A current hot topic for schools is GDPR (General Data Protection Regulation), which comes into force next May. GDPR will entirely replace our current Data Protection Act 1998 (DPA). Some of the precise detail has yet to be decided, but here's some advice on steps to take to get ready for it.
Step 1; RAISE AWARENESS. Key decision makers in schools need to know that data protection law is changing and how those changes will affect how the school is run. Schools should use the lead-in period before GDPR applies to get ready and to raise awareness across the school.
Step 2; ACCOUNTABILITY. One of the main features of GDPR is that schools will actually have to demonstrate compliance, not merely comply. Measures that help demonstrate compliance include Privacy Impact Assessments (PIAs), data protection audits, and policy reviews. The Information Commissioner's Office (ICO) has produced a Code of Practice on PIAs to help guide schools.
To get started, schools should review and document the personal data they hold, identify its source, who it is shared with and the legal basis upon which it is being processed. This exercise is commonly called a data protection audit (or data protection mapping) and can be deployed across the entire school, or confined to distinct areas within it. Unless schools know what personal data is held and how it is being processed, it will be difficult to comply with the GDPR's accountability principle.
A benefit of a data protection audit is that it maps the flow of personal data in and out of the school, can be used to measure the degree to which the school complies with the law, and identifies 'red flags' for urgent attention. The high-risk areas are likely to be demonstrating that consent, where relied upon, is clear and valid, and the school's development (fundraising) functions.
Schools will still be required to take organisational steps to keep personal data secure and to train staff on data protection. In our view, new starters should receive training before they are given access to personal data, and existing staff should receive regular refresher training (perhaps annually).
Step 3; COMMUNICATING DATA PROTECTION/PRIVACY INFORMATION. Under the DPA, schools are legally required to provide certain minimum information to individuals (including staff, pupils and parents) about how their personal data is processed. This is commonly provided through a Privacy Notice which is often incorporated into the school's Data Protection Policy.
Under GDPR, the list of information which has to be provided to individuals will increase significantly. Some of the information has to be communicated in all cases (mandatory Privacy Notice information). A second subset need only be provided in specific cases e.g. if the school intends to process the personal data for different purposes than when it was collected.
Step 4; LEGAL GROUNDS FOR PROCESSING PERSONAL DATA. Under GDPR, schools will need to know the legal ground for each type of processing of personal data and in some cases explain it to pupils and parents. For example, the legal ground for processing pupil images for identification purposes is likely to be that the processing is necessary for the performance of the contract. In contrast, the legal ground for using pupil images for school marketing and on the school website is likely to be consent.
Schools should map out their different types of data processing and identify and document the legal basis for each, using the data protection audit to do so.
Step 5; CONSENT. Schools should review how they seek and record consent for processing personal data and consider if any changes are required under GDPR.
Just as with the DPA, schools can still rely on 'consent' as a legal ground to process personal data e.g. to use pupil images on the website, to send fundraising and marketing messages to parents and alumni, or to publish pupil news on social networking platforms. However, satisfying the criteria for valid legal consent will be harder under GDPR.
Separate consents must be obtained for different processing operations. Each consent must be distinguishable from other matters and not 'buried' in wider written agreements, such as the parent contract, which often incorporates consent for a multitude of processing activities. Under GDPR, consents should therefore be separable from other written agreements, and the school should be able to show what each individual agreed to and when.
Step 6; RIGHT OF SUBJECT ACCESS (SAR). As with the DPA, GDPR will continue to allow individuals to ask the school for a copy of their personal data, together with other information about how it is being processed by the school. This is known as a subject access request (SAR).
Under GDPR, the main changes are:
- Now free in most (but not all) cases (under the DPA a fee of £10 could be charged).
- Manifestly unfounded or excessive requests can now be charged for or refused.
- Deadline reduced from 40 calendar days to 'within 1 month' of receipt. This deadline can be extended in certain cases.
- Additional information to be supplied, e.g. the school's data retention periods and the individual's right to have inaccurate data corrected.
- To refuse a SAR as manifestly unfounded or excessive, the school will need policies and procedures in place to demonstrate why the request meets those criteria.
Step 7; PERSONAL DATA BREACHES. All schools will have to adopt internal procedures for detecting, reporting and investigating a personal data breach. This is because GDPR introduces mandatory breach notification to the Data Protection Authority (the ICO), within 72 hours of the school becoming aware of a breach that is likely to pose a risk to individuals, and in some cases also to the affected individuals themselves. Staff therefore need to know how to recognise a breach and who to report it to quickly. Schools should also maintain an internal breach register, recording every breach (including those not notified to the ICO), its effects and the remedial action taken.
The good news is that there is time to plan for GDPR and as the ICO releases further guidance, schools may wish to keep an eye on the ICO website for updates.
Kristine Scott, Head of Education, Harrison Clark Rickerbys