The world has changed significantly since the Data Protection Act (DPA) was introduced in 1998. UK schools have gone from a mere 800,000 computers to several million now; schools communicate with parents, staff and pupils by text, email, Twitter and so on; and tablets and smartphones have been adopted on a huge scale. All of these have combined to create a very different environment for data.
Given this transformation to the data landscape, the rules required an overhaul.
So, what is the General Data Protection Regulation (GDPR)?
GDPR does a few things:
- It defines what is meant by ‘personal data’
- It confers rights on ‘data subjects’
- It places obligations on ‘data controllers’ and ‘data processors’
- It creates principles relating to the processing of personal data
- It provides for penalties for failure to comply with the above.
Note that this relates to any personal data processed using computers, as well as personal data contained within any kind of filing system, including paper.
I’ve heard there are massive fines, right?
Firstly, it is worth clearing up some misconceptions about the fines being discussed. Yes, GDPR does provide potential for increased penalties, but these are for major breaches which affect large numbers of data subjects and which could cause huge issues for those affected. Maximum fines (up to €20m) will be issued no more frequently than is currently the case under the DPA.
What Rights Do Data Subjects Have?
Data subjects – the living individuals to whom the personal data being processed relates – have the following rights under GDPR:
- The right to be informed – they must be told what data is used, why and for what purpose
- The right of access – they are allowed to see what data of theirs is processed upon request
- The right of rectification – if their data is wrong, it must be corrected
- The right to erasure – they can demand that all their data is erased
- The right to data portability – they can decide to move their data to another processor, and you must supply the data to that processor
- The right to object – they can object to your use of their data and you must stop using it unless you have an overriding legitimate reason to continue
- Rights in relation to automated decision-making or profiling – they can demand that automated decisions about them are reviewed by a human.
Who Are Data Controllers and Data Processors?
The Data Controller is the person or organisation which determines the purposes and means of the processing of personal data. In UK education, this would be the school (Scotland is an exception, where the controller is the local authority).
The Data Processor is the person or organisation which processes the personal data on behalf of the controller. Examples in education would be the MIS provider, cashless catering supplier etc.
What Obligations Do Controllers and Processors Have?
To comply with GDPR, Data Controllers must determine:
- The legal basis for collecting data
- Which items of personal data to collect
- The purpose(s) the data is to be used for
- Which individuals to collect data about
- Whether to disclose the data and, if so, to whom
- Whether subject access and other individuals’ rights apply
- How long to retain the data.
Data Processors must set out, in a legal contract, obligations which ensure that they:
- Process the personal data only on documented instructions from the controller
- Ensure their staff involved in processing the data observe confidentiality
- Take appropriate security measures to protect the data
- Help the Data Controller by using appropriate technical and organisational measures
- Help the controller to ensure compliance
- Return or delete all the data at the end of the contract
- Provide the controller with all information necessary to demonstrate compliance.
Schools can no longer merely sign a supplier’s order form – they need a legally binding contract that stipulates all the above or they are not legally allowed to use the processor.
The Six ‘Principles’ Of GDPR
A Data Controller must comply with ‘the six principles’ of GDPR and evidence how they do so. The principles are that data must be:
- Processed fairly, lawfully and in a transparent manner
- Used for specified, explicit and legitimate purposes
- Used in a way that is adequate, relevant and limited
- Accurate and kept up-to-date
- Kept no longer than is necessary
- Processed in a manner that ensures appropriate security of the data.
So, how will GDPR affect schools?
There are a few key changes that schools need to be aware of and ensure they comply with:
- The need to identify and record the legal basis for processing data before it is processed
- Consent conditions have been strengthened
- Data breaches must be notified to the ICO within 72 hours
- Individuals have an increased right of access to their data and its use
- The ‘right to be forgotten’, also known as ‘data erasure’
- Accountability for data controllers
- ‘Privacy by design’ will become a legal requirement under GDPR
- Data Protection Officers need to be appointed.
GDPR represents an ‘evolution’ rather than a ‘revolution’ – it’s an opportunity to review your current practices and update them so that any personal data you hold is looked after adequately.
There is plenty to be done, but if your staff have undertaken GDPR training, you keep good records of your arrangements with suppliers, conduct data protection impact assessments and take thorough risk-minimisation measures, you’ll be well on your way to compliance.
To support schools in their journey towards compliance, Groupcall is running CPD-certified GDPR training courses across the UK. To find out more and register for a training course near you, visit www.groupcall.com/gdpr-training.
Ensuring Compliance with GDPR in Schools (GDPRiS)
Groupcall has partnered with GDPRiS – a complete data protection management solution specifically developed for schools. It documents data flows, helps map and audit personal data and prompts the use of Self-Assessment Questionnaires (SAQs), helping school staff reach a new level of data protection understanding. For more information, visit www.groupcall.com/gdpris.