Data Protection Officer

The following advice is provided by the DfE (Department for Education) on appointing Data Protection Officers. The guidance below is written for schools, but it can help others understand the role and responsibilities of a DPO in a school.


Data Protection Officer (DPO)

The General Data Protection Regulation (GDPR) makes it a requirement that organisations appoint a data protection officer (DPO).

Purpose

The DPO is responsible for monitoring compliance with current data protection law, and has the knowledge, support and authority to do so effectively. They oversee the school’s data protection processes and advise the school on best practice.

Key responsibilities

(Requirements for the DPO role as set out in the GDPR)

  • Advise the school and its employees about their obligations under current data protection law, including the General Data Protection Regulation (GDPR)
  • Develop an in-depth understanding of the school’s processing operations, information systems, data security processes and needs, and administrative rules and procedures
  • Monitor the school’s compliance with data protection law, by:
    • Collecting information to identify data processing activities
    • Analysing and checking the compliance of data processing activities
    • Informing, advising and issuing recommendations to the school
    • Ensuring they remain an expert in data protection issues and changes to the law, attending relevant training as appropriate
  • Ensure the school’s policies are followed, through:
    • Assigning responsibilities to individuals
    • Awareness-raising activities
    • Co-ordinating staff training
    • Conducting internal data protection audits
  • Advise on and assist the school with carrying out data protection impact assessments, if necessary
  • Act as a contact point for the Information Commissioner’s Office (ICO), assisting and consulting it where necessary, including:
    • Helping the ICO to access documents and information
    • Seeking advice on data protection issues
  • Act as a contact point for individuals whose data is processed (for example, staff, pupils and parents), including:
    • Responding to subject access requests
    • Responding to other requests regarding individuals’ rights over their data and how it is used
  • Take a risk-based approach to data protection, including:
    • Prioritising the higher-risk areas of data protection and focusing mostly on these
    • Advising the school if/when it should conduct an audit, which areas staff need training in, and what the DPO role should involve
  • Report to the governing body on the school’s data protection compliance and associated risks
  • Respect and uphold confidentiality, as appropriate and in line with data protection law, in carrying out all duties of the role
  • Undertake any additional tasks necessary to keep the school compliant with data protection law and be successful in the role

Additional responsibilities

  • Maintain a record of the school’s data processing activities
  • Work with external stakeholders, such as suppliers or members of the community, on data protection issues
  • Take responsibility for fostering a culture of data protection throughout the school
  • Work closely with other departments and services to ensure GDPR compliance, such as HR, legal, IT and security

Recommendation (schools should do one of the following)

  • Appoint a DPO team consisting of a member of the admin team and a teacher. This gives a clearer understanding of how data is processed within each department.
  • Outsource the responsibility to an external organisation, under an SLA, to perform this role.

It is ill-advised to appoint the Head Teacher, Deputy Head or the person(s) responsible for managing and supporting the IT systems. These roles have the ability to manipulate the data that is processed, which creates a conflict of interest and a risk of accusations and loss of trust.