The GDPR – data protection in schools and academies
The EU General Data Protection Regulation 2016 (GDPR) comes into force on 25 May 2018 and replaces the Data Protection Act 1998. The changes introduced by the GDPR amount to the biggest reform of data protection and privacy law in over two decades.
Schools, academies and federations need to be aware of the forthcoming changes because:
- Ofsted will probably continue its policy of heavily criticising schools for data protection breaches under the new legislation.
- Parents are increasingly privacy savvy and expect schools, academies and federations to be rigidly compliant with the relevant legislation.
- Maximum thresholds in respect of breaching data protection legislation are increasing to the greater of €20m or 4% of group annual turnover.
- Individuals can bring compensation claims for breaches through the courts.
This article focusses on the forthcoming reforms to three key areas of data protection law which will affect schools and academies:
- The data protection principles
- The requirement for public bodies and authorities to appoint a data protection officer (DPO)
- The right of subject access
The Data Protection principles
From 25 May 2018, schools, academies and federations will need to be able to demonstrate that they comply with the following data protection principles, which require that personal data is:
- Processed in a lawful, fair and transparent manner
- Collected for specified, explicit and legitimate purposes
- Adequate, relevant and limited to what is necessary
- Accurate, and where necessary, kept up to date
- Kept in a form which enables individuals to be identified for no longer than necessary
- Processed in a manner that ensures appropriate security
There are three key points for schools, academies and federations to take away from the changes to the data protection principles:
- Schools, academies and federations which are already compliant with the existing DPA legislation are well placed to update their practices to comply with the GDPR
- The requirement of the first principle that data is processed in a ‘lawful’ and ‘transparent’ manner means schools’ and academies’ privacy policies and certain supplier contracts need to be reviewed and brought up to spec: the GDPR sets out a number of new, mandatory requirements for these legal documents
- The new data protection principles mean schools, academies and federations will need to have a better understanding than ever before of what data they hold, why they hold that data and who has access to it.
Data Protection Officers
Under the GDPR, ‘any public body or authority’ is required to appoint a DPO, but there is no clear-cut guidance as to which institutions qualify as such. Until further guidance is published on this point, all academies (federations and schools which are already subject to Freedom of Information Act legislation) should assume they will be required to appoint a DPO.
Whilst many schools have already appointed a ‘data protection compliance manager’ or similar, under GDPR, the DPO receives protected employment status and must:
- Be suitably qualified, and an expert in data protection law
- Be able to carry out the role independently
- Report to the highest level of management
The DPO can either be engaged as an employee or a sub-contractor, and one DPO can act as the DPO for a number of public bodies.
The rights of individuals
Schools and academies will already be familiar with the right of subject access. This right is changing slightly under the GDPR: a charge can no longer be made for responding to a subject access request (unless particular circumstances apply) and the time for responding to a subject access request is being reduced from 40 days to one calendar month.
The GDPR also grants individuals other additional rights which are outside the scope of this article.
What should schools, federations and academies be doing to prepare?
Schools and academies should:
- Start a ‘data-mapping’ exercise: understanding what personal data is collected from students, parents, employees and management, as well as what that personal data is being used for, is a vital first step.
- Start discussions with governors to determine: (a) how you will demonstrate that you comply with the data protection principles; and (b) whether a DPO needs to be appointed (and if so, build this into your budgets for next year)
- Review your existing policies and training to ensure you are ready to comply with the changes to subject access and other rights granted to individuals under the GDPR.
If you are interested in hearing more about the forthcoming changes, please get in touch with Robert Healey.
I am also providing training seminars on the GDPR to schools, academies and federations in the near future. I also have the facility to hold the post of consultant DPO for individual schools, academies and federations.