Data Protection law to be strengthened in 2018: Impact on Schools

18 Apr

Complying with the requirements of the Data Protection Act (DPA) 1998 is daunting. A problem area is managing sensitive personal data. Data on ethnicity, religion, union membership, medical information, special educational needs and disability (SEND) status, looked-after children, assistance or bursary recipients and sexual orientation are classed as sensitive. A school must have an operational need and/or explicit consent to process this data; otherwise it is in contravention of the DPA. Only people who need to use sensitive data for professional purposes may access it. Consequently, such data should be accessible only with a password.

A separate taxing issue is making available to a person all the data the school holds on him or her when s/he requests it, and doing so within one month of the request – part of the Freedom of Information (FoI) Act 2000.

Non-compliance has not led to much trouble so far. In the second half of 2016, only 40 data security incidents in the education sector in England were reported to the Information Commissioner’s Office (ICO). However, very few school staff members are trained in how to comply with the DPA. They will now need to be trained, because the present system of managing data will change when the General Data Protection Regulation (GDPR) comes into force on 25 May 2018. This is European law and will take effect despite Brexit.

Why is this so? In July 1998, when the DPA received Royal Assent, Google had only just taken off and Facebook had not been conceived. Mark Zuckerberg began writing his programme for Facebook as a sophomore at Harvard University only in October 2003.

The GDPR introduces the following requirements.

  1. Consent will need to be explicit and you must have a legal basis for processing the data.
  2. Sensitive personal data (such as ethnicity, religion, teacher union membership, medical information and sexual orientation) will require additional protection.
  3. Legally, a school will be required to notify the Information Commissioner’s Office (ICO) of any data breach.
  4. The scope of the term “personal data” is expanded, so it is now defined as “any information relating to an identified or identifiable natural person”.
  5. There will be much heavier fines for breaches, with two specified tiers of at least £8.5 million or £17 million.
  6. Third-party suppliers that process data for a school (such as parent payment platforms) will be jointly responsible for protecting that data.
  7. Every school must be able to prove compliance, by keeping records of processing activities, training, breaches and impact assessments.
  8. For further guidance, you can read the entire GDPR document here.
  9. Accredited training, advice from professional consultants or firms, and guides to the regulations may be found on the ICO website.

It would be wise for schools to start taking the following action, according to Toks Oladuti, writing in The Times Educational Supplement on 27 January 2017.

(a)        Appoint someone to be responsible for data protection, even though this is not a legal requirement. Such a person should have sufficient seniority at the school and be knowledgeable and/or trained in data protection. He/she must monitor and keep records of compliance, act as the ICO liaison officer and deal with data enquiries.

(b)        Carry out a data audit on all types of personal information held in the different locations – perhaps begin with a questionnaire to staff members.

(c)        For every type of data, ask the following questions.

  • Do we need this information?
  • Is it duplicated?
  • What access controls are there to ensure it is accessible only to the people who need it?
  • Can you log who has accessed and edited it?
  • Can you easily retrieve, edit or delete it on a per-person basis, if you receive a data request?
  • How long will you retain it?
  • In the event of a breach, would you class the information as “low risk” or “high risk”, in terms of damage to the individuals involved?
  • Is consent for holding the data required? If so, has it been obtained?

(d)        Design your data protection by integrating data protection into daily routines.

  • Remove duplication wherever possible.
  • Stop collecting data that the school doesn’t need.
  • Centralise as much data as possible into purpose-built systems, such as a school management information system (MIS).
  • Set clear guidelines for non-centralised and physical data.
  • Encrypt data as protection against potential breaches.
  • Create policies and procedures that set out what everyone should be doing as part of their normal workflows and what they are responsible for.
  • Ensure the school has explicit, opt-in consent where consent is needed.
  • Update your terms and conditions to include data protection contacts and data subject rights procedures.
  • Run a data protection impact assessment before implementing any new data processing activity.
  • Where data are held or processed on the school’s behalf by a third party, ensure that the contract addresses data protection as the school and third party will now have joint responsibility.
  • Set guidelines for managing and using social media platforms.

(e)        Train and raise awareness among all staff members and organise continual professional development on data protection and procedures at least once annually.  Incorporate this into the induction handbook for new staff members. Review and update whenever necessary.

The journey a school is required to make to ensure it is compliant with the GDPR appears to be long and arduous, but, in the words of Confucius, “Longest journey is completed when man/woman decides to take first step.” Make a start and take that step towards protecting the school’s data and preparing for the GDPR.
