We know it’s coming. The warning bells have been ringing and schools and academies have been preparing for May 25, 2018, when the General Data Protection Regulation (GDPR) will come into force. To ensure that you and your school’s data are ready to comply, Robert Landman, managing director, Spencers Solicitors, sets out what schools need to do and what they need to know.
The General Data Protection Regulation (GDPR) comes into force on May 25, 2018. Whilst that may seem some time away, the process of ensuring that an organisation is compliant can take a lot of resource, so organisations should be turning their attention to this issue now.
Schools are known as ‘data controllers’ under GDPR and, as such, have responsibilities and obligations for ensuring the information held on individuals is handled correctly and is secure.
What do schools have to do?
The first step is to understand what GDPR is and how it impacts you. GDPR is not being introduced as an administrative burden but to protect individuals from having their data disclosed to people and organisations who have no right to access that information.
The key decision-makers in the school need to understand the changes that are being introduced and what changes may need to be made in order to be compliant. Policies and procedures may need to be updated; IT security may need to be strengthened. You will need to appoint a Data Protection Officer and implement on-going monitoring to ensure continued compliance.
An information audit
Once those staff have been appointed, one of their first tasks will be to determine what information you hold, where it is held and why you are holding it – essentially, an information audit. Thought will have to be given to the grounds on which you are processing the data.
There are a number of lawful bases that can be relied on to retain and process data, and consent is only one of them. If none of those bases applies, and you do not have the individual’s consent, then you have no right to hold the data and will need to delete it. This is, potentially, a huge task, particularly for well-established schools which may hold records going back decades.
If the school shares personal information with third parties, it needs to be satisfied that those third parties have taken the steps necessary to be GDPR-compliant. Where personal data cannot be processed under any other lawful basis, schools will have to seek the consent of the individual to process it. Consideration will need to be given to the specific purpose for which the consent is being provided.
Under GDPR (Article 4(11)), consent must be:
- freely given;
- specific;
- informed; and
- unambiguous.
Schools will not be able to use pre-filled tick boxes or assume that a failure to object to their using an individual’s data gives them the right to use it. A process to ensure that consent is obtained, recorded and managed will need to be implemented.
The changes on the horizon
One of the big changes arising from GDPR relates to the information that individuals are entitled to be given: what you are going to do with their data, and why. Under the current legislation (the Data Protection Act 1998, or DPA), there are already certain requirements for what a school’s Privacy Notice must include, but these are increased considerably under GDPR. Template Privacy Notices are available, but it will be important that time is spent ensuring this document contains the prescribed information in an easy-to-understand and accessible format.
Ensuring digital safety
GDPR builds on the existing rights provided by the DPA to strengthen and protect individuals’ rights regarding their personal information. Rights such as the right to erasure (the ‘right to be forgotten’) and the right to rectification of inaccurate information mean that schools need to be aware of their obligations to these individuals.
Subject Access Requests (SARs), where an individual requests a copy of the information held on them, will also change under GDPR. Under the DPA an organisation could charge £10 and had up to 40 days in which to respond. Under GDPR the ability to charge for a request will be limited to circumstances where the request is ‘manifestly unfounded’ or ‘excessive’, and a request will have to be responded to ‘within one month’ (extendable by a further two months only where requests are complex or numerous, and the individual must be told within the first month that an extension is being applied). Although there are very limited circumstances in which a SAR can be refused, it will still be vital to have a process for dealing with SARs so that any such refusal can be justified.
We’re only human
The above steps deal with preventing data breaches; however, many breaches occur due to human error, and all schools will need to develop a process for use in the event that a breach does occur. It is crucial that schools know how to detect a breach and who any such breach should be reported to internally; that person must then know which breaches need reporting to the ICO, which breaches also need disclosing to the individual(s) involved, and why.
The time limit for reporting a relevant breach to the ICO is just 72 hours from the school becoming aware of it, so it is really important that an effective process is in place and staff at the school are aware of it.
Arguably the most important aspect of GDPR for schools is the provision for processing the personal data of children. Children are identified in GDPR as ‘vulnerable individuals’ deserving of ‘specific protection’. If services are being offered directly to a child, then privacy notices must be written in a clear, plain way that a child will understand. If online services are offered directly to children, then the consent of the child’s parent or guardian may be required: under GDPR a child under 16 cannot give consent themselves, although member states are permitted to lower that age threshold to no less than 13. It is likely that Codes of Conduct will be produced ahead of May 2018 providing further guidance on the issue of children and data protection.
A hot topic
GDPR is a hot topic and, rightly or wrongly, much of the media focus and headlines have been on the increased sanctions available to the ICO (fines of up to €20 million or 4% of global annual turnover, whichever is higher). The more work a school does to be as compliant as possible and to maintain on-going compliance, the less likely it is that a breach will occur. In the event of a breach, the ICO is likely to look more favourably on a school that has taken its obligations under GDPR seriously and done all it can reasonably have been expected to do to protect the personal data of individuals.