Public

GDPR Frequently Asked Questions by Schools

Frequently Asked Questions

  1. Are there GDPR compliant 3rd party software supplier contracts in place, for solutions that process personal data supplied, under central Derbyshire County Council contracts to schools?

Derbyshire County Council will ensure all 3rd party software supplier contracts, for solutions that process personal data,procured under a central Derbyshire County Council contract for schools, such as SAP, will be GDPR compliant, there is no need for schools to request that these contracts be updated.

List of Derbyshire County Council centrally procured solutions on behalf of schools:

  • RM Integris
  • SAP for Schools

New!

  1. How does my school access the on line learning courses relating to Data Protection and GDPR on Derbyshire’s Online Learning System?

Contact for further details if your school does not buy Derbyshire Payroll Services

If your school buys Derbyshire Payroll services, follow instructions below:

Your Username is your SAP payroll numbers (if you have a letter at the start of your payroll number replace it with a 0)

Your initial Password is welcome

If you have accessed the Learning platform previously use your own password you changed to when you first logged in.

You will then be forced to change your password. Follow the instructions on the screen to change your password.

For Password resets to the derbyshire.learningpool.com site please call Learningpool on 0845 0744 114.

Any queries about above contact

  1. Do academies have to pay for access to data protection related content on Derbyshire’s On line learning platform (badged Derbyshire LearningPool)?

Currently there is no charge, however after May 2018 this may change,contact for details.

  1. Can schools useDropbox or One Drive to share documents with Governors?

This is a decision for schools, however schools must have policies and procedures in place to ensure any personal data being shared is processed in compliance with new data protection legislation.

  1. What advice can the Council give on allowing a piece of software called ‘Wonde’ to access pupil data on my school’s RM Integris system to extract and share relevant pupil data with 3rd party software companies my school has contracts with?

Audit Services are currently undertaking a security assessment on the above software, the results of the security assessment and further advice will be given once this is complete.

  1. Where do I find the list of 3rd party software supplier solutionsthat process personal information, e.g. ParentHub, thathave passed the Audit Services Information SecurityAssessment?

For a list of companies that Audit Services have completed a security assessment on, open the latest version of the Audit Services Newsletter on the Audit Servicespage and click on the link in the ‘Procurement of IT Systems – Audit Guidance’ section

  1. Would a system or list containing just a pupil’s name be considered personal data?

There is a lot of debate around this question as it would not always be possible to identify a person by name alone, however some people have unique names from which they could quickly be identified, so on balance if you are recording the full name the answer is likely to be yes.

  1. Do you need consent from parents to upload parent contact details to ParentPay system prior to sending out authorisation letters from system?

Yes, the GDPR specifically states that data controllers cannot rely on consent as a condition for services. Therefore the school must ask for parental consent in order to pass their details to ParentPay.

  1. Can Legal Services supply templates for amending 3rd party software contracts involving the processing of personal data on SchoolsNet or S4S?

Advice and guidance on amending contracts can be found on Derbyshire Services for Schools (S4S) in the traded Legal Services section of the site if your school buys legal support from us.

  1. Under a Subject Access Request should details relating to safeguarding or disciplinary investigation be released to subject?

You should take legal advice on this issue on a case by case basis however you should not release any information that may endanger the safety of an individual.

  1. Can schools send unencrypted e mails containing personal data to the Council on the request of a Council employee?

Any unencrypted e mail sent across the open internet is not secure and the Council does not recommend that personal information is shared by this method. Derbyshire schools can use the secure area on the Derbyshire SchoolsNet website (called Perspective Lite) to share personal information securely with the Council.

  1. Why is there not more specific advice about what schools should do to be prepared for GDPR e.g. templates, policies, or checklists on what actions to take to prepare for GDPR and what action to take to ensure ongoing compliance?

The Council’s advice to schools on GDPR can be found on Derbyshire SchoolsNet.

CS Information and ICT V02March 2018