Best Practice Update


Lettings Best Practice and Guidance

During our data walks we look at data breach risks in terms of 'Who has access to what data?'. As part of a walk we may ask who has access to the school other than the employees and children attending, for example, Lettings. As Lettings usually occur outside of the school working day, physical security can be overlooked, which raises the risk of a data breach. This article launches our Lettings Checklist for schools, which is shown at the end of this article.

Key considerations when thinking about who has access to the building are:

Due Diligence about the organisation and initial checks
Ensure you have done some due diligence on the organisation. Although you may not be sharing data with them directly, they may have free access to your building when you are not there. Just because they don't use an area of the building does not mean it cannot be accessed if left unlocked.

Physical Security
Review what the letting organisation has physical access to on your site and lock any rooms that are not required. Often we are told that the Letting only has access to the hall, but that may not take into account that they need to walk around the building to use the toilets, or that the hall leads onto the kitchen area, which can often have photos of children and details about allergies. Private allergy/medical information comes under special category data and so requires extra security. Is this information locked away? Is the kitchen locked?
Consider having a physical security policy that includes a statement about lettings, with guidance for staff on what should be locked away:
DPE Model Physical Security Policy (document, 179 KB)
Consider what is required around physical access and access codes, and what needs to happen at the end of a letting.

Systems Security
While the letting organisation may not be granted permission to your systems per se, they may request access to your Wi-Fi, so consider a BYOD policy and a Wi-Fi Guest network:
DPE Model Bring Your Own Device Policy (PDF, 15 KB)
Access Control (Wi-Fi/Network Access)

If the letting also employs staff from your organisation, this does not give them an automatic right to use the school's systems to obtain personal data, for example a parental contact from the MIS, so ensure there is guidance in place for staff.
Are any of your devices left out, including the server, which could be at risk of tampering from an external source?
Third parties are a known cyber attack risk.

Continually reviewing what is on display and the need for it, especially regarding lists, will help to mitigate any risks of a data breach. Review the DPE Quick Reference Guide (PDF, 1.64 MB) for practical guidance for schools on ideas about classroom displays.

We've published a Lettings checklist to help with this process (you will need a Data Protection Education subscription to view/use this):
