Ultimately, everyone has a responsibility in ensuring data is processed securely in a school. Staff and even students who handle personal data need to prevent it from coming into possession of anyone who hasn’t been given permission to view or process it.
There should be specifically elected individuals who are educated on data protection and who implement and uphold systems and policies.
The Senior Information Risk Officer (SIRO)
All schools should have a senior member of staff who is familiar with information risks and the school’s risk-reduction strategies. This is usually a member of the Senior Leadership Team.
The Senior Information Risk Officer must:
- Ensure appropriate mitigations are in place to minimise risks.
- Foster a culture that values, protects, and utilises information securely and in a way that benefits the organisation.
- Take charge of the information risk policy and risk assessments, and ensure they are implemented by the Information Asset Owner(s).
- Act as an advocate for information risk management.
SIROs should undertake training annually to keep their skills and capabilities up to date and relevant to their organisation. It’s essential that they have the necessary knowledge and skills to fulfil their role and ensure people’s privacy.
The Information Asset Owner (IAO)
The IAO is a member of the school community who is responsible for compiling or working with specific personal information. They must:
- Know what information the organisation holds and for what purpose.
- Understand how information is amended, added to, removed, or moved overtime.
- Know who has access to the data and for what purpose.
- Recognise how the information is retained and disposed of securely.
- Information Asset Owners should:
- Maintain a log of access requests made to the organisation.
- Monitor users’ rights to transfer information to removable media, i.e. USB and external hard drives.
- Negotiate, manage, and approve agreements on the sharing of personal information.
Monitor access to personal information. - Provide an annual written assessment to the SIRO detailing the security and use of their asset.
When appointed to their position, they must undertake information management training, and retake it at least annually.