GDPR – Getting your school Developed, Prepared and Ready!
4 September 2018
We appreciate how much work is involved in ensuring that your school is GDPR-compliant and have therefore developed a Menu of Services for clients to be able to choose those areas where you would like us to assist and where you would prefer to progress things in-house. If you would like us to send you a copy of the Menu, please contact us to request a copy.
Where are we now?
The Data Protection Act 1998 is based on laws written 3 years before Google was even incorporated and when Mark Zuckerberg was 11. We are living in a completely different digital world and the General Data Protection Regulation (GDPR) is intended to update data protection law accordingly.
The GDPR has direct effect in EU member states and its provisions became effective on 25 May 2018. The UK government has confirmed that it will continue to apply regardless of the UK's decision to leave the EU.
In the UK, the GDPR is supplemented by the Data Protection Act 2018.
In terms of guidance, the Information Commissioner's Office (ICO) has produced and is regularly updating its 'Guide to the GDPR' document which sets out the key changes in the law and a summary of individuals' new rights, available here.
Why does GDPR matter to schools?
All schools handle personal data in some form, whether it belongs to parents, prospective parents, pupils, applicants, staff or suppliers. Policies and practices developed under the Data Protection Act 1998 will, unfortunately, not necessarily be GDPR-compliant.
The regulator has the power to issue fines of up to €200 million or 4% of global turnover for a breach of the GDPR.
Most schools will have started their GDPR preparations already but will be at different stages of compliance; none will have fully completed its preparations since GDPR-compliance is an ongoing process. For the moment at least, the ICO is unlikely to impose sanctions on you as long as you have a plan in place to bring you into compliance and are making a good faith effort to put the plan into action. However, as 25 May 2018 recedes into the distant past, the risk of ICO sanction for non-compliance increases as does the risk that your school's inspection rating from Ofsted/ISI could be seriously affected if policies and procedures for managing data are not in place.
Concepts and definitions
The GDPR will apply to the processing of all personal information.
- Personal data is any information relating to an identifiable, living individual (also referred to as a data subject).
- Processing of data means anything you do with personal data, including collecting, recording, storing, organising, altering, retrieving, using, disclosing and destroying personal data.
- The controller means the person or body which determines the purposes and means of the processing of personal data. Schools will generally be controllers.
- The processor means the person or body which processes personal data on behalf of the controller. Some of your suppliers will be processors.
The six general principles set out in the GDPR are available here. Controllers (including Schools) must comply with these principles and be able to demonstrate that they have done so.
- Raise awareness internally
It is important to continue to raise and maintain awareness within your school. Governors, senior leadership teams and other key individuals should be aware of the impact of the GDPR on your school.
Staff should be consulted about current practices at your school to ensure that every aspect of your data processing has been considered and included in your Data Audit Process. Changes to policy and procedure should be incorporated into your regular training programmes for all staff. New staff should be trained appropriately before they are permitted to access personal data and you should also consider the training requirements for those staff that will handle personal data and special category data regularly. They will need enhanced training.
- Decide who will be responsible for reviewing policy, practice and practical changes on the ground
In order to implement and maintain GDPR compliance within your organisation, we would suggest appointing an individual or team to be responsible for reviewing the current position and advising on the changes that are needed in order to become, and to stay, compliant. This task may be included in the role of your Data Protection Officer (DPO), discussed below.
- Designated Data Protection Officer
Maintained schools and academies are required to appoint a DPO. There is no such legal requirement at this stage for independent schools to appoint a DPO. We would recommend appointing someone to take charge of implementing the changes in policy and practice at your school, with a suitable alternative job title, such as Data Protection Lead, Data Compliance Officer or Data Manager.
If you do not already have a designated person for managing and dealing with data protection issues, consider how this task will be delegated to an existing member of staff or whether you need to recruit someone to help or outsource the role (see below). In considering this appointment, bear in mind employment angles, such as whether you need to review an existing role or job description or employ a new member of staff. Be aware that the ICO guidance clearly states that you should avoid conflicts of interest here.
On the topic of employment advice, all staff contracts and handbooks will need to be brought up to date with the new legislation. Our Team can advise you on whether this will be a relatively straightforward addendum to an existing contract or whether further action is required.
- Conduct an internal audit of the personal data that you process as a school
If you haven't already done this, you should make it a priority, even if your GDPR compliance is already well underway. You will be required to demonstrate your compliance with the new regulations. A good place to start is to conduct an 'information audit' of all of the personal data you hold. This is not a review of all school records - think about the 5 "W"s:
1. Who – who are your data subjects? Who is receiving the data? Who has access?
2. What – what do you collect/hold/process? What is the source of this data?
3. When – when do you collect data and how? How long do you retain it?
4. Why – what is your purpose for processing and have you identified a lawful basis for processing this information? Will your purpose change in the future? Have you chosen to rely on consent?
5. Where – where is the information stored and in what format?
These are just a few of the key considerations. If you need more help with this task, we have prepared a Data Audit Tool to assist you with this review which, once complete, will also satisfy your School's record-keeping obligations under Article 30 of the GDPR.
Schools interact with a number of different categories of data subject: parents, pupils, staff, governors, contractors, website users, etc. Policy documents and Privacy Notices need to be relevant to each category of data subject and this tailoring will be informed by your Data Audit.
- Determine your lawful basis for processing
The 6 lawful bases for processing are that it is:
- Done by consent (note: this needs to be GDPR-compliant consent)
- Necessary for the performance of the contract
- Necessary for compliance with a legal obligation
- Necessary to protect the vital interests of a data subject or another person
- Necessary for the performance of a task carried out in the public interest
- Necessary for the purposes of legitimate interests pursued by the controller or a third party, except where these interests are overridden by the interests, rights or freedoms of the data subject.
You will need to explain the lawful basis for processing personal data when you issue privacy notices or respond to Data Subject Access Requests, so this is a necessary task to complete.
Where you are relying on the consent of the individual in order to process their personal data, you should review how you obtain and record consent. The GDPR raises the bar for the standard of 'consent' which means offering individuals genuine choice and control. Statements of consent must be clear and specific in relation to the activities covered and will need to be updated if anything changes. You must also keep evidence of consent to include who, when, how and what you told people at the relevant time. Be prepared for the fact that consent can also be withdrawn. For these reasons, we recommend that you avoid relying on consent if you can.
- Children's data
The GDPR generally imposes a heightened compliance threshold in relation to children (for example, privacy information must be particularly clear when it is directed towards children) but introduces few specific rules in relation to the processing of children's personal data.
The exception is where consent is used in relation to the offer of information society services to a child. In these circumstances, the processing is lawful if the child is at least 16 years old. If the child is under the age of 16, they cannot give that consent themselves and consent is required "from a person holding parental responsibility". The GDPR provides for member states to reduce the age at which consent can be given by a child and the Data Protection Act 2018 does lower this age to "13 years" in the UK. Technically, this means that any child aged 13 or over may be able to provide consent themselves.
If you choose to rely on parental consent to process information relating to pupils, schools should consider how they will ensure that the necessary consent is obtained, including verifying that it is the parent/guardian with parental responsibility for the child who is giving it.
Parents should be aware that in some circumstances they may not be consulted on the request or receipt of consent from the child/young adult. This is not a straightforward area to deal with and it will ultimately depend on the age, maturity and understanding of the child/young adult, the interests of the child/young adult, the parents' rights at law and all the circumstances. Schools should consider the general approach they will take and make sure that this is clear in their updated Data Protection Policy.
- Record-keeping obligations
Under the GDPR, you are required to maintain internal records of the processing activities that you undertake. These must include:
- The name and details of your organisation (and where applicable, of other controllers, your representative and DPO);
- The purposes of the data processing;
- A description of the categories of individuals and categories of personal data;
- Categories of recipients of personal data;
- Details of transfers to third countries;
- Retention schedules; and
- A description of your technical and organisational security measures.
Although there is an exemption from this record-keeping obligation for smaller organisations carrying out low risk processing, our advice is that all schools will need to keep some records, regardless, because you will regularly be processing special category data belonging to children and criminal offence data belonging to staff.
The GDPR imposes additional obligations on all organisations, regardless of size and risk, to record data breaches, consents and processor terms that form part of their contractual arrangements with suppliers.
Clear and careful consideration needs to be given to who will be responsible for maintaining and updating the records. The Governing Body of the School will have ultimate responsibility for ensuring that the relevant checks and balances are in place, so the Chair of Governors and the Board should also be considering these issues and giving some clear direction to their senior management team.
Under the general obligation that you have under the GDPR to show that you have considered and integrated data protection into your processing activities, you should consider whether it is necessary to undertake a Data Protection Impact Assessment (DPIA). You must carry out a DPIA when you are using new technologies, where there is a high risk that an individual's right to privacy may be infringed, or when processing sensitive personal data. Please get in touch with one of our team for further advice and information.
- Prepare for changes in relation to individuals' rights
The rights provided to individuals are maintained and enhanced significantly in the GDPR. In summary, individuals will have the right to:
- be informed
- access the data that you hold on them, and have incorrect records rectified
- have data that you hold on them erased
- block or restrict how their data is processed
- obtain and reuse their personal data, and
- object to direct marketing, processing for research or processing based on legitimate interests.
You should ensure that your DPO and those who manage your data systems and deal with subject access requests are aware of the changes. One significant change is that a copy of the information must be provided free of charge – the automatic right to charge a subject access fee of £10 has been removed.
In order to test your systems, consider how you would deal with a data deletion request and ensure that you have the IT capability to comply with a subject access request within the new time limit (of one month of the date of receipt of the request) and in an electronic form.
- Review data sharing arrangements
You should be aware that the GDPR imposes obligations on both 'data controllers' and 'data processors'. Schools will usually be controllers, but there may be instances where you are a joint controller or act as a processor on behalf of another controller.
If you share data with other organisations, outsource particular functions or obtain data from external companies, you should review the contracts that you have in place to document these arrangements. You need to be satisfied that the organisations you work with process data in accordance with the GDPR, because the controller and processor will share responsibility for any breaches.
The DfE is aware of the number of data sharing arrangements that schools have with their suppliers. If you are responsible for working with your School's suppliers and updating your contractual arrangements, you might find it useful to have sight of (and refer to) the letter published by the DfE to school suppliers, which can be found here.
- Update Data Protection Policy and Privacy Notices
Documents prepared under the Data Protection Act 1998 will not be GDPR compliant. In particular, the GDPR sets out more specific and detailed rules in relation to privacy notices.
The purpose of a privacy notice is to explain to individuals how your organisation uses their information in clear and plain language (particularly where it is aimed at a child) in a way that is concise, transparent, intelligible and easily accessible. You may need a number of Privacy Notices, depending on your intended data subject – for example: Parents, Pupils, Staff, Governors and Contractors.
It is critical that Privacy Notices contain all essential information, including: the legal basis for processing personal data, how long you retain the data and the right to complain to the ICO if the individual is not content with the way that you are handling their data.
A completed Data Audit will greatly assist with drafting these documents. We would advise you to take the time (and seek advice, if required) to get your Data Audit right before drafting additional policies or privacy notices based on this information.
- Plan for a data breach
It is advisable to plan ahead and have in place a Data Breach Response Plan or procedure that will be followed in the event of a breach. This should include examples of data breaches that would require reporting as well as how and to whom reports should be made (both internally and externally) to ensure that the duties and responsibilities are clear.
The GDPR introduces new mandatory reporting requirements for data breaches. A data breach must be reported to the ICO without undue delay and within 72 hours of your becoming aware of it, except where it is unlikely to result in a risk to the rights of individuals. There is an additional requirement to report a data breach to affected individuals without undue delay where it is likely to result in a high risk to their rights and freedoms.
You should ensure that you have procedures in place to be able to detect, investigate and report a breach within the relevant timescales.
In summary, the GDPR is largely based on the same common sense principles as the old Data Protection Act 1998 and you should now be seeing the practical impact of the GDPR on your organisation.