Data Protection – important issues affecting your school
There has been a recent 40% increase in reported data breaches in the education sector according to the Information Commissioner's Office ("ICO"), yet a Government report showed that, out of 13 sectors, the education sector spends the least on data security.
New initiatives such as use of body cameras in schools will raise new data protection issues.
In light of these findings, data protection compliance will need to be high on the agenda for schools.
The current data protection regime is being completely overhauled by the General Data Protection Regulation (“GDPR”) and you will have until 25 May 2018 to get your data fit for purpose and to comply with the new legislation.
How does it apply to schools?
GDPR will apply to all schools (including independent schools) and academies and it will also apply to any supplier you use to manage your data. Relevant data you may hold includes:
- Staff and student files – both paper and online
- Academic results and records
- Student and Parent contact details
- Attendance data
- Medical and special education needs information
- CCTV or other surveillance including any future use of body cameras
Specific issues for children’s data
Schools are in the unique position of processing large amounts of data about students under the age of 18. The position is relatively straightforward when dealing with younger children as you can get parental consent and engage with parents about how data is used. Once the student gets to a certain age, however, you have to explain to them how their data is used and potentially get their consent. This age is not set by the GDPR – it is to be set by the ICO. We don’t yet know where the line will be drawn but it could be as low as 13. What is clear is that it will be essential for schools to understand when they need to engage with parents and when they need to engage with the student. It will also be essential that your data protection information is clear and understandable to students as well as parents.
Isn’t this European Legislation and doesn’t Brexit mean schools won’t need to do anything?
Even though the GDPR is European legislation, the government have confirmed that it will still apply after Brexit. If you have put your compliance on hold following the referendum, now is the time to restart it.
What happens if schools don’t comply?
Schools will be liable for breaches of the GDPR and will be subject to fines. Academies, free schools and independent schools will be treated in the same way as businesses and will be subject to potential fines of up to €20 million or 4% of annual worldwide turnover. In some ways schools are in a worse position than businesses, as non-compliance with data protection law can be criticised by Ofsted and used as an indicator of poor data management in an Ofsted report.
Schools may also receive complaints from parents and be investigated by the ICO for any breaches or improper management.
What are the key changes that will affect schools?
1 Your policies and procedures must be transparent
A key theme of the GDPR is transparency. You need to be clear with individuals how you are using their personal data. The GDPR extends the list of information that must be provided to individuals and how this information is communicated to staff, parents and students must be carefully considered as any communication must be understandable by its intended audience. This is particularly important in the context of students. Your privacy policies and notices will therefore need to be reviewed and are likely to need amending.
2 Individuals will have greater rights to request information
An individual’s right to access their data will be extended and you will be required to respond to requests more quickly.
The information that can be requested will be more extensive than that required under Freedom of Information requests, which we are aware schools are increasingly receiving. In addition, you won’t be able to charge a fee for responding and individuals will also have the right to have their data transferred and the right to have their data corrected.
3 You must notify the ICO about certain breaches
Certain data breaches which impact on privacy will have to be notified to the ICO and the individuals affected within 72 hours of it happening. A data breach can be something as simple as putting the wrong letter in the wrong envelope. You will need to monitor your systems to know whether or not there has been a breach and put a reporting mechanism in place to pick these up.
4 The grounds under which you can lawfully process information are changing
Under the GDPR you will need to know what data you have, how you use it and be able to demonstrate that your use is permitted by falling within specified “lawful purposes”. One of these is that the individual has given you consent but this will be much harder to get. Under the GDPR any consent must be “freely given and informed”. Individuals will be able to easily withdraw their consent and you will also need to periodically refresh any consents given.
5 You may have to appoint a data protection officer
The GDPR will require that certain data controllers and processors must appoint a DPO. It is not yet clear if this will affect all schools, but even if it is not compulsory, it is best practice to appoint someone with knowledge about and responsibility for data protection who can help you to prepare for the changes.
6 You must be able to demonstrate that you have complied with the new requirements
You not only need to make sure you are doing the correct things to comply with GDPR, but must also have evidence to demonstrate that you have done so. It is essential that you maintain proper records and a clear paper trail to prove this.
7 You should train your staff and managers to ensure that they understand how the GDPR will impact on your school
Staff will need to understand the requirements of GDPR. In particular, key decision makers such as governors and trustees will require training. We recommend that you set aside additional management time and budget to meet the additional training requirements needed to get stakeholders up to speed. Actions required for GDPR compliance will be more burdensome than under the current regime and you can’t afford to be complacent.
We can help you
The Education Team at Irwin Mitchell have specialist data protection lawyers who are here to help every step of the way, so that you understand what the requirements of the GDPR mean for your school and how to achieve compliance.
To learn more about what you will need to do and for a checklist of key things you need to start thinking about now, please contact:
Joanne Bone on 0113 218 6429 or by email at joanne.bone@irwinmitchell.com
For general enquiries
0808 291 3524
Or we can call you back at a time of your choice
Phone lines are open 24/7, 365 days a year