GDPR: An overview for schools
What is GDPR?
The General Data Protection Regulation (GDPR) will come into force on 25 May 2018. This is European legislation which will largely replace the current Data Protection Act in England and Wales. The UK government is also in the process of drafting a new Data Protection Act in line with GDPR, which contains some UK-specific rules. This is due to be introduced later in 2018.
How will GDPR impact you?
The GDPR makes several key changes to data protection law. It brings many new and enhanced obligations, including the potential need for organisations to refer their own breaches to the Information Commissioner's Office (ICO) and to have written contracts with third parties that process personal data. It also introduces more severe consequences for breach and it may even have implications for OFSTED when reviewing schools' policies.
Overall responsibility for ensuring compliance with the GDPR lies with the data controller; this will be the school itself, or your school's multi-academy trust. However, the GDPR also places wider obligations on anyone who does anything with data.
The GDPR applies where you do anything with information from which a person could be identified. For example, a pupil's name or medical information, or a staff member's National Insurance number, would qualify as 'personal data'. The identifiable individuals are referred to as 'data subjects' under the GDPR; this is likely to include pupils, staff and parents among others.
Special Categories of Personal Data
Extra care must be taken when processing special categories of personal data; this includes racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health, sexual life or genetic or biometric data.
Legal Basis for Processing
To be compliant with GDPR, all processing of data must have a legal basis.
For schools, the most likely legal basis for processing data is the public interest that the school has for doing so. There is a public interest in the school being able to carry out its duties in educating. There is also the basis of fulfilling a legal obligation which will be relevant in some instances. Consent may also be your legal basis, but this should be avoided where possible as consent can always be withdrawn!
Rights of Data Subjects
We will all have rights under GDPR in relation to our data being held by an organisation. For example, there is a right to access that data and a right to have it corrected, among others. People may exercise their rights against the school or MAT, so you should be aware of them. However, these rights can only be exercised in line with the GDPR rules and exceptions.
Data Protection Officer
It is likely that the school or MAT will require a data protection officer, who will be responsible for monitoring compliance with GDPR. They should be allowed to act independently and not be penalised for carrying out their role.
This person may be designated internally, or appointed from outside the school, and should have some knowledge and experience of data protection.
What do you need to do now?
- Make sure that all staff are made aware of what will be expected from them under the GDPR.
- Consider what personal data you hold, how it may be used and who it may be shared with.
- Check your policies are GDPR-compliant.
- Think about who could take on the role of data protection officer.
- Keep talking. Ask questions of your colleagues and your legal advisors when you are unsure. There are still some unknowns when it comes to GDPR and, by talking about these, we can help to figure them out.