The UK Department for Education recently issued a document “Data protection: a toolkit for schools”. It clarifies many issues that have been raised since the GDPR (and the UK’s Data Protection Act 2018) became relevant. Below is a brief summary of this somewhat lengthy but important document; readers are strongly encouraged to consult the original document here.
Top Tip – The DfE document contains various references, samples and templates which are relevant to schools.
Top Tip – A smart way to engage people is to link data protection to safeguarding children (and child protection). In this way, all stakeholders should see that data protection matters in the context of pupil welfare. The DfE has compiled this introductory video.
The ultimate responsibility and accountability for compliance sits with governors and trustees and they are an important support mechanism for the DPO. Ensure that you have the right communications, at the right time, to the right people – e.g. staff (general awareness), staff with specific roles (access management and data protection responsibilities), senior leadership (sufficient awareness to provide assurance to governors) etc.
Top Tips – Always ask: “Does it involve personal data?” Include your team members in this exercise. Some of this information (where data is stored, the security measures and confirmation that there is no onward sharing) may have to be obtained through conversations with your suppliers.
Gain a high-level overview by understanding:
Where the personal data comes from – e.g. pupils, parents, local authority, recruitment agencies, social services, healthcare, law enforcement, from a third-party supplier’s system.
How and where personal data is created and used in the school – e.g. admissions, MIS, data integrator software, curriculum tools, payment systems, virtual learning environments, catering, safeguarding, CCTV, trips and transport, identity management, photos, communications, social care, workforce systems, physical storage.
Who the personal data might be passed on to – e.g. students and parents, pupil’s next school, local authority, DfE, a supplier.
In other words, the reasons why you process personal data and what makes the processing lawful.
Top Tips – Look at how and where personal data is created and used in the school. Define your processing purposes so that they are not vague to your data subjects; but remember that being overly descriptive or steeped in legal jargon may also prove distracting and non-informative. Identify which is personal data and which data falls under special categories. In order to lawfully process special category data, you must identify both a lawful basis under Article 6 and a separate condition for processing special category data under Article 9. These do not have to be linked in any way.
With regard to pupils, first ask yourself: “Am I required by law to process this data?”
DfE data returns, such as the school census (with some exceptions where parents are given the option to self-declare or refuse in the census), and certain responsibilities to return data to the local authority mean that compliance with a legal obligation is your lawful basis, and that your condition for processing the special category data within those returns is that processing is necessary for reasons of substantial public interest.
If not, then ask yourself “Do I need to process this data in order to safely and effectively run my school?”
If ‘yes’, then the lawful basis of ‘task carried out in the public interest’ may well apply, and again, the ‘public task’ condition may well apply where the data items are special category data. An appropriate condition from each of Articles 6 and 9 of the GDPR needs to be identified. Remember, the law does not prevent information about children being shared with specific authorities if it is for the purposes of safeguarding. Information that could be relevant to keeping a child safe should be shared so that informed decisions can be made about a child’s welfare.
Where neither of the above applies, it is likely you will require the specific ‘consent’ of the data subject. Examples could include consent to use biometric data or a pupil’s characteristics in census data, consent to use photos in a school magazine, gaining opt-in to send non-school marketing material, and gaining consent to keep personal data of former pupils to send non-school marketing material.
Of course, most workforce personal data processing may well be covered by ‘performance of a contract’ or ‘in order to take steps prior to a contract’. Or in the case of special categories, ‘in the field of employment law’.
Personal Data Retention
How long can or should you hang on to personal data?
Top Tips – You must be able to justify why you are holding on to personal data. Engage the people who actually use the data – they probably have a deeper understanding of requirements for retention. Incorporate your personal data retention schedule into the school’s overall retention framework. The DfE document contains the relevant templates.
Through the principle of storage limitation, personal data should be kept for no longer than is necessary for the purpose for which the data are processed. Implement policies, as well as technical and organisational measures, to adequately prove (through evidence) that you adhere to, and comply with, the storage limitation principle. It is important to understand that you cannot easily think about data retention at the most detailed level of individual data items – it is the context in which they are being applied that is relevant.
Data retention does not have to be ‘all or nothing’ – as data becomes older, there are steps that schools can take to retain the power of pupil level data for analytical purposes, without the need to keep detail such as name and full address – in other words, reducing its sensitivity.
You may discover that the same sets of data could be held for different time periods because of different processing purposes and lawful bases. So, it would make sense to group your data items by areas of activity, as suggested in the earlier section on data mapping. Then, think about 4 periods of data retention:
One month after the event about which you create data is active, in order to ensure any ‘loose ends’ are tied up.
One year after the pupil to whom the data relates is at your school, in order to ensure smooth ‘handover’ activity related to the child is passed on to a subsequent school.
For 5 years after a pupil has left your school, to support longer term but detailed analysis of progress, attainment, support for different pupil groups etc. Reducing the sensitivity of data is particularly relevant here.
Long term, until the child is 25 years of age or older, for instances where detailed information about activities in school may form an important part of safeguarding for that individual.
When setting a data retention policy, consider the questions outlined in the DfE’s document.
Reassurance and Risks
Top Tips – Minimisation is a key factor. Minimise the amount of personal data that is needed for each purpose. Minimise the number of people who need access to personal data.
Proper data mapping can help you identify and mitigate areas of risk. Look out for things such as:
Purposes which may have to be associated with a different lawful basis;
Consent mechanisms which may need updating;
Retention periods which may have to be tweaked;
Areas where excessive personal data is being collected;
Personal data that will require deletion (based on retention periods);
Processing contracts or sharing agreements which may need to be updated;
Whether the systems used in onward sharing of data can demonstrate exactly what personal data is being shared;
Whether the systems you use are able to implement your personal data retention policies. If not, then it is the system that should adapt to meet your needs, not your data retention policies being compromised to meet any limitations of a system;
Fresh publishing of privacy notices;
Workforce training and awareness.
Your Data Protection Officer
Top Tips – It is crucial that the DPO, or his/her team, is involved from the earliest stage possible in all issues relating to data protection. Share the DPO function between a group of schools, or share expertise by being the DPOs for each other’s school. The DfE document contains a useful Data Protection Impact Assessment template.
As a data controller, each school must designate a named DPO in order to comply with the new legislation. Currently, schools have leads on data protection but very often they either are, or work very closely with, the person who has established the ecosystem. The new legislation encourages a degree of separation between those in charge of the ecosystem and the DPO role. The DPO needs to be:
Highly knowledgeable about data protection, GDPR, the school’s operations, technology and security
Well placed to promote a data protection culture within a school
The DPO role involves advising school leadership and staff about their data obligations, monitoring compliance, including managing internal data protection activities, training, and conducting internal audits. The DPO will also need to advise on when data protection impact assessments are required, and be available for data protection enquiries from parents and pupils. Additionally, they need to be able to report directly to the board and be the point of contact for communication with the Information Commissioner.
Communicate with Data Subjects
Top Tips – Understand that there will be times where you need to have privacy notices directed specifically at pupils and not just parents. Educate your staff to recognise and respond to data subject access requests. Inform parents and pupils upfront of possible delays in responses to their requests during the school holidays.
Keep Data Protection Alive
Top Tips – In addition to the right policies, procedures, and processes, you must ensure all contracts and agreements (controller to controller or controller to processor) are compliant with data protection law. Consider taking advantage of the ICO advisory audits. You will benefit from the data protection knowledge and experience of the ICO’s audit team at no expense. It is good practice to record and investigate every data breach, however small.
Note that a generic processor contract, data sharing agreement or data protection amendment may not be adequate for the school environment. The DfE document contains important guidance and templates to this effect.
Operationalising the safe use of data on an ongoing basis requires a strong combination of safe people, safe technology, and safe processes. As such, ensuring that your school complies with the legislation requires looking across a wide number of policies that are used in schools today.
Typically, these policies will include:
Privacy Notice – Pupils
Privacy Notice – Employees
Data Protection Policy
Data Retention Policy/Schedule
IT and Communications Systems Policy
Code of Conduct
Child Protection Policy (the DfE has asked the local safeguarding board to review this)
Business Continuity Policy
Acceptable Use Policy: Employees
Acceptable Use Policy: Pupils
Acceptable Use Policy: Governors
Data Breach Policy
The content herein is provided for your convenience and does not constitute legal advice.
Compliance Technology Solutions B.V. 2018