Since 2018 – and possibly before – you’ve probably heard a lot about the General Data Protection Regulation (GDPR). It’s a law from the EU that sets out how organisations can use people’s personal data, and from some of the headlines, it seems like it applies to everyone and everything.
Thankfully, this isn’t the case, but it is an important law and it does apply to schools’ data, so we need to make sure we meet its requirements.
Who is affected?
In school, some people will be more affected than others, but everyone has a role in data protection.
Our leadership team is responsible for making sure the school's data protection activities meet the GDPR's requirements. The Headteacher and Bursar(s) ensure that everyone else knows how to handle personal data, which means we have policies and procedures that anyone can follow, and they lead a culture of data privacy. The GDPR leads attend training on the GDPR, such as a GDPR Practitioner qualification.
The Data Protection Officer (DPO) is responsible for checking that we are handling data properly and advising us on how to do so. They understand data protection law and how the school uses personal data. In our school the external DPO is Mrs L.Sutton.
Everyone in school needs to understand and follow the policies and procedures for handling personal data and lead by example in how they handle the data in their care. Everyone receives some kind of training so they know where to find the right procedures and when to ask the DPO or leadership team for support. Some roles also have additional duties, such as those involved in child protection or contracts with suppliers, and some staff may be asked to help with data protection activities such as data protection impact assessments (DPIAs).
What do I need to know?
Some of the key facts about data protection in schools:
1. Reporting data breaches
A data breach is any instance in which personal data is accidentally or unlawfully disclosed, destroyed, lost or altered, or in which there is unauthorised access to personal data. Where the breach poses a risk to the rights and freedoms of the data subjects whose data has been compromised, it must be reported to the Information Commissioner's Office (ICO) within 72 hours of the school becoming aware of it. A breach that poses no such risk does not need to be reported to the ICO, but it must still be recorded internally.
2. Understanding when schools need to report a data breach
All data breaches must be reported as soon as possible to the relevant person in school, such as the DPO, who decides whether the breach needs to be reported to the ICO. The GDPR states that any breach that could lead to physical, material or non-material damage to an individual should be reported. In the school setting, this includes breaches that could cause discrimination (including bullying), identity theft or fraud, financial loss, reputational damage, or loss of confidentiality of personal data protected by professional secrecy.
3. Transferring data
Personal data moves around a lot, but there are rules about how this can be done. It’s useful to split this up by who the recipient is:
Processor in the UK
This might include companies that provide cloud (online) software or apps. Personal data can only be sent to a processor if there is a contract in place that requires the recipient to protect the personal data. Remember that some processors store or back up data outside the UK even if the company itself is UK-based; in that case, treat the transfer as if it were going to a processor outside the UK.
Processor outside the UK
A lot of processors are based outside the UK, especially cloud service providers. As well as making sure there is a contract guaranteeing that the personal data will be protected, other measures (such as an adequacy decision for the destination country or additional contractual safeguards) may be necessary to ensure data subjects' rights are protected. Check with the DPO before any personal data is sent outside the UK.
The data subject
Data subjects have a number of rights under the GDPR, including the right to access their personal data. They can ask for access whenever they like and the school must provide it. This is normally done through a data subject access request (DSAR). A DSAR can also be used to exercise their other rights, such as asking for inaccurate data to be corrected.
Possibly the most important point about DSARs is that there is no required format: a data subject can ask in person, over the phone, by email, by letter or by any other method, and the request is still valid. Anyone who receives a request must pass it to the DPO promptly so that the deadline is not missed.
The GDPR says that DSARs must be responded to within one month (with extensions possible under some conditions, such as complex or numerous requests), and we keep a record of each request, as well as how and when it was fulfilled.
Children have the same rights as anyone else under the GDPR, but there are additional requirements to protect their data. Children can consent to processing just like an adult as long as they are considered competent; otherwise consent must be given by their parent or guardian. For most data processing in school, consent is not the lawful basis; it applies only to processing such as adding a child's photograph to the school website or sending their details to the local press.
For ‘information society services’ that require consent, however, the child must be at least 13 to consent. Information society services are any service provided over the Internet, such as social media, e-commerce sites, and so on, and may need consent for some of their processing activities. If your school uses any services like this, you should ensure that consent is given by the appropriate person.
Any app that will be used to store or process the personal data of pupils or staff needs to comply with the GDPR, and the school must check that the app's terms and conditions reflect this. Depending on the app, we may also need a contract between the app developer and the school, as with any other processor.
What about Brexit?
While Brexit means that EU law has not generally applied in the UK since 1 January 2021, the GDPR has been passed into UK law as the UK GDPR. This is nearly identical to the EU's version of the law and makes little difference to most schools, unless they use processors that are based in, or store data in, the EU or elsewhere outside the UK, or have students or staff who spend part of the year living in the EU.
Under the UK GDPR, the only supervisory authority (data protection regulator) is the ICO, which provides a lot of guidance on data protection.