Role of data protection officers
How data protection officers can help make sure schools are compliant with data protection laws.
All maintained schools and academies must have a designated data protection officer. A data protection officer can cover more than one school.
The data protection officer in your school is responsible for:
- advising school leaders and staff about their data obligations
- monitoring compliance
- conducting regular data audits
- developing and updating data protection policies and procedures
- monitoring who in the school has access to personal data
- advising when data protection impact assessments are needed
- answering data protection enquiries from staff, parents and pupils
- making sure privacy notices are regularly reviewed and updated
- supporting and advising staff who have data protection queries
- communicating with the Information Commissioner’s Office (ICO)
- reporting to the governing board or trustees about data protection
- advising the governing board or trustees on data protection risks
- advising on and co-ordinating responses to information rights requests
- making sure all assets containing personal data are appropriately managed and secure
You have different options for appointing your data protection officer or data protection lead. You could:
- re-align responsibilities in your current team
- share the data protection officer role between a group of schools
- ask for volunteers within the wider school community
- consider procuring a contracted service
Your data protection officer needs to be impartial. Any other duties they perform should:
- be compatible with their duties as a data protection officer
- not lead to a conflict of interest
Your data protection officer should know about:
- data protection
- UK GDPR
- the way your school operates
- the technology and systems you use
- cyber security
The data protection officer role includes a significant level of responsibility. You should make sure they have the appropriate time, resources and support to carry out the role effectively.
The multi-academy trust (MAT) Ark has appointed an information governance manager to serve as a MAT-wide data protection officer. This role supports its 36 schools, ventures and central teams with:
- developing data protection policies and processes
- updating IT and data systems
- being UK GDPR compliant
By providing training and support to the data protection officer, Ark makes sure they can lead schools in protecting staff, pupil and parent data.
To support compliance, all staff learn about UK GDPR and data protection as part of their annual induction in the same way they learn about safeguarding in schools and diversity in the workplace.
Annual safeguarding audits are carried out at every school. This makes sure that day-to-day processes meet data protection requirements.
Pupils are asked to give consent to the use of their data during their time at secondary school. This helps make sure they:
- are educated in their rights as data subjects
- know how to protect their own data
By centralising the role of the data protection officer across its network and sharing resources about how to comply with UK GDPR, Ark is reducing the burden on individual schools.