA members sign up to our Code of Practice, so you can be confident you are spending wisely with companies you can trust.

                  Sponsorship

                  Learn more about BESA’s sponsorship opportunities.