The GDPR – data protection in schools and academies

The EU General Data Protection Regulation 2016 (GDPR) comes into force on 25 May 2018 and replaces the Data Protection Act 1998. The changes introduced by the GDPR amount to the biggest reform of data protection and privacy law in over two decades.

Schools and academies need to be aware of the forthcoming changes because:

• Ofsted is likely to continue its policy of heavily criticising schools for data protection breaches under the new legislation
• parents are increasingly privacy literate and expect schools and academies to be compliant with the relevant legislation
• maximum thresholds in respect of breaching data protection legislation are increasing to the greater of €20m or 4% of group annual turnover
• individuals can bring compensation claims for breaches through the courts

This article focusses on the forthcoming reforms to three key areas of data protection law which will affect schools and academies:

1. the data protection principles
2. the requirement for public bodies and authorities to appoint a data protection officer (DPO)
3. the right of subject access

The Data Protection principles

From 25 May 2018, schools and academies will need to be able to demonstrate that they comply with the following data protection principles, which require that personal data is:

• processed in a lawful, fair and transparent manner
• collected for specified, explicit and legitimate purposes
• adequate, relevant and limited to what is necessary
• accurate, and where necessary, kept up to date
• kept in a form which enables individuals to be identified for no longer than necessary
• processed in a manner that ensures appropriate security

There are three key points for schools and academies to take away from the changes to the data protection principles:

1. schools and academies which are already compliant with the existing legislation are well placed to update their practices to comply with the GDPR
2. the requirement of the first principle that data is processed in a ‘lawful’ and ‘transparent’ manner mean schools’ and academies’ privacy policies and certain supplier contracts need to be reviewed and brought up to spec: the GDPR sets out a number of new, mandatory requirements for these legal documents
3. the new data protection principles mean schools and academies will need to have a better understanding than ever before of what data they hold, why they hold that data and who has access to it

Data Protection Officers

Under the GDPR, ‘any public body or authority’ is required to appoint a DPO, but there is no clear-cut guidance as to which institutions qualify as such. Until further guidance is published on this point, all academies (and schools which are already subject to Freedom of Information Act legislation) should assume they will be required to appoint a DPO.

Whilst many schools have already appointed a ‘data protection compliance manager’ or similar, under GDPR, the DPO receives protected employment status and must:

• be suitably qualified, and an expert in data protection law
• be able to carry out the role independently
• report to the highest level of management

The DPO can either be engaged as an employee or a sub-contractor, and one DPO can act as the DPO for a number of public bodies.

The rights of individuals

Schools and academies will already be familiar with the right of subject access. This right is changing slightly under the GDPR: a charge can no longer be made for responding to a subject access request (unless particular circumstances apply) and the time for responding to a subject access request is being reduced from 40 days to one calendar month.

The GDPR also grants individuals other additional rights which are outside the scope of this article.

What should schools and academies be doing to prepare?

Schools and academies should:

1. start a ‘data-mapping’ exercise: understanding what personal data is collected from students, parents, employees and management, as well as what that personal data is being used for, is a vital first step.
2. start discussions with governors to determine: (a) how you will demonstrate that you comply with the data protection principles; and (b) whether a DPO needs to be appointed (and if so, build this into your budgets for next year)
3. review your existing policies and training to ensure you are ready to comply with the changes to subject access and other rights granted to individuals under the GDPR.

If you are interested in hearing more about the forthcoming changes, please get in touch with the Education team.

We are also providing training seminars on the GDPR to schools and academies in the near future. In the meantime, you can download a copy of our free GDPR brochure using the button below.

Download GDPR brochure