There’s no two ways about it – ensuring we as teachers comply with the regulations of the Data Protection Act is a serious matter. Surprisingly only a fifth of schools know that there has been reform on the Data Protection Act 1998 and schools have just until May 2018 to get compliant. Experts have said that the new rules constitute the biggest change to how personal information should be processed in the last 25 years. It has always been a shock to me when I visit schools and people don’t know who the ‘data controller’ is. Data should be something that all school leaders have a very serious handle on.
For the avoidance of doubt, there are fines attached to non-compliance, and with the new regulations the maximum fine for certain data breaches in the UK will rise from £500,000 to €20 million (or 4% of your annual turnover, whichever is the greater).
Whilst that all sounds a bit scary, it is important to note that the GDPR (General Data Protection Regulation) is very similar to the current regulations, so if you have a handle on those then you are very likely to be able to transition to the GDPR more easily.
The GDPR does, however, introduce a step change in data protection legislation. The new legislation is designed to deal with the challenges of the online world and the data flows that occur in it. The GDPR enhances existing rights and gives new rights. It puts greater obligations on data controllers, who will now have to take further steps to demonstrate their accountability under the new regulations.
Some areas you may need to consider include:
- IT systems
- Personnel changes
The ICO (Information Commissioner's Office) has given lots of guidance and support around the GDPR, and the steps it recommends preparing for include:
- Considering the personal information you hold
- Communicating privacy notices
- Individuals’ rights
- Data subject access requests (you will no longer be able to charge for these)
- Legal basis for processing
- Review of consent – unambiguous and explicit
- Children and handling their data – parental consent changes, potentially to age 13. Consent must also be verifiable, i.e. it should be on record, audited and able to be produced upon request
- Preparing for data breaches
- Data protection by design
- Data protection officers
More explanation of these steps can be found in this video from the ICO:
The following video which focuses specifically on GDPR and how it will impact upon schools is particularly useful:
As mentioned in my list above, the GDPR has new provisions designed to strengthen the protection of children’s personal data. This includes ensuring that the privacy notices mentioned above are written in a clear way which a child would understand.
The GDPR also states that parental/guardian consent for access to online services is required. It will be important to find out whether the online services you use are handling your children's data correctly. Parental consent will not, however, be required where processing of that data relates to services such as counselling for the child. It will be important that you check whether or not your third party suppliers (and this could be anything from IT systems to the apps used on devices in your school that process personal data) are GDPR compliant. Chances are that your third party suppliers won’t be compliant yet, as the deadline is May 2018 and, like you, many are still working towards compliance. You should, however, be making sure that they are working towards that compliance, and keeping an audit record of your having checked too. If your third party suppliers are not GDPR compliant then you will need to take steps to ensure compliance in relation to your data subjects.
There are lots of resources available to help you, such as the videos above. The ICO has also provided lots of resources to help:
The following link has some great blog posts from the ICO too on GDPR myths.
I also highly recommend watching this video from Tony Sheppard.
If you’d like some advice around GDPR and how you can tackle it in your school, then please get in touch.