Data is powerful. Modern technologies, ‘big data’ and the Internet of Things (IoT) are revolutionising the way we as educators are tackling major issues facing schools and academies today: from improving attainment and progress monitoring, safeguarding staff & pupils, vetting & barring, improving teacher recruitment and retention to ways of stretching budgets further. But, and it’s a ‘big’ but…..with the General Data Protection Regulation (GDPR) coming into force this May, there are considerable implications and modifications that must be made by schools and academies to ensure that compliance with European standards.
Firstly, to clarify, the aim of GDPR is to have international consistency around data protection laws and rights and to protect an individual’s personal data across Europe. As schools and academies generate and retain a significant amount of sensitive personal data, it is essential GDPR compliance requirements are met and embedded throughout all existing policies, procedures and practice. Whilst there are similarities with the existing UK Data Protection Act 1998 (DPA), this new legal framework updates requirements introducing clear laws with safeguards in place for the growing reliance on digital mediums.
Over the past six months, I have spent considerable time with schools and academies, working closely with leadership to develop a new SSS training course to help support that journey towards GDPR compliance.
Here are some of the top questions I’ve been asked, and some basic pointers to think about.
How important is it that we comply by the deadline?
Critical – there are higher penalties for non-compliance than ever before. Under the GDPR, the amount the Information Commissioner’s Office (ICO) can fine has increased from £500,000 to £17million, or four per cent of global turnover (whichever is greater). In addition, the reputational damage could have a significant impact too if your school or academy creates a breach!
So, where do we start?
The best place to start is to implement an information audit. The information audit will provide you with a comprehensive picture of what data is held by your institution, where it comes from and in what form, who it is shared with, how it is stored and how it is deleted. Completing this audit will help ensure robust procedures are in place to detect, report and investigate a data breach.
Do we need a bespoke GDPR policy?
Yes! Ratified by governance, this policy should as a minimum requirement include the following; an explanation of your legal basis for processing data, your school or academy data retention periods, who will act as the data controller or data protection officer, how your school or academy will seek, obtain and record consent, arrangements for data sharing with 3rd parties, school or academy procedures for the main rights of individuals, how individuals can raise a complaint with the ICO if required, measures in place to detect, report and investigate a personal data breach and annual GDPR audit arrangements. Transparency is key. In addition to publishing your GDPR policy, make your bespoke Data Privacy Notice freely available.
How do we make sure all our staff are compliant?
It is crucial that comprehensive training is provided to every member of staff who comes into contact with personal data. In a school or academy, the reality is that all staff and contracted enhanced provision e.g. clubs, will collect and manage personal data. It is also critical that they are individually assessed to ensure comprehension. Governance should also make their GDPR policy available and ensure staff understand the procedures bespoke to their institution. This should also extend to anyone responsible for data input e.g. supply staff, volunteers and extra-curricular activity contractors.
What should we do about old computer equipment?
Under GDPR, it is illegal not to have a formal contract e.g. Service Level Agreement in place with whoever is responsible for recycling or disposing of school or academy IT equipment. The contractor must be able to demonstrate competencies and accreditations for IT asset disposal. I’d also recommend obtaining their GDPR policy and Data Privacy Notice.
What does the GDPR mean for child protection?
Under the GDPR, children are afforded specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerns and their rights in relation to the processing of personal data. The GDPR raises the age at which a child can give their own consent from 12 to 16 years-old. An example of where this changes things in the school environment; where in the past, 12 to 15-year-olds could give consent to download an app onto their personal device, schools will now need to seek parental approval. The most important take-away is that any information given to, or communication with, a child must be in “such a clear and plain language that the child can easily understand”.
What documents might we hold at school that fall under GDPR?
Personal data, both current and historic, is any information, paper documents, digital records, photos or video footage, from which individuals can be identified. This includes pupil data, HR, CPD and performance management data, parent/carer and staff contact details and SLAs. Under GDPR, the definition of personal data is more detailed and includes a wider range of personal identifiers which constitute personal data, reflecting the changes in technology since the last standard in 1998.
Have we appointed a Data Controller?
As the legal body which determines the purpose and means of the processing of personal data, the Data Controller is legally required under GDPR. In real terms, this is the responsibility of the Governing Body or Trust, with overseeing and coordinating duties delegated to a governor or director. They are responsible for and must be able to fully demonstrate compliance with the principles of the GDPR.
What is a Data Processor and how many do we have?
A data processor is anyone who processes data on behalf of the Controller. In practice, this means anyone responsible for data management, processing and/or who has access to pupil or staff data falls under this remit. As said before, the likelihood is, that at some point, everyone within a school or academy will be a processor so it’s essential that they understand and adhere to the wishes of the Controller.
What is consent all about?
Under GDPR there is a far greater focus on personal consent and the ‘right to be forgotten’. The ICO has a useful checklist, ‘Asking for Consent’ which is worth checking out. GDPR also changes the rules for dealing with Subject Access Requests (SARs). The timescale for complying for instance, has been reduced from 40 days to one month. In most cases, a charge cannot be made for complying with a request, unless this involves excessive requirements.
The ICO has a useful portal updated regularly which can be accessed here.
Disclaimer: The information presented above is not legal advice, is not to be acted on as such, may not be current and is subject to change without notice. You should seek professional legal counsel before taking any action.