by John Roberts
Increasingly, the Assembly team is being asked questions by schools regarding the impact of the General Data Protection Regulation (GDPR) on how they share data. Forbes Solicitors and I have been working with Assembly since 2015 on their approach to data protection and security, so given the increased interest in GDPR, we thought that now was a good time to offer some practical suggestions for steps schools can take to become GDPR-ready. We’ve therefore written this blog between us to set out our latest thinking on this complex subject.
As brief context, GDPR is the new legal framework that will supersede the Data Protection Act 1998, and it is enforceable from 25th May 2018. The regulation includes important changes to data protection law, such as new rights for data subjects, increased transparency when processing personal data, specific requirements regarding the appointment of data processors, and higher fines for non-compliance. However, the Act of parliament that will turn the GDPR into law hasn’t yet been finalised, so there are still quite a few grey areas about the implications of GDPR for schools.
Nonetheless, we think there are plenty of sensible things that schools can do now that will set them in good stead for GDPR-compliance. Much of what follows is “common sense”, and could be seen as prudent behaviour, regardless of how regulations evolve. In data-protection speak, schools will need to adopt a “risk-based approach” to processing personal data: in other words, identify the risks; take steps to minimise those risks; and document the school’s approach and compliance activities.
We should nonetheless stress that this blog is not formal legal advice - as we say, some key parts of GDPR are in any case still vague. You should seek your own formal legal advice wherever relevant.
Seven Practical Steps to become GDPR-ready
1. **Conduct an Information Audit** to establish:
a. What data is being processed
b. The purpose for the processing and the legal basis for doing so
c. Where data is being stored
d. With whom data is being shared
e. How data is being kept up to date and accurate
f. Data retention periods and how data is being destroyed when no longer required
As part of an information audit it would be sensible to review existing contracts which involve personal data sharing, and also examine existing school policies in relation to data protection, data sharing and IT security.
Don’t forget: sending a spreadsheet or downloading a CSV counts as “processing data” - so the audit should cover these practices alongside other, more formal data processing methods (such as integrations with software like Assembly).

2. **Develop a Compliance Plan.** Once you’ve completed your Information Audit, a logical next step is to create a Compliance Plan to address any issues arising from it, or more broadly to ensure GDPR-compliance. This may include contacting suppliers to enquire about whether contracts need changing to be GDPR-compliant, or updating policies as required. The Compliance Plan should be regularly maintained and updated with changes that take place. It should also include a template for a Privacy Impact Assessment (a key GDPR document), which should be carried out before any significant changes to how a school handles data, so that principles of GDPR such as “data minimisation” and “privacy by design and default” are applied properly. It would also be sensible to report to the Board of Governors on the Compliance Plan.
3. **Pay particular attention to the legal basis for processing data** (see 1b above). A major part of an information audit will be ensuring that the legal grounds for processing are documented by a school in each case, and that any adjustments to that basis arising from GDPR are taken into account. This page of the ICO website gives a useful overview on lawful processing. In our experience, there are two common bases for processing used by schools:
a. **“Public interest”**, which is to say that the processing is necessary to provide a high quality standard of education and care, and which is covered by GDPR’s Article 6.1 (e) (“processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”).
b. **“Consent”**, which means the agreement of the data subject, or someone with the right to grant consent on behalf of the data subject, and which is covered by Article 6.1 (a).
Public Interest covers a wide range of school processing uses, so it is likely to be the most common basis used by schools. That said, GDPR brings with it a number of implications to consider when a school uses this basis. For example, in a GDPR world, when “Public Interest” is invoked, schools should be able to demonstrate what they have agreed to share, with whom, in an auditable fashion, and at a granular level (e.g. specifying whether the data being shared includes basic student information, staff details, assessment results, and so on). They should also be able to demonstrate that they can withdraw their consent easily at any time.
Consent involves more rights for the data subject, and what is acceptable as the standard of consent is being enhanced by GDPR. In the ICO’s words, GDPR means that:
*“consent must be a freely given, specific, informed and unambiguous indication of the individual’s wishes.”*
So if a school is using consent as the basis of processing, it’s likely that this will require documented agreement from each student, or a parent/guardian with authority to give consent on their behalf. Data subjects also have a range of rights in relation to consent-based processing, including subject access requests, data portability, the right to be forgotten, the right to rectification and the right to object to processing. Schools should carefully consider how they will deal with these rights, upon request.

4. **Review and update your Privacy Notices** to ensure it is clear to data subjects how their data is being processed. Privacy Notices should consider the rights of parents, pupils and employees. The most recent DfE guidance on privacy notices is [here](https://www.gov.uk/government/publications/data-protection-and-privacy-privacy-notices), though this dates from 2013. So, until there is a further update from the DfE, we’ve drafted [suggested text for how to update your Privacy Notice in light of GDPR](https://docs.google.com/document/d/1ZWY2JosXosyj8v9olxmA_2nMwYloaC-lpcw7MzDdlmc/edit?usp=sharing), which you're welcome to refer to or copy from as you see fit.
5. **Appoint a Data Protection Officer (DPO).** All schools will be required by GDPR to have a nominated DPO. In organisations such as larger MATs, this is likely to be a full-time role. Within schools, it could in theory involve allocating this as an additional responsibility to someone already within the school. However, it should be borne in mind that the role should be separate from key data-processing roles that could create a conflict of interest if combined with DPO responsibilities (for example a school data manager). In practice therefore, schools may end up contracting an external individual or organisation to be a DPO. It would also be sensible for the DPO to organise updated data protection training for all staff.
6. **Develop a data breach response plan.** GDPR requires any organisation experiencing a data breach to inform the ICO within 72 hours. If the breach is classed as “high risk” you will have to inform the data subjects involved without delay. As part of GDPR-compliance, it is therefore wise to think through and document how you’ll act in the event of a breach to comply with this mandatory self-reporting requirement.
7. **Locate expert advice.** This blog has hopefully helped you structure your thoughts around GDPR. However, we think it’s likely that you’ll have questions as time passes, and it would be wise to know who you’ll turn to if and when you need proper legal guidance regarding GDPR. So it would be sensible to find an expert - either a lawyer or a demonstrable expert - that you can call on when required.
Schools, and all those processing data, must be GDPR compliant by 25th May 2018 and there is no grace period so it’s important that we all put plans in place to be compliant very soon. If you have any questions about how Assembly is handling GDPR compliance, then do let us know.
The ICO is the best place to start when researching GDPR - they have a nice overview on their website.