The way in which personal data about staff, pupils and their families and legal guardians is used and protected at your school, academy or trust is set to change in May 2018.
It may feel like a long time away, but it is fast approaching and you need to start planning for the changes now.
In this article, we will explore what some of the changes mean for your school and how best to prepare.
What is changing?
The EU General Data Protection Regulation (GDPR) will replace the current Data Protection Act.
The UK government has been clear that, despite the result of the Brexit referendum, it will implement the regulation.
Some of the most important changes include:
- In cases of data breaches, for example an accidental loss of data, businesses must notify the relevant data protection authority (in the UK, this will be the ICO) if the breach is likely to result in a risk to the rights and freedoms of individuals. This must be done without undue delay and no later than 72 hours after becoming aware of the breach. Data subjects must also be informed without undue delay about breaches that could pose a high risk to their rights and freedoms.
- A subject may request for their data to be deleted if, for example, there are no legitimate grounds for retaining or processing the data. This is known as the right to be forgotten or right to erasure.
- When a subject’s consent is required, this must be freely given by means of a clear affirmative action, such as a written statement. Silence or inactivity is not a sign of consent. In employment, there is a question as to whether an employee can legitimately consent to most processing, so it will be important to look at why, and how, you process employee information.
- Organisations must appoint a ‘Data Protection Officer’ if they are a Public Authority, process sensitive personal data on a large scale, or regularly and systematically monitor data subjects on a large scale.
- The GDPR imposes higher maximum penalties for failure to comply, including fines of up to €20 million or 4% of annual global turnover (whichever is higher).
- The GDPR scraps the option of employers charging a fee for subject access requests. The only exception to the general rule is if the request is ‘manifestly unfounded or excessive’. The employer must respond to a subject access request within one month, which may be extended in certain circumstances, for example, if the employer has to deal with a particularly complex issue or numerous requests.
- One of the biggest changes is the need to show how data controllers are complying with the GDPR – this has been called the “Accountability Principle”. This can be done by, for example, having up-to-date policies in place, ensuring that staff are appropriately trained on data protection issues, and having data protection at the forefront of your mind when processing data.
How should schools prepare?
While there are still a number of outstanding matters in terms of guidance on elements of the GDPR, the ICO has laid down some key steps you should be taking now:
- Make sure that the decision makers at your school are conscious that the law is changing.
- Audit what personal data you currently possess, the source of the data and who it is shared with.
- Review your current data security measures to ensure that they are adequate.
- Create a plan for making all the necessary changes in time for May 2018.
- Review your procedures to ensure they cover all the rights individuals have.
- Revise your procedures with regards to managing subject access requests.
- Pinpoint the legal basis for the processing of data.
- Reassess how you acquire, record and manage consent.
- Reflect on whether you need to put systems in place to verify your pupils’ ages and to acquire parental or guardian consent for the processing of data.
- Ensure you have the procedures in place to identify and report breaches.
- Consider whether you need a Data Protection Officer and if so, find someone to take on this responsibility.
Both the ICO and Ofsted will be keen to see that you have the proper policies in place. An e-safety policy will also be helpful to show how you protect the data of staff, pupils, and pupils’ parents or legal guardians from viruses, phishing, attacks on networks and systems, and the loss or destruction of data.
The ICO has lots of useful guidance on its site, which can be found here.
We support more than 400 schools and education providers with their HR and Employment Law challenges, so give us a ring to find out how we can support you.