"Every Day’s A School Day In Data Protection" – GDPR for the Education Sector: What to expect in 2023
A lot has happened recently in the education space when it comes to data protection and the only thing you can count on is that there will be more change.
Whether it is guidance issued by the Department for Education, the ICO’s updated approach to policing data protection compliance, or the Government’s announcement to replace GDPR altogether, there is plenty to digest. We examined each of these in turn during our latest webinar.
Department for Education Guidance – Data protection in schools
The Department for Education’s recent guidance for schools and multi-academy trusts (MAT) goes beyond what the ICO requires in its current guidance in several cases. The key takeaways are as follows:
Special Category Data
The guidance indicates that it is best practice to treat additional types of data, such as whether a child is in local authority care, as “special category data”. This expands upon what is laid down by law: although some of these types may already fall within the category, others don’t automatically fit and should be looked at carefully.
Under the guidance, consent is required for things such as marketing and fundraising and taking photographs of pupils and staff. Requiring consent for taking photographs goes further than the current ICO guidance. The guidance also goes on to say consent is usually required when sharing data, which is often not the case in practice. There are other grounds permitting the sharing of personal data – for example, a school may have an obligation to share personal data, e.g. in a safeguarding context. In view of how difficult it is to get GDPR-compliant consent and the fact that it can be withdrawn at any point, the guidance gives food for thought.
Data Protection Impact Assessments (DPIAs)
DPIAs are a key topic for schools as both pupils and staff often comprise “vulnerable data subjects” from a data protection point of view. Also, schools are increasingly looking to use “innovative technologies” such as facial or fingerprint recognition. Both of these mean that a DPIA needs to be considered – although the approach taken by the guidance is stricter than ICO requirements.
Data Subject Access Rights (DSARs)
These are often very time-consuming for schools and can raise complex issues. One of these is whether it is the pupil or the parent who has the right to make the DSAR. The DfE guidance has taken the position that if a child is 13 or over, then they can either make the request themselves, or provide consent for their parent or carer to make it on their behalf. It is, however, more nuanced than this, and the child’s understanding of what a DSAR is and what they will get in response is key. We look at this tricky area in detail in the webinar.
Data Protection Reform
Many schools and colleges struggled with implementing the wide-ranging requirements of GDPR. The Government is now revamping data protection laws, and the Data Protection and Digital Information (No. 2) Bill began its journey through Parliament earlier in March. It is framed as a “new common-sense-led UK version of the EU’s GDPR” and positioned to promote innovation whilst preserving adequacy with the EU. It looks at:
- getting rid of the DPO role (but replacing it with something similar),
- clarifying where legitimate interests can be used (without the need for completing further complicated legitimate interest assessments), and
- extending the use of ‘soft opt-in’ consent for charitable, fundraising, and other non-commercial objectives.
To find out more about these developments you can catch up on Joanne Bone and Hannah Moran’s most recent webinar GDPR for Schools and MATs: What to Expect in 2023 covering all of the above, plus an overview of the ICO’s strategy when it comes to achieving its objectives and recent investigation into the use of facial recognition technology in schools.