It does seem to be technically possible for a governor to be the DPO, but it may not be best practice. Schools must have a DPO as they are public bodies, but they need to ensure the DPO has the appropriate expertise, can avoid conflicts of interest and can report to senior managers.
The DfE state in their Data Protection Toolkit for Schools that it might be possible to “seek volunteers from experts that may exist in the wider school community” so the job does not have to be done by an employee.
However, they go on to say that as a volunteer “their statutory responsibilities remain at the same expectation as a paid DPO. It would be a reasonably big commitment for that volunteer, and they would need to be able to clearly convey risks and views to senior managers.”
The private company GDPR in Schools has produced a guide to who can be the DPO. They advise that governors can be the DPO, but only if there is no conflict of interest, they have sufficient time, they can understand the school’s use of data and they have input from school staff to help them.
Expert Knowledge of Data Protection Law
It may be unreasonable to expect a volunteer governor to be an expert on data protection law in addition to all their other duties.
“You should appoint a DPO on the basis of their professional qualities, and in particular, experience and expert knowledge of data protection law.”
Guide to the GDPR, Information Commissioner’s Office
“When designating a data protection officer, the controller must have regard to the professional qualities of the proposed officer, in particular the proposed officer’s expert knowledge of data protection law and practice.”
Section 69 of the Data Protection Act 2018
DPOs Must Report to High Level Management
Governors are, of course, high-level management themselves – who would they report to if they are not reporting to the school’s governing body?
“DPOs assist you to monitor internal compliance, inform and advise on your data protection obligations, provide advice regarding Data Protection Impact Assessments (DPIAs) and act as a contact point for data subjects and the supervisory authority.
“The DPO must be independent, an expert in data protection, adequately resourced, and report to the highest management level.
“A DPO can be an existing employee or externally appointed. You must ensure that the DPO reports to the highest relevant management level of your organisation – ie: board level.”
Information Commissioner’s Office
Conflicts of Interest
A governor may find it difficult to avoid conflicts of interest. For example, they may hold confidential data themselves and have access to information in minutes that others do not.
“As long as the professional duties of the employee are compatible with the duties of the DPO and do not lead to a conflict of interests, you can appoint an existing employee as your DPO, rather than you having to create a new post.”
Guide to the GDPR, Information Commissioner’s Office
“Think through what is best for your school. As yet, there does not appear to be a common approach, but it appears a ‘many schools to one DPO’ model is emerging as the most common, whether that is provided by the local authority, or multi-academy trust.”
DfE Data Protection Toolkit for Schools
“As a rule of thumb, conflicting positions within the organisation may include senior management positions.”
European Commission Guidelines on Data Protection Officers