Through online meetings, data walks and the Knowledge Bank platform (online support portal), the Vale Federation know where they are with data protection compliance.
For the last two years, the focus of Steve Parkinson, the Federation’s Business Director, has been improving cyber resilience. He works with the Finance Manager, Maurice Williams, to check data protection compliance and cyber resilience for the organisation.
It’s important to note that, in special schools, each child must have an EHCP to be able to attend, which means nearly every piece of data about a child is highly sensitive or special category. Because of its sensitivity, this type of data warrants extra security and protection. With this in mind, the Federation knows how important it is to keep the data secure in any systems they may have. Any new systems are carefully considered following a due diligence process with DPE before being implemented, with an approval procedure in place. Both user access to data and access controls are configured, using multi-factor authentication (MFA) where possible and checking access against job role.
The Federation is very aware of the DfE Digital Standards for Schools and Colleges and has already completed vulnerability testing on their systems. Tightening of physical security has also been considered and reviewed during data walks with DPE, which has sometimes meant setting up fob access for certain areas in the schools. Having so many children with such high needs, both physically and mentally, means that some data does need to be around for safety and practical reasons, so both Steve and Maurice look to do this in the most practical and secure way possible. The Federation follows best practice in how that information is made available during the day and then locked away at other times.
DPE and the Federation have reviewed best practice around printing (using print codes), banning USB sticks and encouraging use of the cloud. This includes working with the Federation to help create awareness by providing feedback resources and onsite training for all staff who have access to personal data.
DPE and the Federation regularly meet to review policies and check compliance. The Federation uses the DPE Knowledge Bank to log data breaches and SARs as per ICO guidance. This way they are able to confidently track any data breach or SAR for both schools and the central Federation team. They have made good use of the checklists in the online portal (Knowledge Bank) to check where they are with all areas of compliance, in line with the ICO Accountability Tracker.
During onsite visits, when conducting a Making the Rounds (data walk), the risks around data protection are discussed and assessed with the Federation with a view to implementing best practices where possible. The Federation has a compliance-friendly ethos and wants to keep data safe and secure, and so invests time in appropriate systems and system configuration (with particular attention to user access) but, more importantly, in the training and awareness of their staff. This is crucial when staff deal with so much special category data and are so busy looking after the needs of the children.
The Vale Federation is a great example of how an educational establishment is investing in systems and policy to control data security, manage cyber resilience and follow both compliance and standards within the limited resources currently available to schools.