GDPR - The Facts & Useful Links
Be compliant, not complacent
The EU General Data Protection Regulation 2016 (the GDPR) came into effect on 25 May 2018. It is designed to protect and empower European citizens with regard to their data privacy, and places greater obligations and sanctions on organisations that process (e.g. obtain, use, store, share and destroy) personal data.
This legislation applies to schools and other organisations that process personal data, and it will continue to do so after the UK leaves the EU. To ensure that the UK data protection framework continues to work effectively once the UK is no longer an EU member, the Government will make appropriate changes to the GDPR and the Data Protection Act 2018 to preserve EU GDPR standards in domestic law; until those changes take place, the EU Withdrawal Act retains the GDPR in UK law.
This legislation is the biggest change in data privacy law in 20 years. Although the Information Commissioner (the UK data protection regulator) has described it as an “evolution…not a revolution” of existing data protection law, it still places significant burdens (in resources and cost) on schools, requiring them to overhaul their existing practices for handling personal data about pupils, parents/carers, staff, governors etc. in order to be compliant.
How does GDPR affect schools?
GDPR is large and complex, so here’s an overview of the key areas which affect schools:
Personal Data Breaches
Notification (Articles 33 and 34)
Under GDPR, schools are legally required to notify the Information Commissioner’s Office (the ICO) of any breach which is likely to result in a risk to the rights and freedoms of individuals, for example where the breach could result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage. In such cases the school must notify the ICO within 72 hours of becoming aware of the breach and carry out a full internal investigation. Where the breach is likely to put individuals at ‘high risk’, the school is also required to inform those individuals as soon as possible.
GDPR introduces significantly higher financial penalties for organisations that fail to comply. Failing to comply with the GDPR could be costly, with fines of up to £17.5 million enforceable by the ICO. The ICO has new powers to levy these fines and is required by law to ensure that they are ‘effective, proportionate and dissuasive’. When considering whether or not to fine, and how much, the ICO will take into account (amongst other things) the:
- nature, gravity and duration of the breach
- number of people affected and the level of damage suffered by them
- intention or negligence of the person or organisation who caused the breach
- actions taken by the organisation to mitigate the damage
- previous breaches suffered by the organisation
- co-operation of the organisation with the ICO during their investigation
- the measures the organisation had in place to protect the data
The GDPR sets out the maximum fines the ICO can issue for particular types of breach. Here are some examples:
Up to £17.5 million:
- breaching any of the data protection principles
- failing to comply with the conditions for obtaining and managing consent
- failing to provide adequate privacy notices
Up to £8.7 million:
- failing to appoint a Data Protection Officer (when required to)
- failing to implement appropriate security controls to protect personal data
- failing to notify the ICO of data breaches likely to result in risks to individuals
In addition to fines for personal data breaches, the GDPR provides individuals with the right to compensation if they suffer damage as a result of a breach involving their personal data. It is therefore imperative that schools review how they handle personal data to ensure it is in line with the GDPR in order to avoid potential fines and compensation claims.
Data Protection Officers
Under the GDPR, schools are legally required to appoint a Data Protection Officer (DPO) for their school; failure to do so could result in a fine of up to £8.7 million (the lower tier set out above). Official guidance states this person should have ‘expertise in national and European data protection laws and practices and an in-depth understanding of the GDPR’ (Article 29 Data Protection Working Party Guidelines).
The Data Protection Officer can be an employee of the school or the school can contract out the post to an external person. The legislation states that the DPO must have the freedom to carry out the role independently and must not have a conflict of interest.
Individuals are given several rights under GDPR. Here is a quick summary of some of them:
Transparency and information (Articles 12-14)
There are new requirements to publish certain types of information in your Privacy Notices, such as the contact details of your Data Protection Officer; the purpose and lawful basis for processing the information you are collecting; how long you intend to keep the data for; who you will share the data with and so on.
Access to personal data (Article 15)
This is known as a Subject Access Request. Under GDPR, this right entitles pupils, parents/carers, staff, governors etc. to receive a copy of the information the school holds on them, free of charge and within one month.
It should be noted, this right does not affect or replace the existing rights for parents/carers of children in maintained schools to access their child’s education record under the Education (Pupil Information) (England) Regulations 2005 within 15 school days.
Rectification and erasure of personal data (Articles 16 and 17)
As under the previous Data Protection Act, individuals are entitled under GDPR to have inaccurate personal data rectified or incomplete information completed.
In addition, individuals are entitled to have their personal data deleted in cases where the data is no longer needed or the individual withdraws consent. This right does not require a school to delete data upon request if the school is complying with a legal obligation in holding it, for example if the school is required under statute to collect and retain the data for a certain length of time.
Object to direct marketing (Article 21)
Parents/carers and pupils have the right not to receive direct marketing which means that schools will have to gain explicit ‘opt in’ consent before sending out marketing material. This will be relevant in cases where schools target parents/guardians for fundraising, advertise their school prospectus or put advertising literature in pupils’ book bags about other organisations!
Most of what schools do does not require consent from parents/guardians or pupils; however, there are some occasions when they must obtain it. For example, if they photograph a school event and publish the images; take pupils on school trips; collect and use biometric information; or send direct marketing material to parents/guardians and pupils. Under the GDPR rules, schools need to demonstrate that consent has been given freely, that it is specific and not general, that the person giving it is fully informed, and that the consent wording is unambiguous.
Schools are required to keep clear records of all consent they obtain and they must inform individuals of their ‘right to withdraw consent’ at the time, and offer easy ways to do this. When obtaining consent directly from children, schools are required to adapt the wording according to the children’s level of understanding.
There are several obligations and duties for schools to fulfil under GDPR, including:
- having appropriate and effective data protection policies, procedures and training;
- assessing the suitability of companies and contractors who process personal data on behalf of the school, and issuing written contracts to them setting out their data protection obligations and restrictions on the use of the data;
- keeping a record of the processing activities of the school eg a description of what personal data is collected, why, how long it is kept for, who it is shared with and the security measures in place to keep it safe;
- implementing technical measures, policies and procedures that ensure data protection compliance is built into everyday practices, which includes only processing personal data if it is absolutely necessary to do so, keeping it for appropriate timeframes and limiting access to it;
- carrying out Data Protection Impact Assessments prior to any processing of personal data which could result in high risks to the rights and freedoms of individuals;
- appointing a Data Protection Officer (employee or a contractor) and involving them in all data protection matters and giving them the appropriate resources and support to keep the school compliant.
What should schools be doing now that the new GDPR is in place?
- Ensure senior management understand the significance and impact of GDPR on your school and seek their ongoing support
- Carry out an annual information audit to identify and record what personal data you hold, where it is held, who you share it with, how long you keep it for and what your lawful basis is for processing it
- Deliver annual GDPR staff awareness training to ALL staff and governors
- Review, update or create policies and procedures which reflect the GDPR changes, particularly in relation to data breach investigation and reporting; privacy notices, obtaining and managing consent and handling requests from individuals exercising their rights.
- Appoint a Data Protection Officer – this person must have expert knowledge of data protection law and practices and be able to fulfil the tasks set out in Article 39 of the GDPR. This person can be an employee or an external contractor.
GDPR Solutions for Schools - Help is at hand!
Babcock LDP have teamed up with an experienced public sector data protection consultancy to offer schools packages which will support you through the GDPR journey, from preparation to post-implementation.
These packages include an experienced Data Protection Officer assigned to your school; GDPR readiness audits with action and recommendations report; staff training; data protection briefings and bulletins; data breach investigation and reporting support and conferences.
We understand schools have tight budgets and in many cases very limited expertise in data protection, so we offer a full range of packages to suit the needs and budgets of different schools.