Schools – like everyone else – have to make sure they are compliant with the new General Data Protection Regulation (GDPR). The GDPR increases every individual’s rights over their personal data, while at the same time increasing the burden of responsibility on schools, as controllers and processors of personal data.
The GDPR responds to the risks personal data faces in an increasingly online world. Break the rules and you could jeopardise your school’s budget and reputation. In the worst case, such as a serious breach or a fundamental failure of the processing principles, the regulator can fine an organisation up to €20 million (roughly £17 million) or 4% of its annual turnover, whichever is higher.
The general consensus is that fines at this level are unlikely to be levied against schools, as the ICO presents itself as an educational body rather than a draconian enforcer, but the reputational damage and procedural burden of a mistake will be as painful as any financial cost.
Schools handle a large amount of personal data. This includes information on pupils, staff, governors, volunteers and job applicants, and it extends to grades, attendance and behaviour records, safeguarding files and images of children. Much of it falls into what the GDPR calls ‘special category’ data, which is subject to even tighter controls: health and medical information, ethnic origin, religious belief, biometric data used to identify someone (such as fingerprint systems for cashless catering or library access) and trade union membership.
The previous Data Protection Act 1998 (DPA) made no specific provision for the protection of children’s data. The GDPR explicitly recognises that children merit particular protection, especially against the risks associated with Internet use, online services and profiling.
Schools are expected to have somebody within the senior team whose responsibility encompasses GDPR and data protection in general. That said, achieving GDPR compliance requires demonstrable buy-in from everyone: leaders, teachers, support staff and governors.
This involves focused training so people are clear about their day-to-day responsibilities, including cyber security, handling general data protection risks and what they should do in the event of a data breach.
Under Article 37 of the GDPR, a Data Protection Officer (DPO) must be appointed by any public authority, which covers state-funded schools and academies, and by any organisation whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special category data. It is possible to share a DPO amongst schools, if appropriate, provided the DPO is genuinely accessible to each of them.
The Government has published suggested privacy notice templates that schools can issue to their workforce, parents and pupils. The wording is tailored to each audience, but schools should review and amend the templates to reflect their own processing, because they cover only the data collections the Department for Education itself requires, not every system a school uses. Schools can share these privacy notices on their websites and in induction packs and staff contracts.
Under the GDPR, it isn’t enough for schools to be compliant; they also have to be able to demonstrate compliance (the ‘accountability’ principle). This involves auditing and mapping data, and retaining records of processing across all school systems. Schools need to know what personal data is processed, where it is held, who processes it (including third-party suppliers), the lawful basis for each processing activity and how long it is retained, mapping its entire lifecycle from collection to deletion.
They’ll also need to address their technology and systems. Do they allow for efficient reporting? Are they robust enough to keep personal data secure? Is it backed up and accessible in case of a data breach? Are the school’s business continuity and disaster recovery plans up to date?
Introducing new systems
If teachers want to introduce a new piece of subject-specific software or processing system, the school needs to be able to demonstrate a clear process for GDPR compliance. This involves informing your DPO, checking the supplier’s terms and where the data will be stored, and screening the proposal to decide whether a Data Protection Impact Assessment (DPIA) is required; a DPIA is mandatory where the processing is likely to result in a high risk to individuals, which is often the case for systems handling children’s data.
Subject Access Requests (SARs)
Under the GDPR, schools will have to respond more quickly to Subject Access Requests – within one month, rather than the 40 days allowed under the DPA – and the £10 fee that could previously be charged is abolished, except where a request is manifestly unfounded or excessive. These two factors, plus people’s increasing awareness of their data privacy rights, are likely to lead to an increase in SARs, so schools must prepare for this, too.
Reporting a data breach
From 25 May 2018, schools are required to report a personal data breach to the ICO within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms. Where a breach is likely to result in a high risk to individuals, the school must also inform those individuals without undue delay. Every breach, reportable or not, should be recorded internally along with the decision taken and its justification.
Me Learning offers free GDPR Board training, as well as a family of discounted, flexible online courses for key stakeholders and staff. We’ve been working with schools for more than a decade, so we know how to help lighten the growing burden carried by teachers, governors and ancillary staff.