Kate Grimley Evans’ background as Head of Information Law at the education specialist law firm Stone King means that she has an in-depth knowledge of both education law and information law. This means that whatever service is offered, it is always tailored to the education context. Kate can always speak from experience with plenty of practical examples.

Kate offers both training and data protection compliance auditing services for all types of educational institution, e.g. academy trusts, maintained schools, independent schools, FE Colleges, universities and university colleges.

Training


Kate Grimley Evans can provide training in all areas of Information Law, particularly the GDPR, Data Protection Act and the Privacy and Electronic Communications Regulations (relevant to any fundraising or marketing).

In the state sector, there is an inevitable overlap between Data Protection and Freedom of Information and whilst training will normally focus on one or the other, this overlap will be explained when relevant.

If you don’t see what you need, bespoke training tailored to your needs can be provided. Simply contact Kate by clicking the button for a discussion of your requirements.

Training is usually delivered in school. We usually only operate within around a 2-hour drive or 2-hour train journey of Cambridge, Cambridgeshire. A greater distance may be possible but is likely to mean an additional charge to reflect the need for overnight accommodation.

Kate Grimley Evans

Managing Director

Contact Kate

Example training sessions offered

Next steps in GDPR compliance


Format: Presentation followed by discussion

Target audience: Academy Trust Board

Content: The GDPR accountability principle and its implications often aren’t well understood and it has been an obvious weak point in the recent spate of ICO audits of academy trusts. This training will explain the principle and what is required in order to comply.

Time allocation: 1.5 to 2 hours

The Ultimate DPO support


Format: One to one training

Target audience: a DPO of any level of knowledge

Content: This will usually include:

  • reviewing what the DPO has done so far
  • explaining anything the DPO is not clear about
  • making suggestions for improvements in compliance.

Therefore this session is not just training but also a means to improve compliance.

Time allocation: flexible but at least half a day recommended

Basic Data Protection


Format: as agreed, either seminar format or lecture format according to numbers of attendees.

Target audience: basic training session suited to teachers, TAs and admin staff who do not have direct responsibilities for data protection but still have regular access to the personal data of staff and pupils.

Content: Much of the commercially available training will not be school specific or will focus primarily on the common-sense approach to keeping personal data safe. This training session will be designed for schools and, whilst it will not ignore the need for common sense, it will give a better all-round idea of how data protection works and some of the common errors that occur.

Time allocation: half a day

Beginner Freedom of Information training


Format: one to two participants

Target audience: total beginners

Content: Explaining the basics of how FOI works and where to find resources. This session will provide the attendees with a basic framework which they can then add to through their own learning and experience.

Time allocation: half a day

Handling FOI requests


Format: small group seminar suggested

Target audience: those with day to day responsibility for answering requests

Content: It is clear from experience, having helped a very large number of academy trusts with their FOI requests, that sometimes FOI requests are very burdensome for schools. This is a practical training session for those with responsibility for answering requests. It will cover the main areas where errors can occur or where requests can become unnecessarily difficult to deal with.

Audit

The GDPR ‘accountability principle’ means that regular auditing of compliance, both internal and external, is an expectation.

Two levels of service available

The Basic Audit Package


This is designed to be a pragmatic solution for academy trusts, schools and FE Colleges which do not have the available funds for the full audit package or who would like an interim audit. It is designed to be a cost-effective way of identifying issues and therefore improving compliance.

This involves:

  • Around 2-2.5 hours sitting with the DPO to look at what is in place already.
  • Some further review of documentation as agreed.
  • A detailed report with recommendations which can be presented to the audit and compliance committee or full Board meeting as required.

Note that this does not include a review of IT security which we consider requires particular IT expertise. It will, however, flag IT issues which may be problematic where they are within our knowledge and expertise.

The Full Audit Package


The full audit is always a bespoke offering, following discussion with the DPO. A larger Academy Trust or College with multiple sites is likely to benefit from us visiting more than one site to see how well the stipulated data protection practices are implemented in practice. A typical full audit would include:

  • A meeting with the DPO to discuss the GDPR implementation to date.
  • A series of interviews with staff, individually or in groups, across as many sites as agreed.
  • Document review to the level agreed.
  • A full detailed report with recommendations which can be presented to the audit and compliance committee or full Board meeting as required. Typically, we would attend the meeting to present our findings and answer any questions arising.

Note that this does not include a review of IT security which we consider requires particular IT expertise. It will, however, flag IT issues which may be problematic where they are within our knowledge and expertise.