Finding the time, resources and let’s face it, inclination, to implement measures to comply with the Data Protection Act 1998 (DPA) isn’t easy. With enforcement on the increase, here are 6 things you can do to get started.
1. Get Armoured
The DPA requires the school, as “Data Controller”, to take technical and organisational steps to keep personal data secure. Technical security is complex and constantly evolving, and unless there is an ongoing dialogue between your IT Manager and the person in school responsible for data protection compliance, it will be an impossible task. If we had to recommend one single technical security step it would be encryption of all computing devices (computers, laptops, smartphones, tablets, USB memory sticks, etc.). This should apply regardless of whether the device is owned by the school or by another person.
2. Staff Training
The DPA requires the school to take reasonable steps to ensure that all staff who handle personal data are “reliable”. This implies staff data protection training. Remember to include teaching, non-teaching and peripatetic staff, and Governors. We recommend basic training on induction and a minimum of 2 hours of refresher training at least biennially. Keep a record of who received training (and who did not) and deploy sweep-up sessions for “non-attenders”.
3. School Data Protection Policy
Having a Data Protection Policy is one of the quickest wins to help meet your statutory obligations. Not only will it help staff to understand what they should (and shouldn’t) do to protect personal data, it is also something that the ICO looks for when investigating a breach. We recommend having separate Policies for Pupils/Parents and for Staff. However, if you don’t monitor compliance, or turn a “blind eye” to instances where the Policy is ignored, then a Policy will provide little or no protection from enforcement action.
4. Getting Consent
When the school relies upon consent in order to be able to handle pupil personal data (e.g. to publish a pupil image on the school website), that consent must have been freely given and fully informed. The gold standard is Opt-in consent, i.e. where parents are given a full explanation of how the data will be used and invited to affirm their consent by signing a form or ticking a box. However, many schools use Opt-out consent, i.e. where parents are notified that data will be used for certain purposes unless they formally object (opt out). Under current law, Opt-out consent remains acceptable in many cases provided parents have been given a clear and specific explanation of all the ways in which their data will be used. The more unusual or unexpected the purpose (such as use in social networking services to promote the school), the stronger the argument for Opt-in consent.
5. Marketing and Fundraising
Most schools use parents’ details for marketing and fundraising purposes. It could be an email promoting a fundraiser or a telephone campaign from an Alumni Association. In some cases the school will transfer personal data to a separate organisation specifically set up to maintain relationships between past pupils and the school community. Under the DPA, individuals have the right to object to direct marketing at any time, so you should be prepared to act on these objections within a reasonable time.
In addition, the lesser-known but highly relevant Privacy and Electronic Communications (EC) Regulations 2003 (PECR) also restrict the way in which the school can carry out unsolicited direct marketing by electronic means, e.g. telephone and email marketing. In very general terms, unless an exemption applies, the school will need to obtain consent before it sends unsolicited email marketing to parents. The standard of consent under PECR is generally accepted to be much higher than under the DPA, so Opt-in consent is recommended.
6. Wealth Profiling
“Wealth profiling” usually involves the school gathering wealth intelligence relating to certain individuals (often parents or alumni), such as wealth band, liquid assets, shareholdings, investments, etc., in order to identify potential donors and to enhance the school’s fundraising capabilities. The intelligence might come from the individuals themselves, but sometimes also from public sources or purchased from private organisations. To be DPA compliant, the school should conduct this exercise in a fair and transparent way and, where necessary, obtain the relevant consents before doing it. In reality most schools do not obtain Opt-in consent from individuals. However, at the very least, parents should be told that their information may be used for these purposes and that information about them may be obtained from other sources. Suitable places to include this message are the Parent Contract, a Privacy Notice or the Data Protection Policy.