Darren Rose CIPP/E, who is currently Schools Compliance Advisor (Data Protection) at OSMIS Education, offers his guidance on GDPR within schools.
The General Data Protection Regulation (GDPR) is a European law which comes into effect on the 25th May 2018 and is the culmination of 4 years of deliberation on the changes in technology since the current 1995 Data Protection Directive was enacted, as well as on possible future technologies. If you consider that in 1995 we had Ceefax, telephone boxes, no internet (other than the academic JANET network) and no social media, many things have changed, not least the reliance on sharing personal information for banking, e-commerce and social interaction, thereby greatly increasing the potential risk to the individual.
The Information Commissioner (Elizabeth Denham), in her recent video “GDPR for the boardroom”, confirms that the GDPR is a once-in-a-generation change and requires your organisation to demonstrate that data protection is a cornerstone of your policies and practices; otherwise you will leave yourself open to enforcement action.
A key part of the legislation is that of accountability through a comprehensive framework including mandatory documented policies, procedures and records within your school.
Overview of critical changes.
- Comes into effect on 25 May 2018
- Fines of up to €20 Million (or 4% of global turnover)
- New data subject right to compensation
- New specific consent with evidence and rights to withdraw consent
- New subject right to be forgotten (deletion)
- 1 month to respond to subject access requests, with charges removed
- Mandatory privacy impact assessments
- Mandatory documentation of compliance
- Mandatory breach notifications within 72 hrs of discovery
Whilst I have listed fines, the ICO has confirmed that this is not the full extent of the GDPR’s powers. There are levels of non-monetary sanctions available to the ICO, including undertakings and enforcement notices, which will be considered for schools that have demonstrated a privacy culture but have nonetheless experienced a data breach.
What schools should be focusing on / reviewing
Whilst there is still ongoing discussion regarding the mandatory appointment of a Data Protection Officer (DPO) within education, schools should still act now. And while local authorities are still establishing what services they can provide to schools within their authority, and definitive accreditation guidance from the ICO is still awaited, there are certain tasks, such as staff training and the identification of personal data within your school, which can be completed before the status of, or need for, a DPO is confirmed.
How does a Chief Privacy Officer differ from a Data Protection Officer?
The ICO has stated that in the absence of a data protection officer, or where there is no mandatory requirement for an appointment, an organisation should nominate an individual as a single point of contact. This single point of contact should support peers on data protection issues, oversee the data privacy culture, report any issues to senior management and escalate issues to an external data protection officer if required. The position has no set job title or job description, as it is not legally required; rather, it is guidance for best practice. However, some organisations are using the title of Chief Privacy Officer. As this role is not a statutory requirement, any individual can be nominated, including those in roles that are barred from the newly defined position of Data Protection Officer because of a possible conflict of interest, such as the Head of IT, the Head of HR or a member of the executive.
Reducing cost by implementing the 95% model
A model appears to be developing within education known as the 95% model. This describes an arrangement in which the majority of functions are performed by individuals within the school, under the guidance of the school chief privacy officer (CPO), with a light-touch approach from either an internal DPO or an outsourced DPO service (the remaining 5%). This model not only reduces costs but also ensures that an ongoing privacy culture develops and continues to be the cornerstone of data protection within the school into the future.
Using a culture to address “The human factor”
According to the International Association of Privacy Professionals (IAPP), the most common privacy breaches happen when data is stolen, lost or mistakenly disclosed. What is needed is an environment, or “culture”, where protecting data privacy is top of mind for every staff member whenever that person handles personal information – a privacy culture.
A privacy culture is best implemented through awareness, training and support of all staff within your school who may handle personal data.
Another key element of a privacy culture should be adequate technological and physical security of hardware and of electronic or hard copies of personal data, including backups, antivirus software, critical updates to operating systems, and securing critical servers and filing cabinets.
A key principle of good data management is CIA: Confidentiality, Integrity (also known as accuracy) and Accessibility, in so much that increased accessibility, combined with adequate security (Confidentiality), will ensure the Integrity of the data whilst providing the best data security.
Some real-world examples of this could be your MIS system or school network. If you increase their accessibility, either within the school network or via remote access, you remove the need for potentially insecure printouts, USB sticks containing temporary backups and insecure transmission via email, thereby greatly reducing the risks involved in handling that personal data.
Responsibilities of the school & what they can do to comply
- Identify the resources you already have access to, either internal or external, via an existing support contract. Utilise this existing resource to its full potential to reduce costs and impact on your school. This could be in the form of fully utilising the capability of your MIS system, school networks and IT hardware which you have already invested in over the years.
- Appoint a chief privacy officer (CPO) to be a single point of contact within the school, provide peer support, signpost colleagues to training and support and provide updates on progress and key issues to the head and governing body.
- Assign a team to support the CPO and to ensure all data is included. This could include the school business manager (for supplier contracts, staff contracts and admin data), IT (for hardware audits, network security, backups, antivirus and OS updates), the SENCO (for identification of data held on some of the most vulnerable groups) and a member of the SLT, if not already one of the positions mentioned.
- Create a group to allow collaboration with other schools within your family or cluster to provide peer support, share best practice and provide procurement benefit through economy of scale.
The ICO website has a wealth of useful resources including tools, myth buster videos, training materials and updates on the new Data Protection Bill.
In all training and procedures, it should be emphasised that data privacy should never trump safeguarding policies. The ICO data sharing checklist even specifies a condition for sharing data as “If there is a risk to an individual, or society, of sharing or not sharing the information”.
Be proactive in engaging parents to create a positive perception of data privacy, instil confidence in parents and reduce the likelihood of subject access requests, through communications such as a letter home or handouts available in school reception areas.
Follow the same methodology as you have used in the past to implement a safeguarding culture and fulfil the safeguarding accountability framework, including training, new staff induction procedures, school policy, communication and documentation to prove compliance.
It will take time to implement a privacy culture, just as your current safeguarding environment didn’t simply happen overnight. By encouraging everyone involved to play an active role in the process and to understand its benefits as well as its pitfalls, tackling GDPR compliance doesn’t need to be a challenge or a burden.
SIMS has a number of solutions to help schools comply with GDPR - learn more by visiting our GDPR solutions page.