GovernorHub’s resident GDPR expert, Alex Robinson, talks us through the ins-and-outs of GDPR for Governing boards, six months on.
So, what was the big issue for governing boards?
GDPR became an issue for boards because it was an issue for schools. Historically, governing boards didn’t really consider how to protect the data they were using. It was quite common for documents (board data) to be sent between governors by email attachment, which would then be stored on whichever device the governor was using. A governor might then print out documents using a shared workplace printer. The good thing about GDPR is that it raised awareness about data protection and made us governors think about our own data and the data we use.
But do governors see much personal data?
GDPR is about personal data. At one level, you can argue that governors don’t actually see much personal data (names of children, names of adults). This partly explains why data protection was not a big consideration before GDPR. However, this overlooks the fact that governor details themselves can include personal data, whether that’s their email address or the views they express. Also, we know that some personal data is seen by governors (or at least data which might identify an individual). So, it was definitely time for boards to take data protection seriously.
The first response – school email addresses
Once governing boards realised that data protection for the board was important – one of the first responses was that many schools began to require governors to use school email addresses. This approach has advantages and disadvantages:
Advantages: Email traffic for a governor is all in one place, access can be revoked if there’s a problem, and there is only one place to look if there is a subject access request.
Disadvantages: Most governors already have an email address they use and dislike having yet another one. The more email accounts a person has, the more likely they are to have the same password or note down a password (this begins to erode the benefits). In some cases it’s been too difficult/complicated to log in to school addresses and the school office becomes a reluctant IT Help desk.
What did GDPR mean for us at GovernorHub?
At the start of our preparation we reviewed all the data we use and made sure we knew exactly what was stored, why it was stored and how it was used. GovernorHub is a cloud-based system, we work with several partners to provide the platform to our customers. As part of our preparation for GDPR, we had to review the data protection policies, procedures and practices of all of these partners. We were looking for assurance that everything they did complied with the regulations and that compliance became part of their service level agreement with us.
We also had to renew our internal policies and procedures and train our staff. We were able to show compliance well ahead of the deadline and give our customers assurances.
Do we use personal data for marketing at GovernorHub?
GovernorHub doesn’t use customers’ data for marketing purposes so that bit was easy for us. This certainly meant extra work for other organisations when it came to consent and opt-outs.
Data protection hygiene
GDPR highlighted the importance of this for everyone – the use of good practice with passwords, storage, encryption, knowing what data you hold and how long you hold it for.
An unexpected benefit of GDPR for us at GovernorHub was a surge in customer enquiries from boards looking for cheap and simple ways to meet their own data protection needs.
No germs on us!
- GovernorHub offers encrypted cloud storage of board documents and communication. Information is held in data centres in the UK and the EEA
- GovernorHub eliminates the need to send personal data in documents sent as email attachments. Governors have access to documents via an encrypted link on the GovernorHub server
- You don’t have to use a school email address to get the benefits of GovernorHub (because no documents are sent as attachments to your email address)
- GovernorHub keeps all the Governing Board data and information in one secure place (this also improves transparency). There is only one place to look if you’re responding to an FOI or subject access request.
The implementation of GDPR doesn’t mean we’re being complacent about security at GovernorHub. We are working on a couple of new features to help customers improve security practices:
- The ability to enforce stronger passwords
- Two factor authentication (i.e. using a code received via text message when you log in.
Finally, we’ve been subject to numerous reviews and questionnaires by several of our local authority and MAT partners. We are always happy to help and answer your questions about GDPR.