The school data protection officer
An overview of the role of a school’s DPO
If your school is a maintained school or academy, then it is classed as a public authority and, under the GDPR, must appoint a DPO. This person is responsible for monitoring the application of the Regulation and advising and guiding the school on data protection. They are the point of contact for all data subjects and the supervisory authority, which is the Information Commissioner’s Office in the UK.
Schools in England and Wales are required to appoint their own DPO. In Scotland, the local authority takes this responsibility, and in Northern Ireland, the education authority is responsible for all schools.
What is a data protection officer?
- The DPO takes an independent monitoring and advisory role to inform you of your data protection obligations and support your compliance.
- They are the point of contact for data subjects and the Information Commissioner’s Office.
- They are expert in data protection law, adequately resourced, and report to the highest leadership level.
- They can be external and shared across a group of schools – including schools with formal relationships such as a trust and those without.
- They can be an employee, but there cannot be a conflict of interest with other roles.
- They provide advice regarding Data Protection Impact Assessments (DPIAs). A DPIA must be carried out where a planned or existing processing operation “is likely to result in a high risk to the rights and freedoms of individuals.”
Choose the data protection officer carefully
The required level of expertise of the DPO is not defined, but it must be proportionate to the sensitivity, complexity and amount of data you are processing. The DPO must have expertise in national and European data protection laws and practices and an in-depth understanding of the GDPR. They should understand your school’s processing, the information systems used and your data security and data protection needs, and have a sound knowledge of the school’s administrative rules and procedures.
The benefits of an external DPO
Choosing an external DPO service brings many benefits. The right DPO already has extensive data protection and legal knowledge and can offer a completely impartial service. To ensure value for money, the external DPO can be supported by an internal head of data protection. This person can be known as the ‘responsible person’ but never the DPO. With guidance from the DPO, they manage most of the compliance activities, such as organising and delivering training, implementing the processes and procedures and administering data breaches and subject access requests, always referring to the DPO’s guidance and detailed expertise.
Assessing the suitability of DPO services
When choosing the service for your school, consider the credentials of the individual or the organisation, remembering that you are ultimately responsible for the data processing in your school and need accurate and timely advice and guidance. Research their data protection experience, whether they have a legal background, their availability in an emergency and what other services, such as training and software tools, they offer.
GDPR.co.uk’s DPO service for schools
We are now offering a DPO service for primary schools with support from our law firm, GRCI Law. We have based the service on the needs of schools and the cost is only £395 per primary school.