ICO Audits

Some information about ICO Audits and Advisory Visits

Since May 2018 ICO has carried out a number of Audits and Advisory visits in schools and MATs throughout England. These are different since the aim of an Advisory Visit is to give practical advice on how to improve data protection practices. It normally involves a one day visit from the ICO and a short follow up report which is not made public.

An Audit on the other hand provides a real assessment of whether schools and MATs are following good data protection practice. ICO will look at whether effective controls are in place alongside fit for purpose policies and procedures. There is a check against data protection legislation and the resulting report which makes recommendations on how to improve is published.
Below is an overview.

Summary of ICO Audits

This Excel workbook contains the summary of all the ICO Audits that have taken place in MATs and their schools. It will be updated as more are published. Also included is the Executive Summary which includes:
Areas for improvement
Good practice
Updated 13/12/2019

ICO Pre-Audit Preparation

These Excel spreadsheets are sent to MATs before the Audit to allow them to prepare. Whilst not covering all possible Audit areas, they include the most common areas Governance & Accountability, Training & Awareness and Data Sharing

Evidence >>
Interview schedule >>
Crib sheet >>

ICO Audit Tracker

This is a really useful spread sheet which will allow you to get an overview of your compliance journey.

All GREEN and you are on target
All RED and you've much work to do
Most will have a mixture of COLOURS but you'll know the areas to target

ICO Audit Action Plan

This document gives a clear insight into the standards of data protection and privacy to which schools are expected to achieve.
You must remember that ICO audits does not audit all aspects of data protection.

This document is well-worth reading.