The Data Protection Act (DPA) exists to protect the privacy of individuals. In an educational context, this means students, families, and staff. However, as well as ensuring compliance with the DPA, from May next year (25 May 2018) schools will also have to comply with the new General Data Protection Regulation. So senior management teams (SMTs) must act now to ensure they understand the steps, costs, and resources required.
What is the General Data Protection Regulation?
The General Data Protection Regulation (GDPR) has been introduced by the European Parliament, the Council of the European Union and the European Commission. Its purpose is to strengthen and unify data protection for all individuals within the EU. And, despite the Brexit vote, the UK is still subject to the Regulation. For schools, this means that the way you manage all personal data and information will have to change.
What are the penalties for non-compliance with the GDPR?
Non-compliance could have a devastating impact on schools. Under the DPA, non-compliance can result in fines of up to £500,000 (as well as your Ofsted ratings being severely affected); under the GDPR, fines can reach a staggering €20 million, or 4% of annual turnover if that is higher. So it is vital to start thinking now about the impact the GDPR will have at your school, and to make sure you have sound policies and practices in place ahead of the change.
How to prepare for the GDPR
Here are just some of the steps your school should take now. You should also keep checking the Information Commissioner’s Office (ICO) website for further advice and support to help you prepare.
At present, the school, as the Data Controller, retains overall responsibility under the Data Protection Act. However, you can get support by appointing specific individuals to help you implement and uphold data protection. If your school does not have established data protection roles, you should remedy this immediately. For example:
- Data Protection Officer to lead this process (for some schools, establishing a DPO will become a mandatory requirement)
- Senior Information Risk Officer to oversee risk-reduction strategies and processes
- Information Asset Owner responsible for compiling and/or working with specific personal information
- Data Processors: third parties (for example your management information system or cloud providers) that handle personal data on the school's behalf under a written contract, and who must apply appropriate security measures to it
- Information Governance Committee with representation from key functions across the school including IT.
The GDPR requires organisations, including schools, to implement a range of accountability measures. These include:
- Privacy Impact Assessments (called Data Protection Impact Assessments, or DPIAs, under the GDPR). These will need to be carried out whenever you are planning to introduce an initiative which involves high-risk processing of personal data, for example a new biometric cashless-catering system or a new pupil-tracking platform.
- Data protection audits. Review and document all the personal information you hold, where it comes from, what you do with it, and who it is shared with. Even under the current rules, keeping data for longer than it is needed violates the DPA, and any data you hold must be accurate and up to date. To help maintain compliance, carry out an information audit at least once a year. This includes asking parents to check their details are correct (and doing so securely: do not, for example, send one family's details to another family by mistake), making any resulting changes to your systems, and securely destroying data you no longer need.
- Policy reviews. As the GDPR increases an individual’s data protection rights, your school’s policies will need to be updated in line with these changes.
- Data transfer review. Schools should review and map the flow of personal data outside the EEA (e.g. via their Cloud Service Provider), consider what transfer mechanisms are in place, and ensure these comply with GDPR.
- Appointing a DPO. Under the GDPR, the appointment of a DPO is mandatory in some schools. This includes public authorities such as maintained schools and academies.
Anyone who takes on a data protection role should receive adequate training to help them with this. But it’s also important that ALL staff understand their responsibilities when it comes to keeping personal data safe. The ICO has a wealth of information to help SMTs put adequate data protection policies and training in place.
Under the GDPR your school will have to provide much more meaningful information to individuals about how you use their data.
At present, this means complying with fair processing/privacy notices. Through these, you must set out the data you require, why you need it, and which third parties it may be passed on to (e.g. other schools, social services, etc.). Primary and secondary schools have different data requirements, so require different notices.
However, under the GDPR, the information that has to be given to individuals about how your school processes data will increase significantly, AND, you will have to provide information on how and why you do this in a concise, transparent, intelligible and easily accessible way. Schools will also have to establish their legal grounds for processing personal data.
As with the DPA, every processing of personal data needs a lawful basis. Consent is only one of these; schools will often rely instead on a legal obligation or a public task (for example, the statutory requirement to keep admission and attendance records). Where you do rely on consent, the GDPR requires that it be "freely given": a positive and unambiguous indication of agreement, not an agreement inferred from silence, inactivity, or pre-ticked boxes. Separate consents must be obtained for different processing purposes, and consent must be as easy to withdraw as it was to give. In response, schools should review their parental contracts, acceptance forms, consent forms, etc. now.
Data protection legislation sets out the legal rights of individuals and the protections they should enjoy. For example, at present, students have the right to see their personal information should they ask for it. Parents DON’T have the right to access their child’s personal data unless the child has provided consent (or is unable to act on their own behalf). Schools must, therefore, consider whether a pupil is old enough to understand their rights before responding to any request. Parents DO have the right to see their child’s educational records.
With the GDPR, new rules are being introduced for responding to information access requests and schools must make sure they are aware of, and comply with these changes.
Also, children are described as “vulnerable individuals” deserving of “special protection” under the GDPR. And there are new rules and child-specific provisions that must be adhered to.
Your school must establish robust procedures for detecting, reporting, and investigating any personal data breaches. Under the GDPR, a breach that is likely to result in a risk to individuals must be reported to the ICO without "undue delay" and, where feasible, within 72 hours of the school becoming aware of it, so the procedure needs to be in place before a breach happens, not improvised afterwards. Breaches are not only caused by staff error. For example, a student who deliberately logs into another student's Facebook account without their permission is breaking the law under the Computer Misuse Act; the same act against an account on a school system is also a personal data breach that the school must handle. However, many schools are unsure what to do when they uncover unauthorised access to their IT systems.
In addition to the changes set out above, it is also important that your school maintains robust processes under the current DPA. For example, all personal information must be kept safe with security measures that are appropriate to the data held. This could include things like:
- Using strong, unique passwords, and two-factor authentication where the system supports it
- Shredding confidential waste and making sure electronic data is correctly destroyed, including data on old laptops, USB sticks, and photocopier hard drives before disposal
- Encrypting electronic data, particularly on laptops, USB sticks, and other portable devices that can be lost or stolen
- Installing firewalls and antivirus software, and keeping operating systems and applications patched
- Keeping devices locked away when not in use
- Disabling 'auto-complete' settings, especially for email addresses, where a mis-selected recipient is a common cause of data being sent to the wrong person
- Checking that any data suppliers comply with the necessary regulations, and that a written contract setting out their data protection obligations is in place with each one.
Where you fail in your duty to put adequate security measures in place, the ICO can issue fines.