Data protection has been the focus of some major news stories recently and GDPR has received a lot of attention as the new legislation deadline approaches on 25th May. Schools need to make sure that the implications of GDPR are widely understood and to this end, DfE has published Data Protection: A toolkit for schools (April 2018). The legislation relates to ‘personal data’, that which can be used to identify a living person.
The publication from DfE is a really useful and timely document, but also rather lengthy, so we thought it would be useful to summarise it here and to signpost what we believe are some key points. So here are our seven big takeaways from the toolkit...
1. Awareness of personal data
Everyone who works in or with a school needs to have an awareness of personal data, what it is and what the terms ‘processor’ and ‘controller’ mean. This includes all cleaning, catering and peripatetic staff, as well as teachers, teaching assistants, administrators and support staff. All school staff are involved with or exposed to data in some form, but not everyone has the same exposure or responsibilities. The DfE sets out three levels of awareness based on people’s likely exposure to and work with data. In particular, schools need to pay attention to ‘Special Category Personal Data’ and to be aware of what it includes. Read the advice on page 18.
2. Data maps and asset registers
Schools should establish a process for creating a thorough audit and map of their data structures. This should involve all staff, especially those with higher levels of data exposure and use. The map should be a live document that is reviewed and updated regularly. Special attention should be paid to MIS links and to specialist software and apps that might not be on the SLT radar. It is important to consider not only where your data is going, but also what data is actually being transferred. Data minimisation is one of the key principles of GDPR; you should think about whether systems need access to everything or only a limited subset of your data. There is a much greater emphasis in the new legislation on ‘demonstrating’ compliance with GDPR, so this mapping and asset register exercise becomes pivotal in the process. For a more in-depth discussion and practical case studies see Step 2 and Step 3 in the toolkit document. Your data asset register should include considerations of reassurance and risk, dealt with separately in Step 6 (page 29).
3. Lawful processing of data
The legislation requires that you have a lawful reason for processing personal data. Lawful reasons vary in their nature, and this blog does not constitute legal advice, so it is essential that your reasons are documented and adhered to. More details can be found in Step 4. Schools need to examine the what, why and how of all processing activity, as well as what happens afterwards. If processing is required "to effectively and safely run your school", then your legal basis for doing so may well be “public task”. This term crops up often but is not fully understood by all schools, so it is worth reading the parts of the toolkit that cover it carefully. The toolkit offers some clarity and explanation on pages 18-21 and in Annex 4.1 (e): “Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law”. Annex 4.1 lists the possible legal reasons for processing data.
4. Data retention
The duration of data retention is based upon justification, so if you can justify keeping data for lawful purposes using defensible logic, then your policy should be acceptable. There are no specific sector-wide data retention guidelines at present, but Annex 5.1 offers a first iteration of a policy template that you could use for your school.
5. The Data Protection Officer
The appointment of a Data Protection Officer (DPO) is pivotal to GDPR compliance in your school. This new, and very specific, role is required by the new legislation. Part of the DPO remit is building a culture of data protection in the school; encouraging people to think about data protection as part and parcel of safeguarding is seen as a way of creating this culture. Details and further discussion can be found in Step 7. There is an interesting case study on page 39 of how Ark Schools are approaching the role of the DPO across their 36 schools.
6. Data subjects and their rights
You will need to decide how to communicate any changes you make to your policies to your data subjects (staff, students and others). Handling consent, deletion, portability and subject access requests will require a thorough understanding of data subjects’ rights and the organisation’s responsibilities. DfE outlines its suggestions in Step 8.
7. Organisational behaviour
The new legislation means that data protection has to be a more embedded part of everyday operations and decision making by everyone concerned. The structures and cultures surrounding personal data will need to be reviewed regularly and to become part of common operational practice in the school. The DfE toolkit emphasises the idea that this is not a one-off compliance exercise but a continuous process.
You can read the full DfE toolkit document here. We recommend checking back regularly, as new publications reflect the growing understanding of this legislation and its impact on schools. The DfE aims to continue sharing best practice amongst schools to help them navigate the changing landscape.