Tightening up data processes

While schools are accustomed to complying with the Data Protection Act, they will need to prepare for some changes in the way they obtain, process and manage information once the General Data Protection Regulation (GDPR) comes into force

The General Data Protection Regulation (GDPR) is the biggest change to data privacy legislation in over two decades. It aims to protect citizen’s personal data across Europe, so that all countries operate to the same standards. It also takes into account technological changes in the past twenty years, such as the dominant use of computers, tablets, cloud computing, smart phones and social media.

The regulation comes into force on 25 May 2018 and will replace the current Data Protection Act (DPA). It introduces a number of changes that will impact schools, as well as higher penalties for non-compliance.

Schools hold vast amounts of personal data, not just on pupils (current and former) but teaching staff, assistants, governors, parents, catering staff, cleaners and so on.

Personal data is any information from which individuals can be identified. This therefore covers paper documents, digital records, photos and videos.
The GDPR also extends to third-party suppliers that store or process a school’s information.

Under the GDPR, there will be more emphasis on the rights of individuals, both in terms of consent and access to their own data.

For a long time under the DPA, ‘consent’ was open for interpretation. The new law makes it a lot clearer. There must be unambiguous indication of the subject’s consent which leaves no room for doubt.

Should an individual ever have reason to make a claim against a school, the burden of proof will fall on the school, so it will be essential that they keep audit trails to evidence that specific and unambiguous consent was freely given. This should be in the form of a statement or an affirmative action. It will no longer be acceptable to gain consent via passive ‘pre-ticked’ boxes and inaction.

The new rules place emphasis on shared responsibility, making everybody who handles and processes data liable, not just data controllers. Everybody will need to understand their obligations.

Schools should also be mindful of getting rid of old computer equipment. Under the GDPR, it will be illegal to not have a formal contract or Service Level Agreement (SLA) in place with your IT recycler and the company must also hold the minimum competencies and accreditations for IT asset disposal.

Fines and compliance
Under the GPDR, the amount the ICO can fine has increased from £500,000, which is the current maximum, to £17 million, or four per cent of global turnover (whichever is greater).

Whilst this is great cause for concerns for schools, where budgets are already stretched, the Information Commissioner Elizabeth Denham wrote in a recent blog that headlines on big fines “miss the point”. She wrote: “It’s true we’ll have the power to impose fines much bigger than the £500,000 limit the DPA allows us. It’s also true that companies are fearful of the maximum £17 million or four per cent of turnover allowed under the new law.
“But it’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm.”

Tom Healy, director of risk and compliance software firm CalQRisk adds: “The ICO has said that this new regulation is not about fines. It’s about putting the consumer and citizen first and issuing fines has always been and will continue to be, a last resort. That said, Schools generate and retain a huge amount of sensitive personal data and even if monetary losses are not sustained as a result of personal data being mishandled, the reputational damage to a school allowing a breach could be significant.”

Taking action
The Information Commissioner’s Office (ICO) has put together a guide on preparing for the GDPR.

The first step is to make sure that all decision‑makers and key people in the school are aware that the DPA is changing to the GDPR and that they understand the impact it will have.
The second step is to get a picture of the information the school holds. This could involve an information audit to help understand what data is held, where it came from and who it’s shared with.

The school should review its current privacy guidance. When you collect personal data you currently have to give people certain information, such as your identity and how you intend to use their information. This is usually done through a privacy notice.

Under the GDPR there are some additional things you will have to tell people. For example, you will need to explain your legal basis for processing the data, your data retention periods and that individuals have a right to complain if they think there is a problem with the way their data is handled.

Schools should check their current procedures to ensure they cover all the rights individuals have, including how you would delete personal data on request.

The rights of individuals have been enhanced under the GDPR. Pupils and students have the right to see their personal information and they can make a subject access request to see it. They – and their parents – also have the right to see their educational records.

This is a good time to check your procedures and to work out how you would react if someone asks to have their personal data deleted, for example. Would your systems help you to locate and delete the data? Who will make the decisions about deletion?

The right to data portability is new under the GDPR. This means you have to provide the data electronically and in a commonly used format. If you use paper print-outs or an unusual electronic format, now is a good time to revise your procedures.

Schools should update their procedures and plan how they’ll handle requests within the new time scales of one month, rather than the current 40 days. Schools should also question their legal basis for holding data in case this information is requested.

When it comes to consent, schools should review how they are seeking, obtaining and recording permission and whether they need to make any changes. The GDPR is clear that controllers must be able to demonstrate that consent was given freely and unambiguously. You should therefore review the systems you have for recording consent to ensure you have an effective audit trail.

For children, schools must have systems in place to verify individuals’ ages and to gather parental or guardian consent for the data processing activity.

Data breaches
When it comes to data breaches, schools should make sure they’ve got the right procedures in place to detect, report and investigate a personal data breach.

The GDPR will bring in a breach notification duty across the board. Not all breaches will have to be notified to the ICO however – only ones where the individual is likely to suffer some form of damage. Note that a failure to report a breach when required to do so could result in a fine, as well as a fine for the breach itself.

There may be some instances where a school is required to do a Privacy Impact Assessments (PIA), for example where a new technology is being deployed which is likely to significantly affect individuals. Schools should therefore familiarise themselves with the ICO’s code of practice on Privacy Impact Assessments and work out how and when they would need to implement them.

Finally, schools should designate a Data Protection Officer or someone to take responsibility for data protection compliance.

Further Information: