PRACTICAL STEPS BOMS MIGHT TAKE TO ENSURE COMPLIANCE WITH GDPR
- Published: 09 May 2018
In order to comply with GDPR, every BoM should ensure that
- they are aware of what data they currently hold and the reasons why they are processing it on an on-going basis
- the relevant School Staff are fully trained for their roles in relation to GDPR
- all School Staff are fully aware of the importance of Data Protection and that the school is a Data Protection Sensitive and Aware institution
- all relevant Policies and Procedures are in place and embedded
On a practical level, this will require the BoM to complete the following:-
Data Audit
It is important that the BoM is aware of all the Data it holds, collects and processes. This will be the first task.
- List all of the types of data currently held by the school – See Draft School Data Protection Policy section on Personal Data
- Identify the location of storage of each type of Data
- Identify the legal basis for processing each type of Data
- Identify all Data Processing operations currently being carried out on that data:-
  - Who processes the Data – may be more than one person?
  - Who has access to the Data?
  - Security arrangements for the storage of the Data?
  - Availability of the Data to the Data Subject, if required?
- List all of the Data Processors contracted by the BoM to process data on its behalf e.g. Aladdin, Databiz, School Accounting etc.
- Security of the Data while under the control of the BoM
Staff Training
The BoM must ensure that all School Staff are aware of the concept and practice of Data Protection as it applies to them in the course of their work. The contents of this Resource Bundle (PAMS in particular) could form the basis for such training – as it applies to the particular school e.g. not all schools have CCTV. The object of this training will be to ensure that all School Staff become conscious of Data Protection and implement it in the course of their work
Embedding of a Data Protection Culture
In order to ensure the success of Data Protection training, the BoM must endeavour to inculcate a culture of awareness of Data Protection within the school community. To achieve this, the BoM needs to have a plan for training in and promotion of Data Protection among School Staff, Parents and the BoM itself. It could take the form of regular discussions on Data Protection and how it is being implemented in the school at BoM meetings, at Parent Council meetings and at Croke Park hours.
Policies, Agreements and Notifications
- The BoM is advised to have a comprehensive School Policy on Data Protection – PAM*. This should be devised in consultation with Staff and Parents, passed by the BoM and reviewed as required or at least every two years
- The BoM is required to have a Written Service Agreement – PAM* - with each Data Processor contracted by the BoM to process data on its behalf
- Where a BoM has deployed CCTV, it is advised to have a separate CCTV Policy – PAM*. There is also a requirement to post notifications in relation to CCTV at each camera’s location
- The Data Protection Commissioner recommends that a Privacy Statement – PAM* - be placed in a reasonably obvious position on the website homepage
Administration Forms
Schools use Administration Forms e.g. Enrolment Forms, BoM Election Ballot Papers, Permission to use Photographs of a child etc. to assist in the smooth running of the school. In the main these Forms gather information which is then processed by the BoM or by a Data Processor on behalf of the BoM. In order to reassure Data Subjects that the BoM is following Fair Processing procedures, as is required by the Data Protection Legislation, it is important to ensure that all such forms contain a clear and specific rationale for the collection of such Data. Data Subjects have the right to know
- what Data is being processed
- the reasons for that processing
- the name of the Data Controller who is responsible for the processing of their Data
Procedures and Routines
Each BoM should establish clear Procedures and Routines around the collection, processing, storage and disposal of Data under its control. It should also establish Procedures and Routines for engaging with Data Subjects who wish to exercise their rights under Data Protection Legislation. These Procedures and Routines should clearly outline:-
Collection and Processing of Data
- The procedure for collection of Data – Forms used, follow up phone calls etc.
- Procedures for dealing with Data Subjects who do not wish to provide Data which the BoM is legally authorised to collect
- The personnel authorised by the BoM to collect such Data
- The personnel authorised to access the Data
Processing
The procedure for processing the collected Data – whether within the school or by a Data Processor
Storage
- The BoM must be aware of all electronic devices on which the Data is stored
- The BoM must ensure that the Data on each of these devices is secure in the event that the device is stolen or lost
- The BoM must ensure that the School Employee who controls the electronic device is fully aware of his/her obligations in regard to the protection of the Data on their device
- The BoM must ensure that all physical Data is properly stored in a secure filing system
- The BoM must ensure that all Data stored physically or electronically is accessible to the Data Controller
Disposal
The BoM should have a clear procedure for the disposal of Data once the Retention Period – PAM* for such Data is reached. The BoM should also ensure that all School Staff are conscious of the safe disposal of any item, physical or electronic, containing Personal Data. This might require the purchasing of a shredder or the collection of sensitive material in a safe location for transport to an industrial shredder on a regular basis
*PAM: PAMs are Principal Aide Memoires, which are hyperlinked summary documents accessed from the IPPN Resource Bundle “Getting Data Protection Ready”
External Research - CPD Provision for Experienced Administrative Principals
- Published: 15 March 2018
The aim of this research is to explore the forms of professional development that are available to serving principals, identify the factors that impact on accessing these provisions and explore future CPD provision in responding to principals’ needs.
Administrative principals with 3 or more years’ experience in the role are invited to complete an online questionnaire. If you have any queries, please contact Darina by email to burked11@tcd.ie or her supervisor Dr Gerry Harvey to harveyg2@tcd.ie
Mother's Day
- Published: 08 March 2018
Mother’s Day thoughts for teachers: Supporting Bereaved Children