As we edge ever-closer to spring, we are pleased to bring you this February UPDATE.

Associate & Strategic Leader of Teaching & Research Schools (ESW) Roger Pope CBE reflects on the recent LSSW Connect study visit to The Charter Schools Educational Trust in London with a feature later in this issue.  The simple and succinct vision for the Charles Dickens Primary School is that greatness begins with academic excellence, creativity and social intelligence as Roger reports how he saw this in practice in the school during the study visit. 

In a part one feature, our Director of Teaching School Hubs, Jen Knowles recently met with the SWIFT Diversity, Equity and Inclusion Partnership Group to consider how SWIFT can address DEI across our Golden Thread programme delivery. We will report back once the DEI Group have processed the analysis phase of documents and communications, and share how the SWIFT Teaching School Hubs Team can take action on this important dimension of our work. 

We report back on the joint initiative working with Colyton Foundation and Atom Learning to promote Free Pupil Premium support for Key Stage 2 children across our South West schools. Take-up has been very encouraging and we hope that schools are seeing the benefits. If you are interested in finding out more about Atom Learning, you can watch a short demo video in the feature. 

Working with national Lead Providers is key to our delivery work as Teaching School Hubs and in this February issue, we interview Amy Lingfield, Director of Partnerships at Teach First who shares how we align as organisations. 

You might have spied the new name and logo, but Jon Eaton, Director of the newly rebranded Devon Research School explains what this means for you. 

Our sponsor, SchoolPro TLC shares their expertise and knowledge about data sharing with school immunisation services. You can meet Director, Ben Craig at next week's School Business Management Professional Community on Tuesday 11 February 2025 between 1300 – 1500. Ben will be presenting on Biometrics, Immunisation Data, SAR Guidance and AI. Book your place here This session is FREE to SWIFT Members or £25 for Non-Members. 

Our other sponsors are also here to help life in your classrooms and schools to be even more effective and enjoyable. ONVU Learning have developed Smart Moments as part of their lesson video capture technology that allows teachers to flag seamlessly key classroom moments in real-time designed to make post-lesson review easier than ever. Find out how in their feature. 

Meanwhile Exeter Supply Partnership are heading north of our region and are busy recruiting in North Devon for outstanding primary teachers and Teaching Assistants and working with schools as a not-for-profit organisation who invest in their supply team. 

Endlessly enthusiastic about all things food, Educatering showcase a special "out of this world" themed catering and show how they care about pupils having a hot school meal every day. Not only to benefit the school kitchen, but to boost concentration for pupils’ afternoon learning. 

Similarly, if you are thinking about a change to your school /Multi Academy Trust's catering, you can meet Educatering's Head of Catering, Rob Stevens at next week's School Business Management Professional Community (as detailed above).

It is all here for you.
Thank you for taking the time to read and relish our latest. 

Team Achievements
The SchoolPro TLC Teams have their own expertise and are proud to have excelled in various projects with a commitment to deliver exceptional results and ultimately, to strive to exceed client expectations. Special recognition goes to the Data Protection Office Team for their outstanding performance in supporting schools with:
 
892 data breaches
671 Subject Access Requests
181 data decisions
 
The Data Protection Impact Assessors (DPIAs) saw a 74% increase on last year with 73 completed.
PLUS, numerous compliance checks and audits undertaken by the team and this does not even include an attempt to count the number of emails and phone calls responses!
 
The Training Team have supported (through the SchoolPro TLC online training platform) 11,922 school staff course completions across Cyber Security, Data Protection and Safeguarding training courses.
 
They have also run onsite and remote staff training sessions throughout the year and developed a number of new training courses focused on different Data Protection topics, including Subject Access Requests (SAR) management and How To Be A Data Protection Champion.

Finally, the launch of the ‘After School Sessions’ enjoyed a successful first in a sequence of training events on Safeguarding and Data Protection in the SchoolPro TLC Gloucestershire HQ in November.

Community Engagement
School Pro TLC are proud to have strengthened their commitment to corporate social responsibility, and participated in several initiatives that have made a positive impact on our community.
 
They continue with the SME Climate Hub Commitment and hope to carry on reducing emissions  into the new year and beyond with a target to achieve net zero by 2030.
 
Partnering with The Ocean Network in support of Surfers Against Sewage, this is an exciting relationship as they become a voice for the ocean in helping to protect the UK’s unique coastal environment. A cause that is close to the Team’s hearts.

Click on the logos below to find out more!

Looking Ahead | Strategic Goals for Next Year
Planning is in earnest for the launch of the new portal, which will increase team capacity with the intention of best serving schools and Trusts, whilst building on successes, and exploring new opportunities with partnerships to support SchoolPro TLC clients with even more cost-effective and high-quality services.
 
If you have yet to meet SchoolPro Safety, this new brand was launched in September, and offers a range of Health and Safety services; and will be joined by the upcoming SchoolPro Safeguarding, due to launch early this year.

Our sponsor SchoolPro TLC shares here their GDPR and Data Protection expertise in understanding the Birmingham Children’s Services Data Breach and the implications and guidance for school and Multi Academy Trust (MAT) leaders.
 
In May 2024, the Information Commissioner’s Office (ICO) issued a reprimand to Birmingham Children’s Trust Community Interest Company (BCTCIC) for an inappropriate disclosure of a child’s personal information.
 
This unfortunate incident underscores the critical importance of robust Data Protection practices, especially when dealing with sensitive data related to children and criminal offences.
 
As leaders in schools and MATs, understanding the implications of this reprimand and implementing key actions can help safeguard your institutions from similar breaches.

Overview of the Incident
On 10 November 2022, BCTCIC experienced a significant data breach involving the inclusion of sensitive information about another person in a Child Protection Plan (CP Plan) sent to a family.
This breach occurred within the Child Protection and Review (CP&R) department, which routinely handles both personal data relating to children and criminal offence data.
 
The specific incident involved two neighbouring families.
Family A had raised concerns about interactions between their child and Child X from Family B.
During the formulation of a Child Protection plan, information from a separate strategy meeting with West Midlands Police, containing serious criminal offence allegations against Child X, was inappropriately included and this sensitive data was subsequently disclosed to Family A, resulting in a violation of Data Protection regulations.
 
Key Findings and ICO Reprimand
The Information Commissioner's Office (ICO) found that BCTCIC had violated Articles 5(1)(f), 32(1)(b), and 32(2) of the UK General Data Protection Regulation (UK GDPR).

Articles that mandate personal data must be processed securely to protect against unauthorised or unlawful processing and accidental loss, destruction, or damage.
 
Several key issues were identified:

• Inadequate Policies and Procedures | BCTCIC’s existing policies lacked detailed, practical guidance on Data Protection, particularly regarding the inclusion of personal data in documents like Child Protection plans.
• Over-Reliance on Professional Standards | BCTCIC relied too heavily on Social Work England’s standards, which were not specifically designed for Data Protection compliance.
• Insufficient Training | Whilst BCTCIC provided general Data Protection training, it lacked specific, role-related training for social workers, reducing the effectiveness of the training.   

Implications for Schools and MATs
The ICO have highlighted that Schools and MATs must be vigilant to avoid similar data breaches:
 
1. Develop Robust Policies and Procedures 
Ensure that your Data Protection policies include specific, detailed guidance on handling sensitive personal data.
This should cover what data is appropriate to share and under what circumstances.

2. Implement Role-Specific Training
General Data Protection training is essential, but it should be supplemented with role-specific training.
Staff should understand how Data Protection principles apply to their roles within the context of their setting.

SchoolPro TLC are developing SEND and Designated Safeguarding Lead-specific Data Protection training to help boost staff confidence when responding to information requests.

3. Conduct Regular Audits and Reviews
Regularly review and audit Data Protection practices to identify and mitigate risks.
Look at who the school has shared information with, how much and the method for exchange.

4. Regular Records Review
Create time to review the records you hold, checking the quality and accuracy.
Feedback to staff to support the development of a safer culture within the school.
 
Actions and Recommendations
Based on the ICO’s recommendations and the lessons from the BCTCIC incident, there are specific actions for schools and MATs to consider.

• Granular Standard Operating Procedures (SOPs): Develop detailed SOPs for producing and reviewing sensitive documents such as safeguarding documentation. Ensure these procedures include independent checks for personal data.
• Comprehensive Training Programmes: Enhance your training programmes to include specific modules on Data Protection relevant to different roles within the institution.
• Risk Assessments and Mitigation Plans (DPIAs): Conduct thorough risk assessments to identify potential Data Protection vulnerabilities and implement measures to mitigate these risks. These would be in the form of Data Protection Impact Assessments (DPIAs).
• Regular Policy Updates and Staff Briefings: Regularly update your Data Protection policies and conduct staff briefings to ensure everyone is aware of their responsibilities and any changes in procedures.
• Feedback and Continuous Improvement: Create a feedback loop to continuously improve Data Protection practices. Encourage staff to report any issues or suggestions for improvement.

Conclusion
The reprimand issued to Birmingham Children’s Trust serves as a stark reminder of the importance of robust Data Protection practices, especially when dealing with sensitive information related to children.

By understanding the implications of this incident and implementing the recommended actions, schools and MATs can better protect their data, ensure compliance with data protection regulations, and better safeguard their students.
 
As leaders, it is our responsibility to foster both a culture of Data Protection and Child Protection within our settings, by going above and beyond to ensure the safety and privacy of all individuals whose data you handle. Data Protection is Child Protection.
 
By Ben Craig, Director, SchoolPro TLC Ltd

As part of their experience within the education sector, our sponsor SchoolPro TLC provides the role of Data Protection Officer (DPO) as a service for schools.

​The SchoolPro Team have been receiving a number of queries from schools about the issue of sending home flyers for third-party organisations by email or post.

See below for their updated guidance on sending out communications from third-party organisations to parents. The team are able to draw on their knowledge as former school leaders, as well as their DPO expertise.

Your school, for example, might be thinking about sending home a communication about local community events or third-party activity providers. Email is often used by schools for this, although SchoolPro TLC have reservations due to email being subject to Privacy and Electronic Communications Regulations (PECR) and additional consent requirements.

Here are the various implications of each option for sending communication home and what requirement you should meet:

Postal Leaflets in School Bags
The process for sending postal leaflets via school bags is not subject to the privacy and electronic communications regulations (PECR), which means consent is not required.

The school can rely on a Legitimate Interests lawful basis and perform a Legitimate Interests Assessment (LIA) for the overall practice of sending out these mailings. It is crucial that parents are informed about this process and have the clear option to opt-out. The school needs to ensure that parents are aware of their rights and the school’s processing activities through clear communication, such as a statement in a parent newsletter. This approach negates the need for separate LIAs for each third-party organisation's materials being sent out.

In order to notify parents about this processing, the school could add the following into a parent newsletter (or similar) – words to the effect of:

"we will occasionally send home flyers from trusted third parties such as the local authority in pupil bags. This is to make you aware of events, activities, services and products that we think may be of interest to you or your family. Please let us know if you object to this and we will ensure that you don’t receive this information.”

Electronic Communication (including Email)
There are two distinct categories regarding electronic communication:

1. Direct Marketing Messages
These include communications where a paid service is being offered, or there is fundraising or similar activities involved. Examples include services like school photography or extracurricular activities run by external companies that require payment. These types of messages require prior opt-in consent from the recipients, and it must be straightforward for them to withdraw consent at any time.

It is important to ensure that this consent is specific, informed, and unambiguous.
The school should not use opt-out forms for these types of communications; instead, an explicit opt-in mechanism should be in place.

2. Promotional Messages Not Classified as Direct Marketing
This category includes communications that can be considered part of the school's or trust's legal function as a public body and do not have a paid-for element.

Examples might include free educational opportunities from the local library or informational leaflets from the NHS. These messages do not require prior consent but fall under the 'public task' legal basis. While upfront consent is not needed, parents should still be informed about these communications and have the ability to object to receiving them, akin to the opt-out process in legitimate interests. Similar notification to that quoted above for the school bag method could be used to ensure transparency.

In Summary
For non-commercial promotional messages sent by electronic media, and leaflets (commercial or otherwise) in school bags, consent is not required upfront, but there should be an option for parents to opt-out or object. Schools must inform individuals about this processing beforehand, maintaining transparency and adhering to data protection principles.

For commercial promotional messages sent by electronic media, including paid-for services or fundraising, schools must obtain clear, opt-in consent from parents before sending these communications.

By distinguishing between these types of communications and applying the correct legal basis for each, schools can ensure compliance with data protection regulations while keeping parents informed about relevant services and opportunities.

This marketing definition might be helpful clarification for you.
Direct marketing is any type of advertising or promotional material aimed at a particular person.
​Mass marketing, such as an advertisement in a magazine, is not aimed at anyone in particular.

We hope that you find this advice helpful and the SchoolPro TLC Team are available should you need further guidance and support. 

With thanks to Director Ben Craig and the SchoolPro TLC Team.

Our sponsor SchoolPro TLC provide some helpful and current advice about confidential references and subject access requests.   

When it comes to subject access requests and exemptions, it is important to understand the various exceptions that apply to certain types of personal data.

One specific exemption relates to confidential references. According to the Information Commissioner’s Office (ICO) and the Data Protection Act 2018, personal data included in a confidential reference is exempt from the right of access in specific circumstances.

The exemption applies to references given or received for the purpose of prospective or actual education, training, employment, volunteer placement, appointment to office, or provision of services by an individual. It is important to note that this exemption only applies to references that are provided in confidence.

To ensure clarity in your documentation, especially for educational references, it is advisable to state explicitly that all references will be treated as confidential. This should be communicated to both the individuals providing the referees and those providing the reference itself.

For example, instead of a simple instruction like “Please provide details of two referees.”
You can modify it to convey that all references will be treated as confidential.
A revised statement could be: “Please provide details of two referees. All references will be treated as confidential.”

If your references are considered confidential, you will need to ensure staff dealing with subject access requests are aware of, and have adequate guidance to follow in order to prevent accidental release of your confidential references.

Understanding these exemptions and clearly communicating the confidentiality of references will help ensure compliance with Data Protection regulations and maintain the privacy and trust of individuals involved in the process.

By Ben Craig for the SchoolPro TLC Team 

If you are interested in this topic and wish to find out more about working in this area, you can find out more about how you could Make a Difference with SchoolPro TLC.   

Our sponsor SchoolPro TLC provides guidance for schools and MATs following the recent infringements ​by a primary school in relation to the Article 5 (1)(f), Article 24 (1) and Article 32 of UK GDPR.

The unfortunate data breach has emphasised the importance of robust Data Protection practices in schools, colleges and MATs. 

The Information Commissioner's Office (ICO) publicly reprimanded Parkside Community Primary School for infringements of the UK General Data Protection Regulation (UK GDPR).

Whilst this is clearly a concern for the school and data subjects involved, it also provides a valuable opportunity for all schools to reassess their Data Protection strategies.

The incident involved the inappropriate disclosure of personal and special category data in a classroom setting, affecting four data subjects including three children. According to the reprimand published, key contributing factors to the breach included insufficient Data Protection policies, inadequate guidance around email security, and a lack of explicit procedures regarding the use of a case management system.

SchoolPro TLC delve here into the key lessons to be learned from this unfortunate event, and provide a checklist to ensure that you are adequately protecting the personal data of your pupils and staff.

Lessons to Learn
The reprimand presents several key lessons that could apply to other schools in the UK:

1. Ensure Adequate Data Protection Policies
The reprimand highlighted that the school lacked detailed Data Protection policies, specifically on the safe handling of personal data over emails and the usage of a specific case management system.

Policies should clearly outline the procedures for maintaining data security and confidentiality, especially when it involves sensitive or special category data.

Schools should have policies specific to high risk software and platforms they use, created in conjunction with risk assessments or Data Protection Impact Assessments (DPIAs).

2. Provide Clear Procedures and Guidance
The lack of written guidance for employees was a significant issue.
Clear instructions need to be in place for using security and confidentiality classifications on emails, and for the usage of any case management system or software.

Guidelines regarding when and where to open sensitive emails, and how to operate electronic devices securely (like electronic whiteboards), should also be clearly provided.

3. Staff Training
Regular and thorough training for staff is necessary to ensure compliance with Data Protection regulations.

This should include training on the operation of specific software or systems, data breach reporting procedures, operation of electronic devices, and general Data Protection principles.

4. Incident Reporting Mechanisms
In this case, staff failed to report the data breach internally.

An effective incident reporting mechanism should be in place, and staff should be well aware of the process to follow if a data breach is suspected or has occurred.

5. Sensitive Data Handling
Emails or alerts containing sensitive information should be appropriately labelled and only accessed under safe conditions (e.g., not in the presence of children or during teaching hours).

Controls should be in place on who can access highly sensitive information and when.

6. Policy Enforcement and Review
All staff and stakeholders should be familiar with the school's Data Protection policies.

Policies should be reviewed and updated regularly, especially in response to incidents, and staff should be required to affirm their understanding and acceptance of these policies.

7. Testing and Audit of New Processes
Any new processes or procedures introduced in response to a data breach should be tested to ensure they are effective and embedded within the organisation.

Action Plan / Checklist
Taking those lessons into consideration, what key actions can a school, college or MAT take to reduce their data breach risk and improve practice?

Policies and Procedures
Review your Data Protection policies and procedures, ensuring they cover all aspects of data handling, including specific written guidelines for using software and systems that process sensitive data.

Training and Awareness
Develop a regular training schedule on Data Protection for all staff.
Emphasise what constitutes a data breach, the importance of reporting breaches promptly, and the consequences of failing to do so. 

As a guide, staff should receive Data Protection training as part of their induction to the organisation, and refresher training should be completed at least biennially if not more frequently.
Annual refresher training would be best practice.

Email Security
Implement security measures for emails that contain sensitive data, such as security classifications or labels. Provide clear guidelines on when and where such emails can be safely opened.

Where possible, use alternative methods of communicating sensitive data such as access-controlled, secure, shared folders, or internal secure data transfer systems if available to your school.

Software and System Security
Review the security measures for all software and systems that process sensitive data.
Ensure staff are trained on how to use these systems securely such as the use of strong passwords and multi-factor authentication.

Also, include procedures, guidance and training for those systems that could be used to view sensitive data such as electronic whiteboards and screen-sharing from staff members' electronic devices.

Monitoring and Review
Regularly monitor and review your Data Protection measures to ensure their effectiveness and make improvements where necessary.

By following this checklist along with your existing practices, and continually investing in data protection, you can better protect the personal data of your pupils and staff, and ensure compliance with the UK GDPR.

The incident highlighted by this ICO reprimand serves as a stark reminder of the potential repercussions of insufficient Data Protection, and the importance of making it a priority in your school, college or MAT.

Stay safe and healthy.
Report by the SchoolPro TLC Team

​We recently saw the release of the Government’s response to their consultation on the proposed Data Reform Bill.

It is still early days for the proposed legislation and there is a lot to go through from this response. In addition, the timeline for the new legislation and exactly what it will look like based on this response is unclear at this stage.

But our sponsor, SchoolPro TLC, has looked at the consultation outcome and you can read their initial reaction and thoughts about how it might impact on working with schools in the future.

Privacy Management Programmes to be a Compliance Requirement
This is one that we have been expecting and we have built the online audit/accountability tool in the new portal with this possibility in mind.

Essentially, the proposal is to reduce down the accountability requirement to the following six key areas (from the current ten):
 

• leadership and oversight
• risk assessment
• policies and processes
• transparency
• training and awareness of staff
• monitoring, evaluation and improvement

 
This potentially simplifies the process and our audit tool has been developed to be fully configurable.
So, if this change goes ahead as suggested, the existing tool can be adapted to the new Privacy Management Programme and relevant information, actions etc already in the tool, can be ported across as required. The Government have been keen to highlight that this is not to reduce the rigour of accountability and lower standards, but to create a more flexible tool that can scale depending on the risk level of the organisations. This may well ease some of the burden on smaller schools, for example.

Data Protection Officers (DPO) to no longer be mandatory and to be replaced with a ‘senior responsible individual’
This proposal removes the need for an independent DPO with no conflicts of interest and allows the role to be taken on by a senior individual within the organisation. That person will still fulfil many of the existing roles of a DPO, so it is likely that many organisations will simply continue with their existing arrangement. The ‘senior responsible individual’ will be responsible for:

• representing or delegating a representative to the ICO and data subjects
• ensuring appropriate oversight and support is in place for the programme and appointing appropriate personnel
• providing tailored training to ensure staff understand the organisation’s policies
• regularly auditing the efficacy of the programme.

 
At present, it is not fully clear if this will apply to all organisations; or whether it will be only small organisations and those that do not process high levels of sensitive data that are able to drop the requirement for a “DPO”. We are obviously going to keep a keen eye on this one!

Removal of Data Protection Impact Assessments (DPIAs)
The thought here is to provide a more flexible and tailored approach to organisations.

Again, the Government are keen to emphasise that this is not to reduce rigour and lower standards and they state that organisations will still have to identify, assess and manage risk. This may allow for a more risk-based approach where lower risk processing has a simpler risk management approach and higher risk processing still follows a similar DPIA process to what is currently in place.

However this is implemented; thankfully, this should not involve new risk management for legacy systems as the Government has stated that “existing DPIAs would remain valid as a way of achieving the new requirement.

Removal of the Record of Processing Activities (RoPA) Requirement
As with DPIAs, this is to provide a more flexible approach that can be tailored to different organisation depending on size and the nature of their processing activities. This will link to the Privacy Management Programmes and will require organisations to have “personal data inventories” that “describe what and where personal data is held, why it has been collected and how sensitive it is.”

​From what we have read so far, we believe that our existing data mapping tool will allow for these inventories to be created still with very little need to be adapted from their current format.

It is also clear that not everyone is happy with the proposals.

​Reading through the response, the prevailing theme appears to be “we asked about this, most of you weren’t happy with proposed changes… so we’re going to make some anyway;” which is an interesting approach to a consultation.

All we can say is, watch this space…
​
Report by Ben Craig CIPP/E, Director of SchoolPro TLC Ltd