The General Data Protection Regulation (GDPR) is a major overhaul of EU data protection law. Businesses and organisations (including schools) have until 25th May 2018 to comply. What does this mean for your school or Trust, and what must be done to comply with the new rules?
In order to understand how GDPR impacts your school, it is best to start with the main points of the new 88-page law:
Clear and concise consent to use data
First and foremost, if you rely on consent as your reason for holding data on an individual, you must be able to demonstrate that consent was freely given, specific, informed and unambiguous. A request for consent must be clearly distinguishable from other matters and presented in an intelligible and easily accessible form, using clear and plain language. Pre-ticked boxes and silence do not count as consent, and individuals must be able to withdraw consent as easily as they gave it. Consent is only one of six lawful bases for processing (see below), so do not assume it is the one your school needs.
Trace and delete
Every individual whose data you hold has the right to ask for, and receive, a copy of all the personal data you hold about them, from A-level results to e-mail addresses, normally free of charge and within one month. They also have the right to ask you to delete the data, the “right to erasure”. This right is not absolute: you can refuse where you still need the data to comply with a legal obligation (for example statutory pupil records) or for another lawful purpose, but you must explain why.
72 hours to notify of a data breach
If you experience a personal data breach (loss, theft, unauthorised access or accidental disclosure of personal data), you have 72 hours from the moment you become aware of it to notify the Information Commissioner’s Office (ICO), unless the breach is unlikely to result in a risk to the individuals concerned. Where the breach is likely to result in a high risk to individuals (for example leaked safeguarding records), you must also tell the affected individuals directly, without undue delay. Every breach, reported or not, must be recorded internally.
Data Protection Officers
A Data Protection Officer (DPO) must be appointed by all public authorities, which includes maintained schools and academies, and by any organisation whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special category (sensitive) personal data. The DPO must have expert knowledge of data protection law and practice but need not hold a formal qualification; the role can be filled by an existing member of staff (provided there is no conflict of interest with their other duties) or by an external contractor, and a Trust or group of schools may share a single DPO. Note that there is no 250-employee threshold for the DPO requirement; that figure relates to the separate duty to keep written records of processing activities.
Data Portability
Data portability allows individuals to obtain the personal data they have provided to you in a structured, commonly used, machine-readable format, and to reuse it for their own purposes or have it transferred to another organisation or IT platform. It applies only to data processed by automated means on the basis of consent or a contract.
What about historic data?
This is the big question! It is particularly relevant to schools and alumni associations that hold information about past pupils and must now be able to point to a lawful basis for continuing to process that data. If consent is the basis you intend to rely on, it must meet the GDPR standard; consent gathered years ago by default or by silence will not. Simply put, there are three options:
- Delete – Delete all of the data that you hold using the proper channels, including backups and paper copies, and record that you have done so.
- Make the data unlinkable – If you are not actively using the data but are simply archiving it, either anonymise it so that it no longer identifies individuals (truly anonymised data falls outside GDPR altogether), or keep it securely archived with access restricted to those who need it.
- Transform the data – Reconnect with everyone whose data you already hold to obtain clear and concise consent to use it, and record when and how that consent was given.
However, there are five other lawful bases for processing data (which includes storing it) in addition to consent that may be relevant: contract, legal obligation, vital interests, public task and legitimate interests. In terms of storing data, it is likely that “legitimate interests” may be a sufficient legal basis for schools and their alumni associations. One caveat: public authorities cannot rely on legitimate interests for processing carried out in the performance of their public tasks, so a school that is a public authority should consider whether alumni relations fall outside its public task before relying on this basis, and should document the balancing test it has carried out. The jury’s out on this at present but we will endeavour to provide an update when the situation becomes clearer.
The opportunity to transform the data
It may be feasible for you to take the opportunity to reach out and solidify contact with the school’s community: parents, alumni, governors, neighbours and other stakeholders. You have until 25 May to use the data you have to contact people and gain consent. Bear in mind that an e-mail or text sent to ask for consent is itself a marketing message under the Privacy and Electronic Communications Regulations (PECR), so you need an existing basis to send it; where you have none, a letter or a request made at an event is safer. Many will be pleased to hear from you and reassured that they are going to continue receiving communications.
Whilst researching for this blog, we came across much contradictory advice and information. Through it all, though, was an overriding message that if you are aware of the changes that come into play with GDPR, have conducted an audit of your school’s data practices and key members of leadership staff are able to effectively communicate relevant messaging to both teaching and support staff, then you are not likely to face the threatened heavy fines*.
We have found the following resources useful, with school specific information:
Department for Education – a useful film for schools
Information Commissioner’s Office – Introduction to GDPR
Information Commissioner’s Office – General Data Protection Regulation (GDPR) FAQs for the education sector
TES.com – GDPR for schools: how will the new data regulations affect my school?
Gov.uk Teaching Blog – General Data Protection Regulation: Evolution or Revolution for Schools?
Gov.uk Teaching Blog – Twelve steps to take now, or twelve steps to take then?
GDPR In Schools – Frequently Asked Questions
There is an expectation that recommended practice for schools in relation to GDPR will become much clearer after the implementation date of 25 May 2018. In the meantime, swot up on expectations, refresh your privacy policy, get on with your data mapping (what personal data you hold, where it is, why you hold it and who it is shared with) and talk to staff to raise awareness of data security.
* Disclaimer – Smarter Reach Ltd does not specialise in GDPR changes and associated law so cannot be held responsible for any actions taken as a result of reading this blog post. Schools and other organisations are advised to seek specialist advice.