Information Governance for Schools

The Information Governance for Schools Service assists schools in complying with their legal responsibilities under the following pieces of legislation:

• General Data Protection Regulation 2016
• Data Protection Act 2018
• Freedom of Information Act 2000
• Environmental Information Regulations 2004

The Service includes:

• Access to specialist professionals who can advise on the school’s implementation and compliance with data protection legislation.
• Annual consensual health checks to test GDPR compliance.
• The provision of expert assistance in responding to requests for information under data protection legislation and the Freedom of Information Act.
• Model policies, reviewed and updated annually, including a Freedom of Information Policy, CCTV Policy and a Data Protection Policy which reflects the 2018 changes in data protection law.
• Access to online training for all employees in relation to data protection and freedom of information and the provision of in-house training by the Senior IG Officer if necessary
• Assistance in maintaining a Record of Processing Activities which is a requirement under GDPR.
• Advice on fair processing notices, consent, data privacy impact assessments and data sharing agreements.
• Advice in relation to Records Management.
• Advice on Cyber Security.

The Service also includes BwD’s Senior IG Officer acting as schools Designated Data Protection Officer.

Under GDPR, it is mandatory for schools to appoint a Designated Data Protection Officer. The DPO’s minimum tasks are defined in Article 39:

• To inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws.
• To monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advise on data protection impact assessments; train staff and conduct internal audits.
• To be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc).

Please note the GDPR does not specify the precise credentials a Data Protection Officer is expected to have. However, it states you should have professional experience and knowledge of data protection law.