The ICO has recently updated its guidance on international data transfers, but how does it apply to independent schools?
It does not take too much thought to identify the circumstances in which independent schools may be transferring data abroad. Just imagine a hypothetical student, let’s call her Megan, who wants to join your school. Megan lives in Australia but her parents would like her to study as a boarder in the UK. Her parents complete an online form on the school’s website to receive a prospectus and further information. You contact them in Australia to provide that information. This could amount to a “restricted transfer” under GDPR. You also contact Megan’s current school in Australia to request a reference. This could also be a restricted transfer.
Megan subsequently joins your school. Your school has a parent portal containing Megan’s and other students’ details. Megan’s parents access this information from Australia; potentially this is another restricted transfer. A few years later Megan signs up for a school trip to South Africa and the school sends her details to the hotel where they will be staying in Cape Town. Again, this is likely to be a restricted transfer under GDPR.
We could go on, but you start to get the idea: schools are likely to make international data transfers on a number of occasions, perhaps more than you think. Our example only highlights when a school might transfer student data abroad, but there may also be instances where the data of staff, volunteers, alumni and other individuals is transferred internationally. Therefore it makes sense for schools to map out their data flows (i.e. where the data goes) and, in particular, when transfers are made to countries not afforded the protection of the GDPR.
When does an international transfer become restricted?
We should say at this stage that the GDPR rules on international transfers – and the ICO’s associated guidance – do not cover all transfers outside the UK. Remember that GDPR is an EU law, so it covers all EU countries, and individuals across the EU are protected by it. What the GDPR restricts is transfers of personal data outside the EU (where the GDPR does not apply) unless the rights of individuals in respect of their personal data are protected in another way, or one of a limited number of exceptions applies.
If, in our example, Megan lived in Ireland – not Australia – the school would not need to consider this as an international transfer where GDPR restrictions would apply. Neither would the school be prohibited by these rules from transferring personal data if Megan and her family lived in New Zealand (or ten other countries or territories). For these countries or territories the European Commission has decided that they provide adequate protection for individuals’ privacy rights.
Exceptions and safeguards
But as Megan lives in Australia, what can a school do to ensure that it complies with GDPR rules on international transfers? Unlike New Zealand, Australia is not one of the eleven countries for which the European Commission has made an “adequacy decision”. Instead, the school will either need to rely on the parents’ explicit consent, which must be both specific and informed, or put in place one of the “appropriate safeguards” referred to in the GDPR.
On the face of it, explicit consent from Megan’s parents is an attractive option. However, the ICO quite rightly states in its guidance that “given the high threshold for a valid consent, and that the consent must be capable of being withdrawn, this may mean that using consent is not a feasible solution.” Rather, the school could put in place “appropriate safeguards”, which for a school are likely to take the form of a standard contract between the school and the companies concerned (e.g. provider of parent portal or website hosting).
The ICO’s updated guidance on international data transfers, which includes a useful series of questions to help you apply the GDPR rules to such transfers, can be found here.
For specific advice or queries, please contact Paul Watkins on 01242 216173 or firstname.lastname@example.org.