My GDPR 'To Do' list

[FSFRebecca]

1 hour ago, Mouseketeer said:

I’ve been told today by a parent it’s ‘optional’ if you have less than 250 staff ...damn they could have mentioned that before I spent most of the Easter holiday on it  😱

https://www.parenta.com/2018/04/30/new-gdpr-rules-could-result-in-additional-costs-for-providers/?utm_term=New GDPR rules could result in additional costs for providers&utm_campaign=New GDPR rules could result in additional costs for providers&utm_content=email&utm_source=Act-On+Software&utm_medium=email&cm_mmc=Act-On Software-_-email-_-New GDPR rules could result in additional costs for providers-_-New GDPR rules could result in additional costs for providers

What did they think was optional? The whole GDPR? The having a nominated official data protection officer is optional for smaller businesses - see 11/12 here

[Mouseketeer]

7 minutes ago, Rebecca said:

What did they think was optional? The whole GDPR? The having a nominated official data protection officer is optional for smaller businesses - see 11/12 here

Oh yes, the whole compliance thing didn’t mean us ! 

[Mouseketeer]

With 3 wks to go how is everyone’s prep going? 

I’m on the policy now, I’ve seen a couple of examples but no way is mine going to be that long ! 1 A4 side or 2 at a push or maybe font 6 ;-), I haven’t started on agreements yet, not really sure where to start with those, does anyone have any useful links to websites (I don’t have the PSLA policies etc so can’t look there).

[FSFRebecca]

We (my setting, not FSF!!)

• Have completed audit
• Written to all 3rd parties - (one remains decidedly questionable)
• Re written enrolment form
• Written to all parents re new enrolment form/ financial terms and conditions / privacy notice - in process of getting consent/contracts signed
• Written to all staff re data held and issued new privacy notice
• Audited all procedures re data on display in setting and made necessary adjustments
• Staff training completed 1 = intro to GDPR and 'what is it?', 2 = 'How does it affect you?'
• Staff training to do = changes to policies and working procedures
• Stripped all setting laptops of data and moved to usb storage which is locked away and requires management permission to access
• Changed all passwords and security info on websites, emails etc
• Still to do, policy update - saving this til last as we keep coming up with new things we need to do differently

Anything I've missed? 

[sunnyday]

9 hours ago, Mouseketeer said:

With 3 wks to go how is everyone’s prep going? 

I’m on the policy now, I’ve seen a couple of examples but no way is mine going to be that long ! 1 A4 side or 2 at a push or maybe font 6 ;-), I haven’t started on agreements yet, not really sure where to start with those, does anyone have any useful links to websites (I don’t have the PSLA policies etc so can’t look there).

Mousie - do you mean 'Privacy notices' for Parents or something else?

(I might be able to help)

[sunnyday]

5 hours ago, Rebecca said:

We (my setting, not FSF!!)

• Have completed audit
• Written to all 3rd parties - (one remains decidedly questionable)
• Re written enrolment form
• Written to all parents re new enrolment form/ financial terms and conditions / privacy notice - in process of getting consent/contracts signed
• Written to all staff re data held and issued new privacy notice
• Audited all procedures re data on display in setting and made necessary adjustments
• Staff training completed 1 = intro to GDPR and 'what is it?', 2 = 'How does it affect you?'
• Staff training to do = changes to policies and working procedures
• Stripped all setting laptops of data and moved to usb storage which is locked away and requires management permission to access
• Changed all passwords and security info on websites, emails etc
• Still to do, policy update - saving this til last as we keep coming up with new things we need to do differently

Anything I've missed? 

I think you should go and have a lie down in a darkened room now

[FSFRebecca]

Just now, sunnyday said:

I think you should go and have a lie down in a darkened room now

One day, Sunnyday, one day... being the owner/manager I rarely sleep 

[Hamantha]

12 hours ago, Mouseketeer said:

With 3 wks to go how is everyone’s prep going? 

I’m on the policy now, I’ve seen a couple of examples but no way is mine going to be that long ! 1 A4 side or 2 at a push or maybe font 6 ;-), I haven’t started on agreements yet, not really sure where to start with those, does anyone have any useful links to websites (I don’t have the PSLA policies etc so can’t look there).

Well, so far we have:

• Completed audit
• Updated Privacy Notices for parents/staff and our Committee Members
• Completed staff training (along same lines as Rebecca, although we've also discussed policy/procedure changes)
• Started to clear our laptops of old data
• Password protected everything!!
• Taken off saved password settings.

It has been a lot of work and we still have more to do...

• Update our registration form (only going to ask those staying on with us if they want to fill in new form now. Thought we would get them to do this in Sept when we usually update/check all info)
• Send out all the updated Privacy Notices
• Issue updated policies and procedures
• Contact third parties (doing this last as  I'm hoping they will contact us first...) to check GDPR compliant
• Sharing Agreements - hoping for some inspiration as not really sure what to put in...will have to do some research.
• Review our website privacy notice/cookie policy and get a SSL certificate.

We were not going to write a Data Protection policy as everything is covered by our already extensive policies such as ICT, Tapestry, Confidentiality... (we have so many now!) and our Privacy Notice.

[Mouseketeer]

Good work Rebecca and Hamantha

completed:

• Audit - workforce, committee, chn, parents, others
• Impact assessment
• privacy notices - for all as audit
• covering letters and agreements/consent - all except chn
• childrens permission/consent form - use of names, photos, sun cream, walks (all separate yes/no)
• Registration form updated
• Booking request form updated
• Training + cascade to staff
• Tapestry parent agreement
• Read to pg 26 of Tapestry contract (promise to finish and sign ASAP) 
• password changes
• Policy updated (1 A4 side ) 

to do:

• sharing agreements (also unsure about what these should have in them and what to do with them)
• add a paragraph to prospectus
• Also hoping for 3rd parties to send me evidence of their compliancy .....it’s not happening yet :-/ 
• delete all files from pc & lap top that isn’t really needed 
• ALL the techy stuff  😭 

 

Edited May 3, 2018 by Mouseketeer

[Hamantha]

Wow, you are nearly there! I will have a look around for ideas for sharing agreements and let you know if I come up with anything 

[C1403]

So far I have done:

Excel data audit

Drafted new enrollment form

Drafted privacy notice and letter for parents

Drafted privacy notice and letter for staff

Passed this all to the manager to read/review and then I'll do a final version to send out before half term. If I left it to her I'd still be chasing in September!

Still to do

Get Manager to do GDPR Training

Contact 3rd parties

Update our main data protection and confidentiality policy and other policies that have GDPR reference.

 

Any wonder I'm thinking enough is enough this year, even though DD has a year left! 

 

 

[Stargrower]

What does GDPR training involve?  Is it necessary?  Our LA have said they are not offering training or information on GDPR.

 

[Mouseketeer]

C1403 ...I’ll be looking for a new chair shortly and would be happy to have you ;-), I’m not sure if it was needed as the committee are the controllers really but I also did a Committee letter/consent form and privacy notice separate to the parent one as more of their information is shared eg. Names on the notice board,  newsletters,  minutes, all have each other’s email addresses (officer numbers also) - consent, their details are shared with Ofsted, LA and Charity commission (legal obligation).

Stargrower...ifyou are a PSLA member do theirs it was only £7 and took no time at all, only 10 questions, which you’ll already know from here and there is a guidance module you can then share with other staff

[Mouseketeer]

I think my last task is to come up with a 'data sharing' agreement, I'm sat here staring at the the ICO checklist for sharing but not getting a lot of inspiration, all the templates I've found look very wordy (scary), has anyone come up with a suitable one for the types of sharing we do e.g sen reports, shared setting progress, school transitions etc? thanks :-)

[Tcha]

I'm now trying to put together staff and parent privacy notice - I have had a look at some online but I was wondering if anyone has a template for these at all please, or know where I can find both staff and parent notices please. Thank you

[FSFRebecca]

21 hours ago, Tcha said:

I'm now trying to put together staff and parent privacy notice - I have had a look at some online but I was wondering if anyone has a template for these at all please, or know where I can find both staff and parent notices please. Thank you

Have you looked at the resources we have been posting? You can download them for your own use. I have taken the parent privacy notice down at the moment, but it'll be back up later 

[Tcha]

Thank you Rebecca, I was obviously looking in the wrong place.

 

[Bluebirds]

On ‎03‎/‎04‎/‎2018 at 16:14, Rebecca said:

An encryption key is a little usb thingy that you can use to provide an additional level of security on your computers. We have them here at FSF. Basically they are set so that your computer won't start without the usb in. Then if someone steals the PC they can't get to your data, even if they know your password - the pc just won't start. Once you have started your pc you lock the usb away in a different place to the pc (in the safe?). I'll ask one of the FSF tech genies to put a 'how to' guide up here. I think the usbs themselves cost about £7 each. 

Hello 

Please how can we buy the encryption key. Thanks

[Mouseketeer]

Hi bluebirds, welcome to the forum, that’s a good question, I have been looking at them on a well known auction site,  but no idea which I should get, prices vary greatly so any ‘reasonable’ priced recommendations would be good...and is it a different one for each device? (pc and lap top).

 

[Mouseketeer]

I am still working on the 'agreements', I'm planning on a separate for each processor we share with now, do you think this from the framework is good enough reason to legal Obligation for school transitions? 

3.68.Providers must maintain records and obtain and share information (with parents and carers, other professionals working with the child, the police, social services and Ofsted or the childminder agency with which they are registered, as appropriate) to ensure the safe and efficient management of the setting, and to help ensure the needs of all children are met.Providers must enable a regular two-way flow of information with parents and/or carers, and between providers, if a child is attending more than one setting. If requested, providers should incorporate parents’ and/or carers’ comments into children’s records.

[Tim]

Hi Bluebirds. Any USB drive is fine to use as an encryption key with accompanying encryption software. There are hundreds out there, but you don't need to spend very much at all. I chose one that was as physically small as possible, as I wanted to keep it on my keyring. Also, as I don't store any additional files on the USB drive, I purchased the smallest capacity available. Mouseketeer, dependent on your software, it may be possible to have one usb drive acting as an encryption key for multiple devices, but you could end up continually swapping it between devices. More information from earlier posts:

 

[Mouseketeer]

 woooohhhh back up there..so now as well as a key I need software? 

[sunnyday]

Not sure why I'm laughing - it's all going over my head now 

[Lioness]

Hi all,

Just reviewing GDPR and just wondering if a 3rd party provides their Privacy Notice to you, does this count as not having to contact them now as all the information required by you to prove they are complaint is in their Privacy Notice? Or do you still need to ensure you contact each one individually just to ensure you are proving how you are being compliant?

Many thanks.

[Hamantha]

1 hour ago, Lioness said:

Hi all,

Just reviewing GDPR and just wondering if a 3rd party provides their Privacy Notice to you, does this count as not having to contact them now as all the information required by you to prove they are complaint is in their Privacy Notice? Or do you still need to ensure you contact each one individually just to ensure you are proving how you are being compliant?

Many thanks.

I would also be really interested to know what others think. I have left third party stuff at the end of my GDPR to do list in the hope that they would all contact me first!

Also, has anyone drawn up data sharing agreements with primary schools? I am thinking in relation to transition reports. 

Thanks!

[Piskie]

Can anyone tell me where to get these USB keys from please? I can’t find them anywhere.

A brand name would be even better 

Thanks

[Lioness]

On 25/06/2018 at 14:27, Lioness said:

Hi all,

Just reviewing GDPR and just wondering if a 3rd party provides their Privacy Notice to you, does this count as not having to contact them now as all the information required by you to prove they are complaint is in their Privacy Notice? Or do you still need to ensure you contact each one individually just to ensure you are proving how you are being compliant?

Many thanks.

Anyone any thoughts on this?

 

Many thanks!