How the ICO conducts a self assessment
The self assessment programme is aimed at promoting good personal data protection practice within sectors where there are a lot of smaller organisations or public authorities. Currently we are focusing this work on the education sector, but over time we will work with others.
We work with sponsor organisations, for example the local council or education authority, to help us contact schools and ask them to fill out a questionnaire. We use the results of the questionnaire to write a short report indicating areas of improvement and areas of good practice identified in the participating schools.
A recent example of a self assessment
A local council requested our help to raise awareness of data protection in the schools in their area and to provide them with practical advice and guidance on how to comply.
We explained the self assessment process to the council and told them that there was no cost involved. We also helped them draft a letter to send to the schools to encourage them to get involved.
We sent all the schools an email with a link to an electronic survey focused on the practicalities of complying with data protection. They were given a couple of weeks to complete it. The questions covered a wide range of areas including:
- What physical security provisions do you have in buildings or parts of buildings where personal data is held?
- Do you provide pupils and parents with an explanation, in writing, about what you do with their personal information?
- If you maintain a website, are you satisfied that you are not disclosing any information that staff, pupils or parents would object to?
- Do you have a CCTV system and what do you use it for? Are cameras located so that they do not intrude unnecessarily on privacy?
- Do all staff handling personal information have suitable training?
- What other organisations, including IT providers, process personal data for you?
- Do you know about time limits and fees for subject access requests?
We then reviewed the responses to the questionnaire and wrote a short report detailing the areas of good practice we had identified in the participating schools, as well as areas for improvement. Our report also gave recommendations to help improve the schools’ compliance and highlighted relevant ICO guidance to assist schools in understanding how to meet their obligations. We delivered our report to the council, as well as the participating schools.
The council and participating schools used the report to promote awareness and encourage compliance with the Act, and they shared it with other local organisations in the education sector.
The council said that the report was “an excellent resource for schools in order for them to maintain compliance with the Data Protection Act” and “well written, in a style that the Head Teachers and their staff can understand what their responsibilities are, and what they need to do next”.