Now and again as a trainer you know that someone is ticking a box. This happened to an Act Now trainer recently.
A meeting is held in a school somewhere in the heart of England and someone chirps up “Let’s get some Data Protection Training in school. Er.. Madge can you sort something out? Super.” Madge has no knowledge of information law. She might be the secretary; she might be the playground supervisor but she’s been told to get on with it.
Weeks later Madge does some research on the internet; finds a company that does this and books some online training; a date is agreed and everything seems fine. Madge has opted for online training lasting an hour for a dozen or so admin staff even though for the same price she could have a real expert come to her site and give the school a 3 hour master class in DP (and throw in FOI & EIR for free).
But as the trainer asked to deliver this online training something doesn’t seem right. You email the contact person to introduce yourself and ask for some steer on what they want and you’re met with a wall of silence. Time passes – no contact. Eventually a phone call elicits the information that they just want a general session on DP.
“How about FOI?” suggests the trainer helpfully.
“No we don’t need that.”
The trainer pulls together a general presentation and places a copy of the delegate materials in the online area alongside the link to access the training on the day where such things are held and informs the school.
Time passes.
The day before the training the school rings Act Now Office and asks how do they access the training. We refer them to the email sent a month previously. A flurry of questions are asked and answered and things finally look ready for the following day.
We start the training, Several people with young sounding names are present. They listen without saying anything. They don’t comment on the fact that their notification was a month late for renewal. They don’t find the lack of a privacy policy remarkable (despite the fact that they have a very handy Snow and Ice Policy in their list of 20 school policies). Their prospectus says nothing about any information law or rights of individuals to access information held by the school. The mini case studies towards the end are all met with the response “We’ll ask the head”. The FOI request sent to the school 6 weeks ago was denied. “No we’ve never seen it” (even though they are shown the actual email on screen). There are no questions at all.
After 75 minutes they say thank you and leave. The automated feedback email isn’t returned. It’s as if the training session has become lost in a Sleepy Hollow style black hole.
6 weeks later the trainer has a look for their notification on the ICO site. It’s not there. The school is not listed on the Search The Register database. Presumably they let their notification lapse. The school’s website still doesn’t have a privacy policy, a data protection policy or any mention of freedom of information. Searches on the school website return nothing at all to show they have any idea about information law.
The trainer has an attack of conscience. Maybe Madge organized the training, paid the bill and ticked the box. Maybe an SMT meeting receives a note saying DP training has been done. Maybe no-one in a senior position knows how bad things are. Should the trainer call the school and talk to senior management (if in fact he can get through to them) and say that they’re wide open to a notice being issued (and published on the web) or a prying parent with a grievance exposing their lack of compliance.
But schools like this are rare aren’t they? Schools have heard of DP and FOI and do have policies and procedures and notifications in place don’t they? Don’t they? DON’T THEY?
Are you responsible for schools and their compliance with information law? Do you know if they are aware of information law or how they are complying with it? Act Now offers online training for schools in DP & FOI and have delivered many on site half day workshops covering the subjects at schools all over the UK. Contact us to find out more. Don’t let your schools just tick a box (badly).
The new EU General Data Protection Regulation (GDPR) has now been approved and will come into force in two years time. Everyone, including schools, need to prepare now.
