From 25th May 2018, the Data Protection Act (DPA) will be replaced by the General Data Protection Regulation (GDPR), meaning that the way you manage all data and information within your school will change.

Stuffing paper into filing cabinets, keeping records and databases of student and staff information, monitoring what's happening day-to-day on the premises through CCTV: today's educational landscape is packed with data. Under current legislation you already have a duty of care to ensure that this data is kept safe and secure. With the GDPR coming into effect you will have an increased responsibility to ensure this information, regardless of what form it is kept in, is managed in the right way and in compliance with the new regulation.

Non-compliance can currently see fines of up to £500,000 imposed by the Information Commissioner's Office (ICO), as well as Ofsted ratings being seriously affected if the correct policies and procedures for data and IT security are not in place. As such, the ICO is urging educational providers to start thinking about the impact the GDPR will have on them and to start putting policies and practices into place ahead of the change.

What does GDPR actually do?

GDPR does a few things:

•      It defines what is meant by ‘personal data’

•      It confers rights on ‘data subjects’

•      It places obligations on ‘data controllers’ and  ‘data processors’

•      It creates principles relating to the processing of personal data

•      It provides for penalties for failure to comply with the above

Who are Data Controllers and Data Processors?

The data controller is the person or organisation which determines the purposes and means of the processing of personal data. In UK education this would be the school itself.

GDPR stipulates that the data controller shall:

“Be responsible for, and able to demonstrate compliance with the principles”

In effect, what this means is that a Data Controller not only has to comply with the six principles of GDPR but must also be able to evidence how they do so.

The data processor is the person or organisation that processes the personal data on behalf of the controller. In the world of education this would be the providers or third-party suppliers.

To comply with GDPR, Data Controllers are obligated to determine:

•      The legal basis for collecting data

•      Which items of personal data to collect

•      The purposes the data is to be used for

•      Which individuals to collect data about

The Six Principles of GDPR

GDPR stipulates six data protection principles that we all have to adhere to when processing personal data to ensure that it is:

1.      Processed fairly, lawfully and in a transparent manner (lawful grounds for processing; fairly telling individuals what you are doing with their information; being clear and transparent)

2.      Collected for specified, explicit and legitimate purposes (why are we doing this, and is there a purpose?)

3.      Adequate, relevant and limited (data is only to be used if it is adequate for and related to the purposes; data minimisation)

4.      Accurate and kept up to date (every reasonable step must be taken to keep data up to date)

5.      Kept no longer than necessary (retention and privacy policies)

6.      Kept with appropriate security (compliance must be demonstrable, including for data processors)

The Lawful Basis for Processing Personal Data

These are set out in Article 6 of the General Data Protection Regulation (GDPR). At least one of these must apply whenever you process personal data:

a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.

b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).

d) Vital interests: the processing is necessary to protect someone’s life.

e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. This cannot apply if you are a public authority processing data to perform your official tasks. Public authorities will need to rely on official functions.

Responsibilities of the Data Protection Officer

DPOs will:

•      Advise the school and its employees of their obligations under relevant data protection law, including the GDPR

•      Monitor compliance with data protection law, by:

       -  Collecting information to identify data processing activities

       -  Analysing and checking the compliance of data processing activities

       -  Informing, advising and issuing recommendations to the school

•      Ensure the school's policies are followed within the school, by:

       -  Assigning responsibilities to staff members

       -  Raising awareness of data protection law, including the GDPR, across the school

       -  Training staff

       -  Conducting internal audits

•      Advise schools of their obligations under data protection law

•      Advise on and assist the school with carrying out data protection impact assessments, if necessary

•      Act as a contact point for the ICO (as the 'supervisory authority'), involving:

       -  Helping the ICO to access documents and information

       -  Seeking advice on data protection issues

•      Act as a contact point for individuals whose data is processed (staff, pupils and parents, for example)

•      Take a risk-based approach to data protection, involving:

       -  Prioritising the higher-risk areas of data protection and focusing on these

       -  Using their common sense to advise the school on whether it should conduct an audit or provide training in certain areas.

Subject Access Request (SAR)

What are subject access requests?

Individuals have the right to access the personal data and supplementary information you hold about them. This allows them to be aware of, and verify the lawfulness of, your processing of this data. This right applies to everyone whose personal data your school holds, including staff, governors, volunteers, parents and pupils.

The new rules: in summary

There are a couple of changes to subject access requests under the General Data Protection Regulation (GDPR), in force from 25 May 2018. In most cases, you:

•      Must provide the information free of charge

•      Must comply within 1 month

•      Should provide the information in a commonly used electronic format, if the request was made electronically

The data protection officer (DPO) will deal with all subject access requests in schools.

Personal Data Breach Requirements

Under the GDPR, schools must have procedures in place to:

•      Detect, report and investigate personal data breaches

•      Assess and report any breaches to the ICO within 72 hours where the individual is likely to suffer some form of damage, e.g. through identity theft or a breach of confidentiality

•      Communicate a breach to the individuals concerned, where appropriate

When reporting a breach, you must set out the nature of the breach, including:

•      Categories and approximate number of people whose data has been breached

•      Categories and approximate number of data records concerned

•      Name and contact details of the data protection officer or other person who can provide more information

•      Likely consequences of the personal data breach

•      Measures you have taken or propose to take to address the breach, including measures to mitigate its effects
