The General Data Protection Regulation (GDPR) will come into force on 25 May 2018. This is European legislation which will largely replace the current Data Protection Act in England and Wales. The UK government is also in the process of drafting a new Data Protection Act in line with GDPR, which contains some UK-specific rules. This is due to be introduced later in 2018.
The GDPR makes several key changes to data protection law. It brings many new and enhanced obligations, including the potential need for organisations to refer their own breaches to the Information Commissioner’s Office (ICO) and to have written contracts with third parties that process personal data. It also introduces more severe consequences for breach and it may even have implications for OFSTED when reviewing schools’ policies.
Overall responsibility for ensuring compliance with the GDPR lies with the data controller; this will be the school itself, or your school’s multi-academy trust (MAT). However, the GDPR also places wider obligations on anyone who does anything with data.
The GDPR applies where you do anything with information from which a person could be identified. For example, a pupil’s name or medical information, or a staff member’s National Insurance number, would qualify as ‘personal data’. The identifiable individuals are referred to as ‘data subjects’ under the GDPR; this is likely to include pupils, staff and parents, among others.
Extra care must be taken when processing special categories of personal data; this includes racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health, sexual life, or genetic or biometric data.
To be compliant with GDPR, all processing of data must have a legal basis.
For schools, the most likely legal basis for processing data is the public interest that the school has for doing so. There is a public interest in the school being able to carry out its duties in educating. There is also the basis of fulfilling a legal obligation which will be relevant in some instances. Consent may also be your legal basis, but this should be avoided where possible as consent can always be withdrawn!
We will all have rights under GDPR in relation to our data being held by an organisation. For example, there is a right to access that data and a right to have it corrected, among others. People may exercise their rights against the school or MAT, so you should be aware of them. However, these rights can only be exercised in line with the GDPR rules and exceptions.
It is likely that the school or MAT will require a data protection officer, who will be responsible for monitoring compliance with GDPR. They should be allowed to act independently and not be penalised for carrying out their role.
This person may be designated internally, or appointed from outside the school, and should have some knowledge and experience of data protection.