School Data Protection Audit

Documents to be seen
Sta / Data Protection Policy / Ess / Online Safety policy
Sta / FoI Publication Scheme / Acceptable User Policies
Ess / Privacy Information Notice(s) / Ess / Learners
Ess / Data Notification Register[1] ( / / ) / Ess / Staff
Ess / Data Asset Audit / Rec / Technicians
Ess / Data Exchange Agreements / Rec / Visitors
Ess / Logs for SAR/FoI/Data Breach / Ess / Use of Pictures Policy
Who is responsible for Information Systems in the schools?
Who is the Data Protection Officer?
Who is the Data Protection Lead?
Are they registered with the ICO? When is this due for renewal?
Policies
How up to date are the policies?
Are the policies clear?
Which AUPs are missing?
Has the school replied to SAR or FoI requests?
Is there a log?
Has the school had a data breach?
Is there a log?
Data Asset Audit
Is the Data Asset Audit comprehensive?
Do the SAR/FoI/Data Breach logs exist?
Sharing data mapped
Other Local Authority Services/ Social Services/Health Services/DfE
Other Schools
How do you tell staff, pupils and parents what you do with their personal information?
Privacy Notice
School Website
Physical Computer Security
Where is the fileserver?
Do all computers have up to date anti-virus software?
Are screens locked if left unattended?
Are the portable computers encrypted?
Does the school allow the use of memory sticks? Are these encrypted?
Can monitors in the office be seen by visitors?
Passwords
How often do staff have to change passwords?
Is there an account for visitors?
Paper files
Where are paper files containing personal data held?
Where are paper files containing SEN information held?
Do classrooms have lockable storage?
What information is posted on the staff noticeboard?
How is personal data distributed/used?
What methods are used for distributing personal data?
Remote Access/Cloud/email?
Do staff use their own personal computers for school business?
What instructions are staff given?
Are their computers virus protected?
Email
Do you use only secure email systems to send and receive personal information?
What about other staff?
What about Governors?
Data Retention and destruction
Does the school have a Data Retention Policy?
Is there a data destruction log?
Certificates for external companies
When unwanted electronic devices are passed on are the memories scrubbed clean or re-formatted?
Old computers
Memory sticks
CCTV
Where is there CCTV?
For what purposes is the CCTV there?
How long do you store CCTV footage for?
Who has access to this footage?
Is this noted in the Data Protection Register?
Have the staff received specific training on Data Protection issues?
Headteacher
Teachers
Admin staff
Governors
Other notes


[1] for Data Protection Public Register. Also check CCTV