DPO Newsletter June-July 2025
Professional Data Protection Updates & Guidance
Please press play on the video below for a summary of the key points from this months newsletter.
Interactive PDF Newsletter
Welcome to June/July 2025
Welcome to the June/July edition of my newsletter! Exam season has nearly ended as we enter the last half term of the academic year. It's flown by as usual!
Update on New Legislation
I am continuing to check the status of the UK's Data (Use and Access) Bill. It has passed its final stages and is awaiting Royal Assent. I anticipate that this will happen before the parliamentary summer recess. If it does, I will be reviewing documentation over the summer to present you with updated versions for the Autumn.
Important Update: Data Retention and Deletion Process for Pupil Leavers in Arbor
In my last newsletter, I informed you that it had been brought to my attention that there had been improvements in Arbor bulk data deleting to allow pupil leavers to be removed from the system prior to their 25th birthday. I regret that I was misinformed and there has been no such improvement. I am very disappointed.
It is still only possible to bulk remove pupil leavers from the system once they have reached age 25 or have left more than 6 years ago (whichever is longer). That said, please do check your Arbor to verify that you have no pupil leavers over the age of 25. This increases to age 31 for those who were covered by an EHCP up to the secondary or special schools/SILCs.
Otherwise, it is still only possible to delete a pupil manually if you take every attendance mark out their record. I am absolutely not wishing anyone to have to undertake such a time consuming task!
Subject Access (SARs) and Freedom of Information Requests
The ICO has reprimanded an Academy Trust that inadvertently shared a spreadsheet which contained hidden data when responding to a FOI request. The spreadsheet contained 85,000 lines of pupil data including names, dates of birth and sensitive, special category information including EHCPS and whether the pupils were Looked After.
It was particularly critical of the fact that staff dealing with the FOI request had no knowledge of the "Inspect Document" function in Excel. This applies equally to SAR response. It is crucial that the data privacy obligations placed on us by the data protection laws are not compromised.
Warning: Please can I also highlight that where redactions to documents are undertaken electronically, they can't be easily reversed. A school has responded to a SAR redacting names of other pupils with the highlight function and then sent as a word document attachment to an email. The parent has simply undone the highlighted text and has the names of the other children who have been the witnesses to a bullying incident. Their parents are not at all happy as you can imagine.
Cybersecurity
Cyber Security - If an incident were to happen, is your school cyber secure and are you covered?
A recent blog has been published on Gov.UK and I thought it would be useful for those schools using RPA for their insurance to have a read:
This brings me nicely to a reminder that we produced a micro-course specifically for governing bodies to ensure that they could comply with the requirement imposed by the Governors Handbook 2024 that all governing bodies have a knowledge of cybersecurity and their strategic responsibilities in this ever-increasingly important area. If your governing body has not accessed this course, I would encourage you to draw attention to it. It is not necessary for all governors to undertake it – just sufficient numbers to demonstrate that it is covered nicely in your Governor Skills Audit. Please get in touch with our team to learn more and join the 37 current delegates already signed up. Further information can be obtained by emailing training@bywaterkent.co.uk.
With all the current cyber threats, now's the perfect time to sign up. Please get in touch with our team to learn more.
Data Protection Training
Please can I remind you that the law requires training to be provided to all staff who may handle personal data in any way. Therefore, it must be completed as part of new staff induction and refreshers must be undertaken regularly. The UK GDPR requires "that staff be appropriately trained and kept up to date on data protection matters to ensure ongoing compliance".
The Information Commissioner's Office has determined that this requirement be interpreted to mean that refreshers must be undertaken at least every two years (minimum). Have your staff undertaken refresher training in the last two years? Are you arranging for new members of staff to complete appropriate training as part of their induction programme?
The eLearning provided through the Service Level Agreement is included at no additional cost. Feedback has been positive.
Some statistics for you!
2565 persons have completed the course individually and a number have undertaken as a group session. I am delighted that this training has proved to be beneficial and indeed popular!
🎉 Congratulations!
2,565 GDPR Training Delegates
Successfully Certified!
Thank you for taking the time to read this newsletter
Richard Lewis-Ogden
Data Protection Officer
Bywater Kent Support Services
I hope you find this edition of the newsletter useful. As always, if you have any questions please do not hesitate to contact me at richard@bywaterkent.co.uk or by phone. .
