Data Protection – important issues affecting your school
There has been a recent 40% increase in reported data breaches in the education sector according to the Information Commissioners Office (“ICO”) yet a Government report showed that out of 13 sectors, the education sector spend the least on data security.
How does it apply to schools?
GDPR will apply to all schools (including independent schools) and academies and it will also apply to any supplier you use to manage your data. Relevant data you may hold includes:
Staff and student files – both paper and online
Academic results and records
Student and Parent contact details
Attendance data
Medical and special education needs information
CCTV or other surveillance including any future use of body cameras
Specific issues for children’s data
Schools are in the unique position of processing large amounts of data about students under the age of 18. The position is relatively straightforward when dealing with younger children as you can get parental consent and engage with parents about how data is used. Once the student gets to a certain age, however, you have to explain to them how their data is used and potentially get their consent. This age is not set by the GDPR – it is to be set by the ICO. We don’t yet know where the line will be drawn but it could be as low as 13. What is clear is that it will be essential for schools to understand when they need to engage with parents and when they need to engage with the student. It will also be essential that your data protection information is clear and understandable to students as well as parents.
Isn’t this European Legislation and doesn’t Brexit mean schools won’t need to do anything?
Even though the GDPR is a European legislation, the government have confirmed that it will still apply after Brexit. If you have put your compliance on hold following the referendum, now is the time to restart it.
What happens if schools don’t comply?
Schools will be liable for breaches of the GDPR and will be subject to fines. Academies, free schools and independent schools will be treated in the same way as businesses and will be subject to potential fines of up to €20 million or 4% of annual worldwide turnover. In some ways schools are in a worse position than businesses as noncompliance with data protection law can be criticised by Ofsted and used as an indicator of poor data management in an Ofsted report.
What are the key changes that will affect schools?
1 Your policies and procedures must be transparent
2 Individuals will have greater rights to request information 3 You must notify the ICO about certain breaches
4 The grounds under which you can lawfully processing information are changing
5 You may have to appoint a data protection officer The GDPR will require that certain data controllers and processors must appoint a DPO. It is not yet clear if this will affect all schools, but even if it is not compulsory, it is best practice to appoint someone with knowledge about and responsibility for data protection who can help you to prepare for the changes.
6 You must be able to demonstrate that you have complied with the new requirements
7 You should train your staff and managers to ensure that they understand how the GDPR will impact on your school
We can help you
The Education Team at Irwin Mitchell have specialist data protection lawyers who are here to help every step of the way to help you understand what the requirements of the GDPR mean for your school and how to achieve compliance.
To learn more about what you will need to do and for a checklist of key things you need to start thinking about now, please contact:
For general enquiries
0370 1500 100
Or we can call you back at a time of your choice
Request a call back
Phone lines are open 24/7, 365 days a year
