The General Data Protection Regulation (GDPR) has no doubt been well-embedded into your school’s processes and procedures – you will have your data protection officer in place and your school staff educated in what is required to ensure compliance.
There is, in fact, such a height of awareness in schools that the sector has the highest reported number of breaches ever reported. Helen Goldthorpe, an experienced commercial and IT lawyer at Shulmans LLP, explains.
The education sector has received one of the highest numbers of self-reported breaches of any sector according to The Information Commissioner’s Office (ICO) annual report for 2017 to 2018. The report provides a fascinating insight into the ICO’s priorities and the impact that GDPR enforcement will have on the education sector, as well as an indication of how data controllers are changing their approach to notification of breaches.
One of the most obvious impacts of GDPR will be on the number of breaches reported to the ICO. Historically, breach reporting has been optional – with no obligation to tell the ICO – although major breaches have increasingly been reported voluntarily. The annual report figures state that in 2016 to 2017, 2,565 breaches were reported, jumping to 3,311 in 2017 to 18. The annual report covers the period to March 31, 2018 – so before GDPR came into effect – which makes the jump even more striking.
This does not necessarily mean that there were more breaches; it could simply be that a higher proportion of them were notified to the ICO. Carrying out GDPR preparation work may have helped organisations to identify potential breaches more easily and the heightened awareness during this period could have led to the jump in notifications.
In addition, at Shulmans, we have worked with clients who treated pre-GDPR breaches as an opportunity to test their breach response processes and engage with the ICO while the stakes were a little lower, which could also have led to the early increase in notifications. Recent comments from the ICO have confirmed that this is a trend they have seen more widely.
Heightened awareness and over-reporting
Early figures suggest a further increase to 367 reports in April, 657 in May and 1,792 in June 2018. This means that, in June, there were nearly eight times as many reports as in an average month in 2016 to 17. Heightened awareness is still likely to be one cause for this, but there is also the probability of over-reporting at this stage.
Until organisations have a clear understanding of what the ICO considers to be a sufficiently serious breach to require reporting, it is safer to report and hope that the ICO takes no further action, rather than not report and risk criticism for that decision at a later stage.
Another reason for over-reporting is that individuals are also more aware of data protection issues because of the publicity around GDPR. We have advised on incidents arising from data subject complaints relating to instances we considered to be non-reportable, where a voluntary report was made to pre-empt a notification being made by the individual.
Although between 60% to 70% of the reports in the period covered by the annual report resulted in no further action, this proportion is reducing, and it is becoming more common for the ICO to require action from the data controller following a notification. Even if no further action is taken, typically, the ICO will retain a record of the incident on file and reference it in future should any issues within the same organisation arise. For the remainder of reports there were a range of outcomes, from requiring a specific action through to fines; at this stage, appropriate engagement with the ICO can be crucial to reducing the chance of an organisation receiving a harsh outcome.
ICO engagement with data subjects
One surprising outcome of the report is that the majority of calls to the advice line came from individuals rather than businesses; given that the ICO has introduced a new ‘phone line to give advice about GDPR preparation, we would have expected the proportion of calls from businesses to be higher than 32%. Although there were 235,672 calls to the helpline, only 21,019 ‘data protection concerns’ were received, which indicates that a significant proportion of the ICO’s work continues to be advice and guidance rather than investigation and enforcement.
There is also a striking disparity between the number of self-reported incidents (3,311 in 2017 to 18) and the number of concerns raised by the public (21,019 in the same period). Around 40% of these relate to subject access requests which have, historically, been the key issue that individuals are aware of when it comes to data protection. This is likely to continue to be a high-profile issue, but it will be interesting to see the number of complaints arising in future relating to other new data subject rights, or the legitimacy of data processing, both of which have been the focus of commentary in recent months.
It is unsurprising that around 30% of complaints result in no action for the data controller, as sometimes complaints to the ICO will not be worthy of further investigation; indeed, organisations may not ever know that these complaints have been made against them. Furthermore, around three per cent do not raise Data Protection Act issues.
However, the report indicates that there is then a wide range of outcomes including requiring action, giving advice to the data controller and agreeing an action plan. These outcomes all involve the ICO working with organisations to explain how to improve their data handling and the data controller then implementing action points; together, these amount to around 35% of cases. Cases which result in a financial penalty are a small proportion of the total and often involve either a major breach or a failure to engage with the investigation. Therefore, as with data breaches, engaging constructively with the ICO is critical at this stage in order to achieve the desired outcome.
Privacy and Electronic Communications Regulations
The report also gives an indication of the number of complaints made about marketing and cookies under the Privacy and Electronic Communications Regulations (PECR). The volumes are much higher than data protection complaints, although this is the only area of the ICO’s workload where there has been a decrease in the number of concerns reported in the last year. The majority of complaints relate to telesales calls and it is likely that the ICO receives multiple complaints about specific companies. The report does not indicate how these concerns are resolved, although a large proportion of the ICO’s monetary penalties relate to marketing calls so it could be assumed that this is the more likely outcome for this type of complaint.
We also expect the number of concerns in this category to rise, not only due to GDPR and the tightening of the rules around consent, but also because PECR is likely to be replaced by a new regulation in the near future and this may lead to increased awareness of the issue.