The COVID-19 pandemic has brought enormous changes to the daily lives of us all. Many of us have had to use unfamiliar technologies for the first time in order to work from home, communicate and meet with colleagues and clients. For most governing boards, it has meant adapting quickly from holding face-to-face meetings, to using video or teleconferencing applications such as Skype, Microsoft Teams and Zoom.
Working remotely coupled with the use of personal technological devices is likely to increase risk of data protection breaches. It is important therefore as governing boards adapt, that they also continue to comply with the requirements of the General Data Protection Regulation (GDPR) and do not allow their circumstances to create an environment which allows for a lack of care and due diligence.
The data protection policy for the school or trust is likely to include the principles and protocols that, if followed, provide a safe and secure environment for virtual meetings to take place. Where this is not the case, we recommend that governing boards seek the advice of their school’s data protection officer (DPO) as to how the policy needs to be amended. NGA’s guidance on maintaining business continuity and holding virtual meetings includes an example protocol that governing boards can use or adapt. The Information Commissioner’s Office (ICO) has also published data protection and coronavirus guidance to assist those working remotely in adapting to new arrangements whilst ensuring compliance.
The DPO remains responsible for managing compliance with the GDPR and is the main point of contact for all data protection matters. Governing boards, as part of their essential business, will no doubt be seeking assurance that the partial closure of schools does not prevent key responsibilities of the DPO from being discharged as necessary.
On a practical level there are measures that those governing and clerks can take to ensure that personal information is always protected. These include password protecting personal data or confidential information that is shared via email and sending the password separately. Doing this ensures that no one other than the intended recipient can access the information. It’s also important when sharing or storing personal data on electronic devices to ensure that the device is password protected, thus preventing unauthorised individuals from accessing any personal data held on the device.
During this challenging time, we recognise that there may be circumstances that make it difficult to discharge a function operating strictly by the rules. However, it is important to remember that individuals still have legal rights in relation to their own personal data and that all data, regardless of what form it’s kept in, needs to be managed in compliance with the requirements of the GDPR.
Through the ‘advice insights’ series, NGA’s GOLDline advice team are taking turns to explore the themes of some of the most common legal, procedural or practice questions they receive. This insight is based on a general scenario – for advice tailored to your governing board’s circumstances and context, please contact the advice team.
View all of our COVID-19 guidance and resources for governing boards