General Data Protection Regulation/ new UK Data Protection Law

A brief guide for schools

New legislation governing data protection, you must be compliant by 25th May 2018.

A list of actions to take is included at the end of this document.
You should start identifying the necessary tasks now.

The regulation (GDPR) updates an earlier EU Directive which forms the basis of the Data Protection Act 1998 (DPA). Brexit will make no difference to this as it will be established in our law before then and will be incorporated into UK law as part of the new Data Protection law announced in the Queen’s Speech and due to be presented to Parliament in early September 2017.

GDPR marks a natural evolution from the DPA, it incorporates most of the same principles of lawful processing, but also:

  1. takes account of new ways of identifying an individual (biometric data; genetic material; location data; IP address and social media identity are all now included as personal data)
  2. regulates the use of personal data for commercial or campaigning purposes using profiling; targeted advertising; strengthens the law on unsolicited contact.

The Information Commissioner’s Office (ICO) will remain the Regulator or Supervisory Authority for how organisations handle personal data under the new law. The ICO will investigate data breaches and can impose substantial monetary penalties (fines) for failures to comply with a number of new requirements not just data loss.

Schools should consider what is appropriate for their circumstance and their processing. The security or systems required to manage personal data in a large secondary school may be different to that in a small primary school but everyone needs to ensure they have thought about their specific activities, data risks and responsibilities.

  1. Principles of Lawful Processing

Extract from Article 5 of the Regulation is given in full below.

Personal data shall be:

(a) / processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
(b) / collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; (‘purpose limitation’);
(c) / adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
(d) / accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
(e) / kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; (‘storage limitation’);
(f) / processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

2.The controller shall be responsible for, and be able to demonstrate compliance with, paragraph1 (‘accountability’).

  1. Rights of Data Subjects – responsibilities of Data Controllers

Establishing and protecting the rights of Data Subjects (people whose data is collected or used) are the focus of much of GDPR. Data Controllers (organisations who collect and decide how data is to be used, e.g. schools; councils; Police; Health authorities; companies; charities) need to be clear about why they are collecting data because the rights vary according to the basis for holding the data. In all cases they should be as open and transparent about the use they make of data they collect.

  • Collecting, storing and using data to fulfil a statutory duty or a contract with the data subject are still valid reasons to processpersonal data e.g.
  • Maintaining school admission and attendance registers is a legal requirement as is reporting a safeguarding concern for a child or adult;
  • Providing a school meal which excludes foods the child has an allergy to would be part of a contractual requirement.
  • Using data to protect the vital interests of someone is lawful (sharing medical information with a paramedic or first aider during an incident) This includes for example the vital interests of a member of staff who is making contact, meeting or working with a parent or carer who is known to be violent, they should be informed so they can effectively asses any risk to themselves.
  • Consent is necessary where there is no statutory or contractual reason to process data or to share it for other reasons.
  • Consent must be explicit and informed. This means you cannot assume or infer someone has consented. Consent should be indicated in clear affirmative action – a signature or a tick box.
  • It is NOT acceptable to have an opt–out box at the end of a long list of terms and conditions and a statement that unless the opt-out is completed opt-in is assumed.
  • Where you rely on consent:
  • Privacy Notices must be clear and allow people to refuse consent for some elements e.g. you may share my data with Health organisations but not with a commercial organisation.
  • Privacy Notices should also be clear about the effects of refusing consent. E.g. if we can’t pass your child’s details to the company who run our after school activities your child won’t be able to participate.
  • Data subjects will have the right to object to some processing, especially where consent is required. They will still have the right to have inaccurate factual information corrected (e.g. Date of Birth) or to record where they disagree with a statement (e.g. where a professional has given a diagnosis which a parent doesn’t accept)
  • Data subjects will have the right to an electronic copy of their personal data such as the records you hold about them(see Subject Access Request below) if the data is held electronically.
  • Data Portability gives the right to ensure data moves with the child (except where the original school has a statutory obligation to hold it)

End of Subject Access Request charges

It will no longer be permissible to routinely charge for complying with a Subject Access Request. However, it will be possible to charge a reasonable fee for additional requests for the same material, voluminous or excessive requests –which means that the fee must be based on the administrative cost of providing the information.

Childrenand e-safety

The law aims to offer greater protection to children under 13 especially where they are the target of web services. Service providers such as Facebook will need to make greater efforts to get parental consent or acknowledgement that the child is the age stated and provide a suitably simple Privacy Notice.

This may apply to some of the websites you direct childrenand parents to for learning activities, if they have a sign-in or want to use location data or some tracking cookies.

NB This does not apply to a secure area of a school website intended for communications between staff and pupils who attend the school and their parents.

  1. Tighter timescales

Time periods for responding to Subject Access Requests (when someone asks for the data you hold about them) are changing, for most requests this will be a shorter time e.g. one month, for complex requests additional time will be available. Both these things are still awaiting clearer definition.

This also applies to requests for:

  • rectification of inaccurate data;
  • erasure;
  • restriction of processing
  • data portability;
  • objections to automated processing
  1. Data Protection by Design and by Default - new systems and services

The regulation expects that any new system for holding or collecting personal data; new service or shared arrangement which requires processing personal data; even policy making decisions should be planned and implemented with the privacy of individuals and the security of their data as integral to how it operates and not something bolted on afterwards.

Data Protection Impact Assessments or Privacy Impact Assessments are fundamental to getting your thinking in the right order when planning changes. It is vital an impact assessment is carried out where you are processing sensitive personal data and failure to carry one out can result in a monetary penalty. Because Privacy Impact Assessments have been good practice for some time there is guidance available on the ICO’s website

Where there is a significant risk to personal data which you cannot mitigate with technical security the ICO will need to be informed before you proceed.

  1. Dealing with PersonalData Breaches

The rules aroundnotification have also changed.

In line with the aim of improved transparency data subjects should be informed,without undue delay, if their data is disclosed to a third party and this is likely to result in high risk to their rights and freedoms; for example where personal data would make someone vulnerable to identity theft or open to discrimination or abuse.

The harm should be considered regardless of how the data loss occurred, malicious or unintentional; for example theft or hacking or human error such as letters sent to old postal or email addresses and files left on the bus.

The ICO should be informed within 72 hours if personal data is breached except where thebreach is unlikely to result in a risk to the rights and freedoms of people affected e.g. a laptop is stolen but its contents are fully encrypted.

Schools will need to ensure they have a simple in-house process for recording breaches as they occur, identifying if notification is required and recording any action they have taken to mitigate the effects of the data loss for the data subject.

The Regulation also allows people who have suffered harm as a result of loss or misuse of their data to seek compensation so it is important to take action as swiftly as possible. Encourage a culture of openness around reporting incidents and concerns.

  1. Data Protection Officer

Schools will be among the data controllers that will need to appoint a Data Protection Officer (DPO), who will be the nominated contact for data subjects and the Information Commissioners Office on all matters to do with personal data – reporting breaches; complaints about personal data handling within the school etc.
Not having a DPO if you are required to can result in a monetary penalty.

The guidance indicates this post should be a reasonably senior role within the management of the school but with an understanding of the requirements of the new law and of the type of data processing which goes on in schools and avoiding conflicts of interest with things like decision-making on systems which process personal data. They do not have to be individually named on a website but details of how to contact them will need to be published there. Schools may want to set up an email address and in-box which is monitored daily during term-time to ensure they can meet relevant timescales.

  1. Bigger fines - more offences

Much of hype around GDPR has been that at their maximum fines of £17,000,000 or 4% of previous year’s turnover for companies apply. While this is true, the fines also have a more complex two-tier structure, with some breaches attracting a maximum penalty which is set at half of this level.

The ICO has now gone on record to say that they do not envisage this very large fines being applied at the outset. Furthermore the ICO does still have a range of lower level sanctions which can beapplied, such as requiring the head of an organisation to sign an undertaking to improve practice. however publicly funded bodies like schools will still find even a fine of £100,000 which is common at current levels, will create a severe impact on budgets. Schools should do all they can to prevent incurring a monetary penalty.Putting your head in the sand and ignoring the changes is the worst thing you can do.

Breaches which can incur a monetary at the lower level (max. £8,5m) include:

  1. Not getting required [parental] consents when targeting web services at children below 13
  2. Identifiable processing where this isn’t necessary or is no longer necessary.
  3. Not implementing Privacy by design and default (see also 10 below)
  4. Not ensuring a data processor working for you has appropriate technical and organisation safeguards in place proportionate to the data processed.
  5. Not maintaining a record of all your processing activities with the specified information.
  6. Not co-operating with the ICO [Supervisory Authority] where required.
  7. Insufficient technical and organisation measures in place to ensure the security of and of personal data.
  8. Failure to notify a notifiable breach to the ICO.
  9. Failure to notify a Data Subject of a breach where notifiable.
  10. Failure to conduct a Data Protection Impact Assessment (DPIA).
  11. Failure to consult ICO where a DPIAindicates a high risk in the absence of mitigating measures.
  12. Failures to designate or carry out the functions of the Data Protection Officer.

Breaches which can incur a monetary at the higher level (max. £17mm) include:

  1. Breaching the basic principles for processing both Personal Data and Sensitive Personal Data,including conditions for consent.
  2. Disregarding data subjects rights by:
  3. Not providing specified details of the processing undertaken with regard to their data.
  4. Not responding to requests promptly, within one month maximum.
  5. Not providing copies of data held [seeSubject Access Request advice above]
  6. Rectification of errors where appropriate*
  7. Right to erasure where appropriate*
  8. Right to restriction of processing where appropriate*
  9. Not providing data electronically where it has been requested and is held electronically
  10. Right to object where appropriate*
  11. Right to have human review of automated decision making where appropriate*

*These rights are stronger where you rely on consent than where a statutory obligation to hold the data exists.

  1. Transferring data to a third country which is not regarded as having equivalent protection. EEA countries are acceptable and USA where the organisation has signed up to the EU-US Privacy shield. You should check the EU list of approved countries (link below). This is particularly important where you are looking at cloud based services as many will not be using data warehouses in the UK or even the EEA.

What should schools do now: Your action plan

  1. Ensure you understand why you hold the personal data you do, be clear about whether you hold it to fulfil a statutory duty; a contract or whether you need to consent of the data subject. Create a register or list in each category. This will help meet your obligations and help you understand what rights the data subject has when you receive SARs; requests to cease processing; objections to processing;etc
  2. Check where cloud based or remote hosted services are storing data. All countries are not equal when it comes to protecting data. Use the EU list of countries considered to have equivalent data protection.
  1. Look at the Privacy Notices you use when you collect data. Ensure they are clear to understand and allow explicit consent to be gathered where needed, a tick box or signature can be used as appropriate. Identify who you share data with and allow parents to opt out of some sharing (the law relating to concerns about the safety or risk to a child overrides this preference where this threshold is met).
  1. Make sure you are only collecting the data you need for the purpose. It is easy to be lulled into holding things just on case – don’t
  1. Make sure you have good mechanisms for updating or checking the accuracy of data. Ensure data is updated in every record you hold relating to the child, and try to have as few separate records as you can, it’s easy for one to get missed, resulting in a lost letter, which may become a data breach.
  1. Make sure your data is stored securely and only accessed by people who need to access it. Curiosity is human nature but dipping into the school register to find out where your neighbour moved to is an offence.
  1. Identify your Data Protection Officer and arrange training for them
  1. Ensure you have a breach reporting and investigation process and that it includes documenting details of the data lost; how it occurred and mitigating actions. Ensure you understand the threshold for reporting to data subjects and the ICO.
  1. Inform your Governing body of the changes
  1. Ensure staff and anyone working within the school is aware of their responsibilities under the GDPR.

PR – December 2017