Melanie Hurley writes for capita-sims.co.uk on behalf of GDPR in Schools, a cloud-based, data protection monitoring solution for schools.
The time has almost arrived for the UK’s new data protection regulation to come into effect when the General Data Protection Regulation – the GPDR – go live on Friday 25 May.
In this blog, we’ll take a high-level look at the laws and what they mean to all of us – as data controllers or processers, schools and individuals. The new regulations represent the biggest shift in data protection laws in the UK since the Data Protection Directive came into force in 1995 and since their adoption in April 2016, plenty has been done by the education industry to prepare.
Why the GDPR?
The main aim of bringing in the GDPR at this time is to recognise the changes to everyday life that have occurred since the original rules came into being. Think back to 1995 – it was a very different time with minimal internet availability and even less mobile phone usage. Everything was done ‘offline’ and the amount of data you shared was both limited and easily controlled by you as an individual.
Since then, the way that we as individuals and organisations use data has changed beyond anyone’s imagination and as a result, the previous laws on data protection are no longer fit for purpose, so an updated approach and accompanying rules are overdue.
Modern rules for modern data
The central purpose of the GDPR is to protect people in the modern information age. This means reducing the risk of data falling into the wrong hands or being used in a different way to that which the individual originally gave their permission. Now more than ever it’s possible for data to be passed from one organisation to another so it has become essential for individuals to retain control over their personal information.
In addition, organisations will need to take on more responsibilities around the ways they collect and hold data, becoming more accountable for how the data is used and the reasons for contacting individuals.
As public-facing organisations holding significant quantities of data, schools will need to ensure their compliance with the GDPR.
Data held in schools
Driven mainly by government reporting requirements, schools currently hold extensive data on a wide number of individuals and organisations, covering a diverse spread of information.
This includes students, staff and parents, covering details such as student education data, student medical data, staff employment data, safeguarding information and contracts with suppliers.
Because of the requirements already on schools to protect their data, the majority of the above is already held in a secure way, meaning that schools are in a far better position to achieve compliance than many other organisations.
What will schools be doing?
The changes brought about by the GDPR affect everyone with personal data – so, in real terms, they affect everyone. In an education context, anyone who interacts with your school will be affected, even if they as individuals do not need to modify their current practices.
This applies to staff, parents, children and volunteers, many of which will almost certainly have data held on your SIMS database. As a result of their existing practices, schools already operate strict data protection policies, so there’s no need to panic or make sweeping changes to your existing procedures.
So long as schools already ensure that data is kept secure and used appropriately, then much will stay the same, although the arrival of the GDPR will ensure better security and greater levels of transparency.
One area for increased focus around the GDPR is consent. However in many instances consent is not used as the legal basis for processing personal data in schools. If consent is required, data controllers must do so in a clear manner and provide a straightforward way for this to be removed whenever the data subject requests it.
The role of the school governing body
As with any change of approach or new strategy, it is key for the school’s governing body to take the lead and create a positive culture around data protection. By holding the school accountable for the data they hold and how they use it, the governing body can ensure that any existing or new procedures are in line with the new regulation.
A key new role in managing this situation is that of Data Protection Officer, a position which can be filled by a new or existing member of school staff, but must be occupied under the GDPR.
As a result, this can provide assurances to the entire school community, knowing that data is being handled with the best interests of the data subjects.
Parents interacting with schools have a number of new rights as a result of the GDPR and it’s important for all involved to understand what this means – however, it is worth remembering that some rights are overridden by the necessity of key school functions.
Right to be informed: to know what, how, where, and for how long your data is used.
Right of access: be able to see and know what data is being held.
Right to rectification: to fix any errors in the data held.
Right to erasure: to choose to have the data erased.
Right to restrict processing: to stop data being used for certain purposes.
Right to data portability: to move a copy of the data elsewhere.
Right to object: to complain about how your data is used.
There are also rights applicable to automated decision making and profiling – for more information on these rights and how they might affect the handling of data, take a look at the website of the UK regulator, the Information Commissioner’s Office (ICO) at www.ico.org.uk.
GDPR in Schools (GDPRiS) provides schools with an easy-to-use, cloud-based solution for the management and processing of data. Find out more by visiting our dedicated GDPRiS product page or alternatively learn more about the full range of GDPR solutions offered by Capita SIMS.