Data Protection Officer

Data Protection Officer

Under new Data Protection legislation, it may become law[1] that schools will need to nominate a Data Protection Officer (DPO). This person is a formal appointment.

The role of the Data Protection Officer will include:

• Working in the school to:
• Educate the staff in relation to Data Protection
• Train staff involved in data processing
• Conducting audits to ensure compliance and address potential issues proactively
• Serving as the point of contact between the school and Data Protection Supervisory Authorities
• Monitoring performance and providing advice on the impact of data protection efforts
• Work with the school in maintaining comprehensive records of all data processing activities conducted by the company, including the purpose of all processing activities, which must be made public on request
• Interfacing with data subjects to inform them about how their data is being used, their rights to have their personal data erased, and what measures the company has put in place to protect their personal information

Ifyou give the responsibility to an existing staff member on a part-time basis, they must have:

• Professional duties which are compatible with the demands of the DPO role
• No conflicts of interest with the rest of their job

Conflict of interests

The DPO cannot hold a position within the organisation that leads him or her to determine the purposes and the means of the processing of personal data.

Conflicting positions within the organisation may include senior management positions but also other roles lower down in the organisational structure.

So, for example, the head of IT should not be the DPO as they are responsible for implementing the IT system, and the DPO will be responsible for checking the system's compliance with the new laws.

It's for schools to decide what would count as a conflict of interest, based on your specific systems and structures.

Appointing an external DPO

MATs or Federations

You can appoint an external DPO for a group of schools.

This may be the best option for multi-academy trusts (MATs) or federations.The DPO could be one person at head office with the official title and oversight. Some school-level duties could be delegated to either the school business manager or the principal at each school.

Bear in mind that the DPO must remain easily accessible for each schooland be able to act as a contact pointon data protection issues.

Athird party

You can also outsource your DPO to a third-party organisation. This might be:

• An independent consultant
• A 'service contract' with a data protection consultancy, for example
• Someone fromyour local authority, if it offers this service

Your school must ensure that your DPO:

• Operates independently and autonomously
• Is not dismissed or penalised for performing their task
• Is provided with necessary resources to meet their GDPR obligations and maintain their expert knowledge
• Is involved in all issues which relate to the protection of personal data

You must also publish the contact details of your DPO.

Until the 31st August 2018 eLIM will offer this service to schools at no extra cost.

This will allow for the law to become enacted and for schools to consider the next steps.

It is likely that SSE will offer this service to schools after this date but there may be a cost.

If you wish eLIM to act as your DPO until August 31st 2018 then please could fil in the form at:

The named person in the form will act as Data Protection Lead for the school receiving information and being the point of contact for all Data Protection issues.

For your records the named person at the LA will be:

Ian Gover

Within this service eLIM will:

• Work with the Data Protection Lead in the school to:
• educate the staff in relation to Data Protection
• train staff involved in data processing
• Support the Data Protection Lead in conducting audits to ensure compliance and address potential issues proactively
• Serve as the point of contact between the school and Data Protection Supervisory Authorities
• Support the Data Protection Lead to monitor performance and providing advice on the impact of data protection efforts
• Work with the school in maintaining comprehensive records of all data processing activities conducted by the company, including the purpose of all processing activities, which must be made public on request
• Support the Data Protection Lead in interfacing with data subjects to inform them about how their data is being used, their rights to have their personal data erased, and what measures the company has put in place to protect their personal information.

Ian Gover

School Development Officer

eLIM

01823 356842

07976 691766

[1]The Data Protection Act 2017 is still passing through Parliament and hopefully will be changes to make this aspect more workable for schools.