Carrying out a data protection audit

Conducting a data compliance check or learning walk can seem a daunting prospect for data protection officers. Dai Durbridge shares his top tips

Author details

Dai Durbridge is a partner in the education team at Browne Jacobson. He provides advice and training to teachers and other education professionals on relevant legal and practical issues. He has a particular focus on safeguarding issues, having...

‘Conducting a data protection audit’ may sound formal but, to put it simply, it’s about understanding what’s going on in your school or setting in terms of data protection compliance.

Do you know where your risk areas are? Have you created some documentation that shows what’s going on, where the skills gaps are and what you’re going to do about it?

Getting started

Before you even start your audit or compliance check, take a step back: what are you trying to achieve? What’s your objective?

What are the traps that people regularly fall into?

Don’t feel you have to cover all areas at once: it’s fine to take bite-size chunks, especially if you’re in a situation where you have a number of schools to cover.

What did your last audit tell you? If the main issue you uncovered was the number of computers unlocked and passwords on display, then that’s your starting point for the next audit.

Or if you don’t have a previous audit to work from, what do you know to be the biggest data protection issues in education? What are the traps that people regularly fall into? What things have you seen in your own setting that worry you, or what are people asking you about?

What to include in your audit

Policies and paperwork

While it’s important that policies, forms, standard letters and notices get reviewed, it may be done annually, rather than every time you conduct an audit or learning walk.

Your privacy notice is probably more of a ‘living document’, and will need to be amended regularly.

Consult with your IT manager

Your IT manager is a key partner. What are they noticing?

For example, how many emails are being sent or stored? When it comes to data breaches, emails feature high on the list – most commonly emails being sent to the wrong address, or a failure to BCC.

Where is information being saved – is it in the right place? Is material regularly being left uncollected on printers? What do they consider some of the key risk areas to be?

Talk to staff

Start with those who you might consider as being in the ‘higher risk’ group, due to the nature of their work. Reception staff, for example – not only are they the ‘front face’ of your school or trust, but they are also handling and passing on more pupil information than most members of staff.

Are staff familiar with the subject access review (SAR) process?

DSLs are important too, because of the nature of the information they’re working with and sharing. How do they share information externally? What are your security protocols? When they send information to parents, is it password protected?

Talk to your senior leaders

Be aware of the ICO’s expectation that ‘Decision-makers lead by example and promote a proactive, positive culture of data protection compliance’ (see the ICO’s Accountability Framework for organisations). This can be your starting point for discussion:

  • What have they done so far to demonstrate support for data protection compliance?
  • How are they promoting that positive culture?
  • Are they leading by example?
  • When you send out an email requesting something from staff, is it backed up by the headteacher?

Review your processes

For example, do you have a robust process in place for the withdrawal of consent for the use of a pupil’s photograph? Is there a clear system in place for the destruction of data? Are staff familiar with the subject access review (SAR) process – and do they know that SARs don’t have to come in writing?

What do you do with the information you’ve found?

Ask some test questions: what would you do if you sent an email to the wrong person? Do they know that needs to be reported as a breach?

Data protection learning walk

Taking a walk around your school is one of the best ways to see how well data protection processes are understood and being implemented.

Here are some suggestions for your checklist.

  • What’s visible to the visitor signing in at the reception desk? Can they see computer screens in the office? Are privacy screens deployed where appropriate?
  • Can computer screens be seen by someone walking past a window?
  • What’s on the staff room wall? Is any safeguarding or medical information displayed?
  • Is pupil information being displayed on classroom walls?
  • If you have a clear desk policy, is it being implemented?
  • Are any computers unlocked?
  • Are computer or software passwords on display?
  • Are computer passwords on autofill?
  • Are filing cabinets locked? Where are the keys kept?

How often?

The frequency of your data audits might depend on what progress or problems were uncovered in your last audit.

If last month’s learning walk revealed a number of issues to be resolved, you might want to conduct another one in a fortnight to follow up. However, if your last three audits all had positive results with no current issues to resolve, you could wait a while for the next one.

Reporting your findings

What do you do with the information you’ve found? Note that the data protection officer should be reporting to the highest level of management – that’s probably the headteacher or CEO.

It’s a good idea to get buy in from your senior management team for any report and actions you plan to share with governors or trustees.

Give careful thought to the content and format of your report. How are you going to engage and retain the reader’s interest? What level of detail do you need to include?

Don’t feel you have to cover all areas at once

If you’re presenting your board with a 40-page report, is it going to get read? Do you need an executive summary or key bullet points at the top for a quick digest? Are the actions and issues clear and up front?

Don’t feel you have to reinvent the wheel. Is there an existing report format you can adapt? For example, a safeguarding, or health and safety report? It’s probably easier for the governors to receive a report that’s in a format they’re familiar with.

Your report might include:

  • number and type of data breaches, and what’s been done to reduce the likelihood of recurrence
  • number of SARs (possibly including figures for previous year as a comparison)
  • key findings and issues identified from your most recent audit
  • what actions you recommend or have put in place to address these issues
  • highlight improvements and progress
  • training and support provided for staff.

Where you need approval for recommended actions, be clear about what problem the action will solve. What is the extent of the problem, and what are the potential consequences? What’s the timeframe for action, what outcomes do you expect, and when will you report back?

It’s a good idea to have a link governor for data protection. People may not rush to volunteer, but keep pushing the message that data protection should be seen to have a similar importance to safeguarding. The risks and consequences if things go wrong are significant!

Adapted from training sessions delivered as part of the Intermediate Level DPO Continuous Development Programme.


Last Updated: 
28 Oct 2021