1. What exactly is it?
It is the EU General Data Protection Regulation (GDPR), which the Government is bringing into UK law through the new Data Protection Bill. The law is about modernising data protection to make it relevant for the way we all share and use personal data in today’s connected world. As well as modernising data protection, the law places individuals, known as data subjects, at the centre and gives them additional rights. As a school, your data subjects include pupils, parents and staff as well as contractors, supply teachers and visitors.
2. Do schools get a grace period?
No. The law applies to all organisations that collect, hold and process personal data and there are no grace periods, even for schools. The GDPR comes into force on 25th May 2018 - your school must be compliant on this day, and not working towards compliance.
3. Do we need to ask for consent to process every piece of personal data?
No. As with the Data Protection Act, you must have a lawful basis for processing personal data and only one of these is consent. Much of the data you process is for statutory purposes or to comply with the legal obligation to teach the child. For staff data, you need personal data for contractual purposes of employment. An example where consent is needed is school photographs. Whilst individual photographs are used in some software to aid teaching, this doesn’t mean they can be added to the school website or shared with the local press. This is where explicit consent should be sought and, in the UK, the age of data consent has been set to 13. Under GDPR, consent can also be withdrawn and it must be easy for individuals to do so.
4. What additional rights do individuals have?
Under the GDPR, individuals have eight rights. A key one for schools, and something you can begin to address now, is the right to be informed. This means explaining to data subjects why you are collecting their personal data, what personal data you have received indirectly, such as from the local authority, what you do with it, who else you share it with as well as how you safeguard it and how long you keep it for. This is done through a privacy statement which should be written in a clear and understandable way that data subjects, or their guardians, will understand. Each group of data subjects will have their own privacy statement.
5. What can we do now to prepare?
Now is a good time to think about the data you process and how it is handled across the school. Begin this with a data audit incorporating the areas discussed above, including the lawful basis for processing as well as why it is processed and who it is shared with. Include the ways the data is handled, such as if it is downloaded or printed by staff or shared in unencrypted emails. This will help you to see if there is any data you shouldn’t or don’t need to process, as well as which you need consent for and any holes in data handling that can be filled before May. From this, you can begin to develop your privacy statements as well as identify staff training needs. Asking departments, teams, year groups and teachers to complete a data audit has the additional benefit of raising the profile of GDPR across the school and further exposes holes in data protection practices.
The Information Commissioner’s Office outlines the GDPR here.