SERVICES AVAILABLE TO SCHOOLS

Each of the services offered is broken down into an individual lot. Schools can buy into individual lots, or the entirety of the offering. To obtain a quotation for your school, please click on the quotation request above and fill in the form.

LOT 1 - DATA PROTECTION GAP ANALYSIS 

An audit of the culture and practices in relation to data privacy.

  • We will work with each Contracting Body to nominate a staff member to act as the Data Guardian (a person nominated by the Contracting Body to provide organisational insights and offer continuity once the contract has been delivered. Typically, they would be a Business Manager or ICT lead). They will be trained in how to complete our Self-Assurance Tool, so they will be able to participate in the initial compliance check and use it again once the contract has been delivered.

  • We have developed the DPAS Self-Assurance Tool to monitor and track “as is” versus “GDPR compliance”. It guides the organisation through a series of questions based on the Information Commissioner’s Office (ICO) ‘12 Steps to GDPR Compliance’, which then creates a ‘heat’ map, showing DPAS how compliant the organisation is.

  • Once it has been completed, we will be able to identify the gaps in compliance, enabling us to highlight areas of risk, and form a plan to mitigate those risks.

  • A key part of this initial process is for us to understand each Contracting Body's organisational culture in relation to data privacy. This will enable us to assertively but constructively challenge negative attitudes: debunking myths about data protection and helping stakeholders to understand the importance and relevance of good practice to themselves and their organisation. Particular attention will be paid to ensuring that senior managers are able to set the tone for good practice and adherence to key data protection principles.

  • Audit Report
    An Audit Report, including a one-page summary, will be produced providing details of all these assessment activities, along with full details of recommendations and expected future actions to enable GDPR compliance. This will be submitted to the Customer for comments, with the submission of the final agreed report indicating the completion of this Lot.
    Although comprehensive, the report will be written in “layman’s terms”, with minimal jargon, ensuring that it is easily comprehensible by stakeholders in the organisation. 

LOT 2 - DEVELOPMENT OF A COMPLETED RECORD OF PROCESSING ACTIVITY (ROPA)

A full Data Register will be completed for each Contracting Body by our senior GDPR Business Analyst.

It will capture information such as (non-exhaustive list):

  • Purpose of processing

  • Data Subjects involved

  • Source of the personal data (i.e. where it has come from)

  • Volume of data processed

  • Data format (Digital, Paper etc)

  • Transfer Methods (Email etc)

  • Data asset owner

  • Categories of personal data (e.g. name, address etc)

  • Organisation's role in the processing (e.g. Data Controller)

  • Automated processing involved

  • Third party processors involved (e.g. Local Authority, Examining Bodies etc)

The Data Register also contains a risk register, which records:

  • Risk highlighted

  • Risk score

  • Privacy treatment advised

  • Risk owner

  • Target date for completion

The process used within each Contracting Body will follow this methodology:

  1. The appropriate template Record of Processing Activity (ROPA) for the type of Contracting Body will be used.

  2. Our BA will have meetings with a staff member from each key area of the Contracting Body involved in the processing of personal data, and will:

     • Complete the ROPA;

     • Highlight and categorise the risks associated with each processing activity;

     • Suggest ways for the Contracting Body to remediate the risks highlighted.

  3. The ROPA will then be signed off by the Data Guardian.

  4. We will train the Data Guardian, so they are able to update the Data Register / ROPA on an ongoing basis, following delivery of the contract.

LOT 3 - PRIVACY BY DESIGN

Proposed Approach: Data Privacy Impact Assessments
As a first step, we will assess information contained within the Contracting Body’s Risk Register and look at those areas highlighted as ‘high risk’.

DPAS will identify the need for a DPIA for each activity / business process where data is collected. We will give explicit advice on where there is no need to complete a DPIA as per the legislation. 

Where a DPIA is required, we will create one in consultation with the Data Guardian (a person nominated by the Contracting Body to provide organisational insights and offer continuity once the contract has been delivered. Typically, they would be a Business Manager or ICT lead).

In order to compile a DPIA, DPAS will:

  • Record the risks to individuals, including possible intrusions on privacy;

  • Assess the corporate risks, including regulatory action, reputational damage, and loss of public trust. Conduct a compliance check against GDPR and other relevant legislation;

  • Maintain a record of the identified risks.

We will then:

  • Offer solutions to reduce or eliminate privacy risks;

  • Work with the Contracting Body to assess the costs and benefits of each approach, looking at the impact on privacy and the effect on the project outcomes;

  • Assist the Data Guardian to detail the privacy risk within the Data Register and risk register, and provide advice until satisfied with the overall privacy impact;

  • Provide the Contracting Body with a DPIA template and policies to use.

Following sign-off by the DPO, we will produce a high-level Privacy Impact Assessment report, reporting on activities we have delivered and making recommendations where appropriate.

LOT 4 - RECORDS MANAGEMENT PLAN

A full audit of the records management systems and their security within the Contracting Body. This includes the following areas:

  • Governance

  • Admissions

  • Administration

  • HR

  • Financial Management 

  • Property Management

  • Pupil Management

  • Curriculum Management

An individual plan, including a Records Management Policy, will be produced for each Contracting Body based on the specific findings of the audit. For example, it will clearly specify lines of accountability within Senior Management and will clarify the role of the Data Guardian. We would look to the Contracting Body to work with us to agree a prioritisation of any outstanding issues identified during the audit. The remediation will follow a risk-based approach.

The policy will define (and explain, using examples) the legislative, regulatory and best practice framework within which the Contracting Body operates.

In addition to the Policy Statement, and in order to support and develop compliance amongst Contracting Bodies, we will provide a series of policy templates via our online portal. These templates will be available to the Contracting Body for five years after the completion of the contract. New and improved policies will be made available to Contracting Bodies during that period. We will assist each Contracting Body to complete each template policy, specific to their organisation's needs, and provide advice on their update and review.

Policies will cover areas such as email management, business continuity etc.

Training

We will deliver our fully developed Records Management training package to Information Governance leads and the Data Guardian. We are in the process of getting this training accredited by the CPD (cpduk.co.uk/). We envisage this training will be delivered over a minimum of six hours. Delegates will be issued with a certificate on completion of the training.

Sustainability

We will establish a Records Management Forum for Contracting Bodies. This will enable them to share ideas and concerns both online and in quarterly meetings and will be designed to become self-supporting.

LOT 5 - INFORMATION SECURITY PRACTICES AND INCIDENT MANAGEMENT

1. Brief Audit

At the commencement of the contract, we will conduct a brief audit in order to develop an overview of information security within the Contracting Body. This will include understanding key risks, previous security incidents and near misses (if applicable). We will liaise with the Data Guardian (a person nominated by the Contracting Body to provide organisational insights and offer continuity once the contract has been delivered. Typically, they would be a Business Manager or ICT lead) to deliver this audit.

An amnesty would be put into effect at this time, giving staff members the opportunity to divulge unsafe practices regarding Information Security.

2. Develop an Information Security Policy

Using the findings from the audit, our own experience of Information Security and the Cyber Essentials framework (see above), we will develop a bespoke Information Security Policy for the Contracting Body. The policy would be subject to review and sign-off by Senior Managers and the Data Guardian.

3. Develop an Incident Reporting Procedure

Based on our understanding of the Contracting Body, we will develop a bespoke Incident Reporting Procedure. Key features of the process will include:

  • Identifying the incident:
    Giving staff sufficient knowledge to enable them to identify a breach, whether by electronic or other media (paper or hardware).

  • Reporting the incident:
    The procedure will specify to whom the incident should be reported (e.g. a nominated Senior Manager and the Data Guardian) and the process for reporting it.

  • Categorisation:
    The Data Guardian and Senior Managers will be responsible for categorising the incident, e.g. minor, serious, near miss etc.

  • Responding:
    Depending on the nature of the incident, the Data Guardian and Senior Managers will put into effect appropriate responses, including informing the police, the ICO (via the DPO) and affected service users.

  • Investigating:
    Once the incident has been dealt with, the factors involved will be investigated.

  • Learning:
    Using the findings from the incident to learn lessons, identify methods for improvement and develop new messages (to be delivered by training) to staff members.

  • Preventing:
    Putting steps in place to ensure the risk does not recur. This should include future arrangements to review and identify similar risks.

4. Awareness Raising and Training

We will utilise a blended approach to training, combining staff briefings, Q&A sessions, focussed training sessions, newsletters and articles for the intranet etc., to ensure that key messages are understood.

Training materials will be developed that can be replicated in induction packs for new members of staff and for members of governance boards and volunteers. A key element of the training will be to make use of scenarios to make delegates aware of typical Information Security risks.

Additional, more detailed training will be offered to key stakeholders, such as the nominated Data Guardian and ICT Managers, around issues such as using the Incident Management Process.

Delegates will be issued with a certificate on completion of the training. As part of our offering we will provide each Contracting Body with a training log, so the Data Guardian can easily manage who has and hasn't completed each level of training. We are in the process of getting our Information Security training accredited by the CPD (cpduk.co.uk/).

5. Building Sustainability

The purpose of this Lot is to help Contracting Bodies to develop and maintain the correct approach to Information Security over the long term. To do this, we will establish an Information Sharing Forum for Contracting Bodies.

LOT 6 - DATA PROTECTION FRAMEWORK

This Framework contains suites with dozens of tried and tested GDPR policies, procedures and guidance. It will be made available to all Contracting Bodies that buy into this Lot. Contracting Bodies will continue to have access to the Framework for an additional five years, once the contract has been delivered. Furthermore, they will be able to download new and revised policies, procedures and guidance developed by DPAS in that five-year period.

Many of the suites are specific to certain types of institutions, such as housing organisations, social care teams or third sector organisations. For example, our Education Suites incorporate standard documentation from the Department for Education (DfE), along with our own policies and procedures, which expand upon and complement them. Access to all these suites is via the secure online portal on our website, and clients are able to select and download the policies they require. For example, we have a suite for schools with a Special Educational Needs (SEN) unit, as well as one for those without.

Typical documents and policies contained in the individual suites include organisation-specific templates such as (this is a sample, non-exhaustive list):

  • External Privacy Notice

  • Internal Privacy Notice

  • Data Protection Policy

  • Individual Rights Policies (e.g. Subject Access Requests, Erasure Requests etc)

  • Data Breach and Incident Policy

  • Data Protection Impact Assessment Policy and Forms

  • Records Management and Retention Policy and Schedule

  • General Data Protection Regulation Guidance

  • Privacy and Electronic Communications Regulations (PECR) and Electronic Marketing Guidance

  • Photo Consent Forms

  • Bring Your Own Device Policy

LOT 7 - DATA PROTECTION TRAINING FOR ALL STAFF MEMBERS

We offer a combination of both online and classroom-based training (CBT).

Please note: Our CBT courses are delivered by members of our team who have recent and direct experience of dealing with the data privacy issues under discussion. We feel this differentiates us from our competitors, as our knowledge is practical and not theoretical. When planning training delivery, we ensure we have scheduled sufficient time for delegates to ask questions about specific issues they have encountered. We can also offer additional mentoring on request.

The courses we offer are as follows:
1. Online GDPR and Security Awareness Course (1 hour)

This course ensures delegates understand the relevance and importance of data privacy. They will learn about key risks and their personal responsibility regarding the regulation.

The course is interactive and takes around 40 minutes to complete. It covers the following subject areas:

  • GDPR Principles

  • The rights of the data subject

  • Children’s data and consent

  • Safeguarding student’s data

  • Breach reporting 

  • GDPR sanctions and risks

  • Cybercrime awareness

  • Working at home

  • Protecting assets

  • Password security

  • Records management 

  • Acceptable usage 

  • End of course assessment

One Day Courses

We offer a range of day-long courses, where in-depth knowledge is required by the Contracting Body. These courses are scheduled to take around 6 hours, but we are flexible on timings, as we will often discuss real scenarios to develop understanding. These courses include a one-hour exam containing 40 multiple choice questions with a 65% pass mark.

These courses include:

  • Foundation GDPR Course

  • Data Privacy by Design Course

  • Data Breach Course

To maximise uptake of courses, and to ensure that colleagues from the same Contracting Body can take the courses on different days to minimise disruption, we would initially envisage holding 8 GDPR Foundation Courses, 4 DPIA Courses and 4 Data Breach Courses per month within the Borough, to get as many staff trained as possible. We can take 15 to 20 delegates per course, depending on the course.

As part of our offering we will provide each Contracting Body with a training tracker, so the Data Guardian can easily manage who has and hasn't completed each level of training. This training tracker helps towards accountability auditing.

LOT 8 - DATA PROTECTION OFFICER SERVICES

Where the Organisation does not have a DPO with sufficient experience to complete the role, DPAS can provide an outsourced DPO.

Our DPO will:

  • Proactively inform and advise the client and its employees about their obligations to comply with the GDPR and other Data Protection laws. We will do this via a monthly Data Protection newsletter, sent to the Contracting Bodies' Data Guardian for dissemination.

  • Monitor compliance with GDPR and other Data Protection laws, including managing internal Data Protection activities and advising on Data Protection Impact Assessments (DPIAs).

  • Be responsible for providing assurance that Privacy by Design is incorporated into all personal data processing functions through the approval of the DPIAs. The DPO will record that DPIAs have been conducted in appropriate circumstances and that their conclusions mitigate risk and are assured. Each Contracting Body will have a secure portal that the Data Guardian and the DPO can access to store documents that need to be viewed by both parties.

  • Provide advice to projects and business change initiatives where DPIAs are required.

  • Consult with the Information Commissioner's Office (ICO) where high risk processes are identified, as well as on any matters relating to Data Protection compliance, including provision of evidence of compliance, and in relation to breach management.

Our DPO will be available if a breach occurs and will provide advice and guidance immediately. We will provide the Data Guardian with our data breach telephone number, which is answered 24/7, should a serious breach occur.

A yearly report will be provided to the Senior Leadership Team (SLT) and Governance Board to provide assurance and highlight key areas of delivery. Findings from the report will be presented to a meeting of the SLT or Governance Board by our DPO.

Exception Reports will be produced by the DPO for Senior Managers, in response to serious incidents or risks, as they arise.

DPAS will create a Working Group within Kirklees, open to all Data Guardians from Contracting Bodies. Members of our team will provide advice, share best practice and discuss concerns.

The DPAS team will create a monthly newsletter, specific to Kirklees. It will include the following areas:

  • Privacy News 

  • Training opportunities 

  • Data Protection Awareness in the Industry 

  • Do's and Don'ts

DPO Annual Report 

The DPO will submit an annual report which will highlight compliance concerns, time spent, DPIAs completed, staff awareness, SARs received and returned, and breaches dealt with.

This report will provide assurance and highlight key areas of delivery.

01484 910020

©2019 by Kirklees Data Protection Services. ALL RIGHTS RESERVED.

Data Privacy Advisory Service

The Media Centre,

7 Northumberland St,

Huddersfield,

HD1 1RL.