
GDPR – the facts and useful links

Be compliant, not complacent

The UK General Data Protection Regulation (GDPR) is designed to protect and empower British citizens with regard to their data privacy, and places greater obligations and sanctions on organisations that process (for example obtain, use, store, share and destroy) personal data.

This new legislation is the biggest change in data privacy legislation in 20 years. Although the Information Commissioner (the UK Data Protection Regulator) has stated it is an “evolution…not a revolution” of our current data protection laws, it still creates significant burdens (resource and financial) on schools, requiring them to overhaul their existing practices for handling personal data about pupils, parents and carers, staff and governors in order to be compliant.


How does the UK GDPR affect schools?

GDPR is large and complex, so here’s an overview of the key areas which affect schools:

Personal data breaches

Under UK GDPR, schools are legally required to notify the Information Commissioner’s Office (the ICO) of any breaches which are likely to result in a risk to the rights and freedoms of individuals, for example where the breach could result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage. In such cases, the school must notify the ICO within 72 hours of becoming aware of the breach and carry out a full internal investigation. The school is also required to inform the individuals whose personal data has been put at ‘high risk’ as soon as possible.

Fines

The UK GDPR introduces significantly higher financial penalties for organisations that fail to comply. Failing to comply with the UK GDPR could be costly, with fines of up to £17.5 million being enforced by the ICO. The ICO has new powers to levy these hefty fines and is required by law to ensure that they are ‘effective, proportionate and dissuasive’. When considering whether or not to fine, and how much, the ICO will take into account (amongst other things) the:

  • nature, gravity and duration of the breach
  • number of people affected and the level of damage suffered by them
  • intention or negligence of the person or organisation who caused the breach
  • actions taken by the organisation to mitigate the damage
  • previous breaches suffered by the organisation
  • co-operation of the organisation with the ICO during their investigation
  • measures the organisation had in place to protect the data

The UK GDPR sets out the maximum fines the ICO can issue for particular types of breaches. Here are some examples:

Up to £17.5 million

  • Breaching any of the data protection principles
  • Failing to comply with the conditions for obtaining and managing consent
  • Failing to provide adequate privacy notices

Up to £8.7 million

  • Failing to appoint a Data Protection Officer (when required to)
  • Failing to implement appropriate security controls to protect personal data
  • Failing to notify the ICO of data breaches likely to result in risks to individuals

Compensation

In addition to fines for personal data breaches, the UK GDPR provides individuals with the right to compensation if they suffer damage as a result of a breach involving their personal data. It is therefore imperative that schools review how they handle personal data to ensure it is in line with the UK GDPR in order to avoid potential fines and compensation claims.

Data Protection Officers

Under the UK GDPR, schools are legally required to appoint a Data Protection Officer (DPO) for their school; failure to do so could result in a fine of up to £17.5 million.
The Data Protection Officer can be an employee of the school, or the school can contract out the post to an external person. The legislation states that the DPO must have the freedom to carry out the role independently and must not have a conflict of interest.

Individuals’ rights

Individuals are given several rights under the UK GDPR; here is a quick summary of some of these rights:

Transparency and information

There are new requirements to publish certain types of information in your Privacy Notices, such as the contact details of your Data Protection Officer; the purpose and lawful basis for processing the information you are collecting; how long you intend to keep the data for; and who you will share the data with.

Access to personal data

This is known as a Subject Access Request (SAR or DSAR). Under UK GDPR, this right entitles pupils, parents, carers, staff and governors to receive a copy of the information the school holds on them, free of charge and within one month.
It should be noted that this right does not affect or replace the existing right of parents and carers of children in maintained schools to access their child’s education record under the Education (Pupil Information) (England) Regulations 2005 within 15 school days.

Rectification and erasure of personal data

As with the current Data Protection Act, individuals are entitled under UK GDPR to have inaccurate personal data rectified or incomplete information completed.
In addition, individuals are entitled to have their personal data deleted in cases where the data is no longer needed or the individual withdraws consent. This right does not require a school to delete data upon request if the school is complying with a legal obligation in holding it, for example if the school is required under statute to collect and retain the data for a certain length of time.

Object to direct marketing

Parents, carers and pupils have the right not to receive direct marketing which means that schools will have to gain explicit ‘opt in’ consent before sending out marketing material. This will be relevant in cases where schools target parents and guardians for fundraising, advertise their school prospectus or put advertising literature in pupils’ book bags about other organisations!

Consent

Most of what schools do does not require consent from parents, guardians or pupils; however, there are some occasions when they must obtain it. For example, if they photograph a school event and publish the images; take pupils on school trips; collect and use biometric information; or send direct marketing material to parents, guardians and pupils. Under UK GDPR rules, schools need to demonstrate that consent has been obtained freely, that it is specific and not general, that the person giving it is fully informed and that the consent wording is unambiguous.
Schools are required to keep clear records of all consent they obtain, must inform individuals of their ‘right to withdraw consent’ at the time, and must offer easy ways to do this. When obtaining consent directly from children, schools are required to adapt the wording according to the children’s level of understanding.

Obligations

There are several obligations and duties for schools to fulfil under UK GDPR. These include:

  • having appropriate and effective data protection policies, procedures and training
  • assessing the suitability of companies and contractors who process personal data on behalf of the school, and issuing written contracts to them setting out their data protection obligations and restrictions on the use of the data
  • keeping a record of the processing activities of the school (for example, a description of what personal data is collected, why, how long it is kept for, who it is shared with and the security measures in place to keep it safe)
  • implementing technical measures, policies and procedures that ensure data protection compliance is built into everyday practices, which includes only processing personal data if it is absolutely necessary to do so, keeping it for appropriate timeframes and limiting access to it
  • carrying out Data Protection Impact Assessments prior to any processing of personal data that could result in high risks to the rights and freedoms of people
  • appointing a Data Protection Officer (employee or a contractor) and involving them in all data protection matters and giving them the appropriate resources and support to keep the school compliant.

What should schools be doing now that the UK GDPR is in place?

  • Make sure senior management understand the significance and impact of the UK GDPR on your school and seek their ongoing support
  • Carry out an annual information audit to identify and record what personal data you hold, where, who you share it with, how long you keep it for and what your lawful basis is for processing it
  • Deliver annual UK GDPR staff awareness training to ALL staff and governors
  • Review, update or create policies and procedures which reflect the UK GDPR changes, particularly in relation to data breach investigation and reporting, privacy notices, obtaining and managing consent, and handling requests from individuals exercising their rights
  • Appoint a Data Protection Officer. This person must have expert knowledge of data protection law and practices and be able to fulfil the tasks set out in Article 39 of the GDPR. This person can be an employee or an external contractor.

GDPR solutions for schools – help is at hand!

We can offer schools unique packages which will support you through the GDPR journey, from preparation to post implementation. These packages include:

  • an experienced Data Protection Officer assigned to your school
  • GDPR readiness audits with action and recommendations report
  • staff training
  • data protection briefings and bulletins
  • data breach investigation
  • reporting support
  • conferences.

We understand schools have tight budgets and in many cases very limited expertise in data protection, so we offer a full range of packages to suit the needs and budgets of different schools.
