This article first appeared in the autumn edition of the Magazine of the Boarding Schools’ Association
A hot topic for schools at present is what steps they should take now in readiness for the GDPR which comes into force next May.
By way of background, GDPR will entirely replace our current Data Protection Act 1998 (DPA). Some of the precise detail as to how the GDPR will be implemented has yet to be decided. Hopefully this note will be a useful starting point; further information and guidance will be released as May approaches. Our advice is not to feel overwhelmed by the proposed changes; much of what follows is, I hope, common sense.
Step 1 – Raise Awareness
Key decision makers in schools need to know that data protection law is changing and how those changes will affect how the school is run. Schools should use the lead-in period to get ready and raise awareness of the upcoming changes.
Step 2 – Accountability
One of the main features of GDPR is that compliance alone is not enough; schools, as data controllers, will also have to demonstrate compliance. These measures include Privacy Impact Assessments (PIAs), data protection audits, and policy reviews. The Information Commissioner’s Office (ICO) has produced a Code of Practice on PIAs which will help guide schools through the process.
To get started, schools should review and document the personal data they hold, identify the source, who it is shared with and the legal basis upon which data is being processed. This exercise is commonly called a data protection audit (or data mapping) and can be deployed across the entire school, or confined to distinct areas within it. Unless schools know what personal data is held and how it is being processed, it will be difficult to comply with the GDPR’s accountability principles.
A benefit of a data protection audit is that it maps the flow of personal data into and out of the school, and can be used to measure the degree to which the school complies with the law and identify ‘red flags’ which require urgent attention. High risk areas are likely to be the issue of demonstrating necessary (and clear) consent and the school’s development functions.
Schools will continue to be subject to an obligation to take organisational steps to keep personal data secure, and the deployment of staff data protection training will continue to be expected although not mandatory. In our view, new starters should receive data protection training before they have access to personal data and existing staff should receive regular refresher training (perhaps annually).
Step 3 – Communicating Data Protection/Privacy Information
Under the DPA, schools are legally required to provide certain minimum information to individuals (including staff, pupils and parents) about how their personal data is processed. This is commonly provided through a privacy notice which is often incorporated into the school’s Data Protection Policy.
Under GDPR, the list of information which has to be provided to individuals will increase significantly. Some of the information has to be communicated in all cases (mandatory privacy notice information) whilst a second subset of information need only be provided in specific cases e.g. if the school intends to process the personal data for further different purposes than those that existed at the time of collection.
Step 4 – Legal Grounds for Processing Personal Data
Under GDPR, schools will need to know the legal grounds for processing personal data and in some cases explain it to pupils and parents. For example, it is likely that the legal basis for processing pupil images for identification purposes will be because the processing is necessary for the contract. In contrast, the legal basis for using pupil images for school marketing and on the school website is likely to be consent.
Schools should look at the different types of data processing they carry out and identify and document the legal basis for each via the data protection audit.
Step 5 – Consent
Schools should review how they seek and record consent for the processing of personal data and consider if any changes are required under the GDPR.
Just as with the DPA, schools can still rely on ‘consent’ as a legal ground to process personal data e.g. to use pupil images on the website, to send fundraising and marketing messages to parents and alumni, or to publish pupil news on social networking platforms. However, satisfying the criteria for valid legal consent will be harder under GDPR.
Separate consents must be obtained for different processing operations. It must be distinguishable from other matters and not buried in wider written agreements, such as the parent contract, which often incorporates consent for a multitude of processing activities. Under GDPR, consents should be separable from other written agreements.
To Do List
- Review the school’s terms and conditions of the parent contract, acceptance forms and consent forms so they meet the higher standards of GDPR.
- Abandon the use of pre-ticked opt-in boxes, and carefully consider the use of opt-out boxes to ensure they comply with GDPR. The use of the opt-in box is far more likely to result in GDPR compliance.
- Get clear consent for the different uses of personal data. Don’t bundle-up or bury consents within broader contracts.
- Review your systems for recording consent to ensure you have an effective audit trail to demonstrate that consent has been given.
Step 6 – Right of Subject Access (SAR)
As with the DPA, GDPR will continue to allow individuals to ask the school to give them a copy of their personal data together with other information about how it is being processed by the school. (This is known as a SAR.)
Under GDPR, the main changes are:
- Now free in most (but not all) cases (used to be £10)
- Manifestly unfounded or excessive requests can now be charged for or refused
- Deadline reduced from 40 calendar days to “within 1 month”. This deadline can be extended in certain cases
- Additional information to be supplied e.g. school data retention periods and the right to have inaccurate data corrected
- If you want to refuse a SAR, you will need to have policies and procedures in place to demonstrate why refusal of the request meets the “manifestly unfounded or excessive” criteria.
Step 7 – Personal Data Breaches
All schools will have to adopt internal procedures for detecting, reporting and investigating a personal data breach. The reason for this is that GDPR introduces mandatory breach notification to the Data Protection Authority (the ICO) and in some cases also to affected individuals. You should also maintain an internal breach register.
The good news is that there is time to plan for GDPR and as the ICO releases further guidance, schools may wish to keep an eye on the ICO website for updates.