Do you know how GDPR will affect schools?
On Friday 25 May 2018 the existing Data Protection Act will be replaced by the General Data Protection Regulation (GDPR). As a school, you may ask “How does this impact us?” To put this simply, you have a legal requirement to be compliant with GDPR.
The key here is that this is all about protection, something which is already incorporated into the way schools operate. In some senses then, GDPR is an evolution of schools’ current good practice. However, it’s a new regime with new elements to consider and tough penalties for breaching them. Pro-activity and good safeguards are at the core of this data protection upgrade.
What is GDPR?
According to the EU's GDPR website, the legislation is designed to ‘harmonise’ data privacy laws across Europe, as well as give greater protection and rights to individuals. It specifically aims to put individuals in charge of their data and how it gets used.
There are many changes for the public, as well as organisations and businesses that handle personal information, including schools and other education organisations. There are stiff penalties for non-compliance and any data breaches.
GDPR and the individual
GDPR directly caters for the privacy rights of individuals and their data, including permissions for other parties to access and use their personal data; it also outlines your obligations in using, storing and granting access to this data. This includes a number of new rights, e.g. the right to data accuracy and correction, the continued right for an individual to access their data, and the right to have their personal data removed.
GDPR in schools
GDPR covers all data – be it digital or physical. It cannot be ignored and its reach is extensive. GDPR covers the data in your archives, in your filing cabinets, in CCTV footage and in any of your school systems – you will have data on pupils, parents, staff and other contacts in a multitude of places.
One of the richest sources of data affected by GDPR will be your school’s Management Information System (MIS). It’s a rich repository of school data containing not just learner information but also personal data for parents/guardians, staff and other key contacts. In all likelihood, you will currently share data with third-party suppliers too.
What should schools do?
Firstly, you will need to make a senior staff member or trusted affiliate responsible for GDPR. This is your Data Protection Officer (DPO) - it’s not an optional post; you must have one and they own GDPR compliance at your school. Trusts can appoint a DPO across a number of schools. However, they must be able to spend sufficient time in the role and not be spread too thinly. The DPO must also have unhindered access to the school leaders. We’re hearing of single points of escalation as Privacy Officers rather than DPOs – this may simply be a way of sharing the workload but does not remove the core need for organisations including schools to have designated ownership.
Many schools are in good shape already and see GDPR as an extension of their good practice, albeit with greater emphasis on proof points and with more stringent penalties in place for poor adherence and breach. For others, GDPR will be a genuine wake-up call.
Newly appointed DPOs may find themselves wondering what they’ve signed up for and will need to immerse themselves in this updated data protection world. There’s lots of good information out there, but starting with the Information Commissioner’s website is best – this is the source of truth. GDPR awareness starts here. There are also specific education-focused materials available.
Secondly, you should assess your school’s current position – run a GDPR health check by way of a full audit. This should include a full end-to-end data mapping exercise – what data do you collect and where does it go? In each case, assess the reason for holding the data and whether it is still needed. These are not quick jobs and may require external assistance to complete.
You’ll also need to review where you engage with any third-party data processors – confirm you still need this relationship and whether it is necessary to share any data. Then you must check their GDPR compliance status, starting with their Privacy Notice. This could lead to you having to change providers.
Finally, in amongst this foundation work, it is an important requirement that school staff are fully aware of their obligations under GDPR – it’s no good having great systems, processes and protection if you have careless individuals being lax with personal data. This is a cultural change, or at the least a reinforcement of good practice.
To seek Consent or not?
From 25 May you must have a ‘Lawful Basis for Processing’ personal data. The Basis depends on the data subject and the reason for needing to process and store their data.
For schools, where data is being used for the purposes of a learner’s education and/or safeguarding, this is covered by Article 6(1)(e) as ‘Public Task’.
Where data is being used for any other purpose (e.g. for fundraising) then Consent must be sought – this means explicit, written, opted-in Consent. For learners this means seeking Consent from the parent/guardian up until the age of 13; at this age the learner can give their own Consent.
For staff, data being used for HR purposes etc. will be covered by Article 6(1)(b) ‘Contract’. However, if the data is to be used outside of the performance of their duties and their contract with the school – for example, using their details and photos for marketing purposes – then Consent should be sought.
For parents, it is essential to be able to contact them for safeguarding purposes, so again this is data which can be held for fulfilling a Public Task. However, stray into any other use – say for fundraising – and Consent will be required.
It is the responsibility of the school to ensure that, before GDPR is operational, Consent has been obtained for non-Public Task or non-Contractual purposes. We recommend that this is reflected in your MIS.
What we’re doing to help
Advanced has invested in building a team of product experts to assess the impact of GDPR on our customers. We have identified a number of key themes and requirements, which have driven product updates to help our customers on their journey to becoming GDPR compliant.
We are also making changes to our MIS solutions – the core information schools need to maintain now has a home within Facility, Progresso and CloudSchool. Additional modules are also now available to existing customers to help the DPO manage the many facets of GDPR from within the MIS. Our education consultants are up-to-speed on all regulatory changes and product updates, and we’re running GDPR training courses.
Get in touch to find out how we could help you.