Questions you should ask your MIS about GDPR

The below is our take on the questions you should ask your suppliers, including your MIS, to ensure you're GDPR compliant. Just copy and paste!

Why should schools & MATs care about GDPR?
GDPR introduces significant new compliance obligations for schools and new requirements for the processing of children's data, notably increased governance requirements and much higher fines if schools & MATs fail to comply (up to the greater of €20m or 4% of annual worldwide turnover). Ensuring compliance is unfortunately a good deal of work, but you can lean on your systems providers to do a lot of the heavy lifting for you. With server-based (on-premise) systems, it can take up to 6 months for a fix to a data breach to reach every installation, as a recent story has highlighted; with a cloud-based system the fix can be deployed to everyone instantly (although breaches should never happen in the first place!).

Questions to ask your MIS
Your MIS is the key source of student and staff information in your school, and holds most of what GDPR would class as 'personal data'. When preparing for GDPR it's important that you first ensure your MIS is compliant; then you can switch attention to the other suppliers and systems that feed off the data in your MIS.

What GDPR introduces, why schools & MATs should care, and what to ask your MIS

GDPR extends the definition of personal data
Why schools & MATs should care:
  • More data protection processes and procedures to document
Questions for your MIS:
  • What is your current MIS's Information Security Management System (ISMS)?
  • Does your MIS hold any current data protection and cyber security certifications (e.g. ISO 27001, Cyber Essentials Plus)? Ask to see the certificate and check that its scope covers the service you actually use, not just the vendor's offices.

GDPR introduces higher penalties for breaches and for failing to notify them (up to the greater of €20m or 4% of annual worldwide turnover)
Why schools & MATs should care:
  • Schools need to audit their systems and suppliers to check compliance
  • Increased risk, especially for MATs, which are data controllers for multiple schools
Questions for your MIS:
  • Do your data protection terms flow down to your sub-processors, so you're covered? (GDPR requires a processor to impose the same data protection obligations on any sub-processor it engages.)
  • Is your MIS liable for any act or omission by those sub-processors?

GDPR extends the rights of individuals over their data
Why schools & MATs should care:
  • Parents and students can request more information from schools, and schools need to be able to provide it easily
Questions for your MIS:
  • Can your MIS export a full list of the fields it holds for student and guardian data?
  • What is your MIS's data retention policy? Does it keep only the data that is necessary, or does it retain all data indefinitely?

GDPR introduces new breach reporting requirements and additional governance requirements
Why schools & MATs should care:
  • A notifiable breach must be reported to the supervisory authority (the ICO in the UK) within 72 hours of the school becoming aware of it, so you need to know how quickly your suppliers will tell you
  • A Data Protection Officer must be appointed who is up to date on the legislation and can respond appropriately
  • If you as a MAT pool your data centrally in a dashboard or central school view, does that meet GDPR requirements around permissioning and data pooling?
Questions for your MIS:
  • How quickly, and by what route, will your MIS notify you of a breach affecting your data?
  • Has your Data Protection Officer audited your MIS to ensure compliance and assess risk, using the questions above?
  • Does your MAT's central data meet GDPR requirements, ensuring that access is permissioned and each school's sensitive data is kept separate?

What should your schools be doing now?
There's a lot of scaremongering by third parties, but Iain Bradley (Head of Data Modernisation at the DfE) has written what I think is a very useful blog that discusses the steps schools should be taking now:
  • Think where personal data is captured during school life – this is likely to include admissions, parental forms, assessment, school trips etc.
  • Think about where that data is used – generally it's for contacting people, for tracking education, or for running regular school facilities and activities like libraries and canteens. Several, but not all, of your systems may interconnect with the core management information system (MIS).
  • Think who you share that data with – for schools this commonly includes local authorities, multi-academy trusts, the DfE and beyond.
  • Start asking questions of your system providers – you can use our list above for your MIS.
The above steps are often best captured in a data mapping exercise, which we've done at Arbor and which Iain from the DfE has done at the primary school where he's a governor. A copy of the picture is below.
How Arbor can help
We've worked hard to ensure that Arbor exceeds current data security recommendations. We're ISO 27001 compliant (the international standard for information security management systems), on the government's G-Cloud framework and accredited to hold sensitive data. We also stress test our processes and procedures by commissioning third-party testing and holding cyber security certifications. Our FAQs answer common questions about how Arbor is GDPR compliant.
We’ve put a presentation together that sums up these points which you can read below. All in all, GDPR is something that schools should consider seriously, but you should lean on your providers to help alleviate the burden.