If you have not heard of the General Data Protection Regulation (GDPR) and you work in a school, you need to get clued up quickly: break the new rules after they come into force on 25 May and the consequences could be damaging both for your school's budget and reputation.
In our other guides, we give you a breakdown of what GDPR is and how it differs from the Data Protection Act, and we also give you some tips on how to become compliant.
Here we tell you what schools in particular need to know about GDPR.
GDPR for schools
Schools handle a large amount of personal data. This includes information on pupils, such as grades, medical information, images and much more. Schools will also hold data on staff, governors, volunteers and job applicants.
Schools will also handle what the GDPR refers to as special category data, which is subject to tighter controls. This could be details on race, ethnic origin, biometric data or trade union membership.
This data is already governed by existing DPA regulations, which ensure personal data is handled lawfully. However, the new GDPR has gone further and requires organisations to document how and why they process all personal data, and gives enhanced rights to the individual.
“What the GDPR has done is taken the previous regime, built upon it and modernised it for the current technological and societal environment,” says Claire Williams, an information and cyber law specialist from law firm Mills & Reeve.
“In terms of schools, and the education sector in general, there’s going to be much more of a focus on data protection and it’s going to have to be much more at the forefront of people’s minds, particularly the senior leadership when they’re deciding on policies and bringing in new technology.”
Who exactly will this impact?
“Achieving compliance for any organisation will require the unconditional support from all staff, leaders, teachers and support staff,” says Guy Dudley, director of Advice and Legal Services at the school leaders' union the NAHT.
“GDPR isn’t normal ‘day-to-day’ business for schools, so they’ll have to make this change alongside all of the regular teaching and learning commitments that go on.”
In the same way that safeguarding is a school-wide priority normally led by one of the senior leadership team, it is recommended that data protection follows the same approach.
“You are expected to have somebody within the senior team whose responsibility encompasses GDPR and data protection in general,” says Williams. “They need to have adequate resourcing and an adequate understanding of what the law actually is.”
With such a major emphasis on evidencing compliance, it’s important that schools can also demonstrate that the whole school is on board when it comes to data protection.
“Part of the process of becoming compliant is to make sure that everybody has received adequate training,” says Williams. “Training needs to be sufficiently focussed and relevant to what people are doing day to day, so that they understand both the cyber security implications of their actions and the rules about the protection of personal data.”
Data Protection Officer (DPO)
Under the new law you must appoint a DPO if you carry out large-scale tracking of individuals or large-scale processing of special category data. It is possible for groups of schools, or MATs, to share a DPO.
“Schools need to look at what suits their organisational structure,” says Williams. “If they are planning to use an external DPO, they need to make sure he or she has sufficient knowledge about the school to be able to properly advise and give tailored advice. Schools need to make sure that whoever they engage will have adequate resources and adequate time to meet the school’s needs.”
External third parties
Any relationships with third parties who handle personal data will need to have processing agreements (basically, transparent agreements about what happens to the data to ensure it is GDPR compliant) in place.
“In terms of any existing contracts, schools need to look at what they have in place and whether it is adequate,” says Williams.
Any contracts that do not contain the necessary provisions will need to be amended.
“That can be quite a significant job depending on how many processors you’ve got.”
What changes need to be made?
The key shift from the existing DPA is that simply processing data lawfully is now no longer sufficient.
“The big difference around GDPR is that it’s very much focused around being able to prove compliance,” says Toks Oladuti, director of information systems at an independent girls’ schools trust.
“[This] is going to introduce new record keeping that schools will need to do and slightly newer approaches to how they actually introduce new processing activities.”
Mapping data and having records of processing across all school systems is one of the biggest and most important changes from the DPA.
“Schools need to understand where their data is processed,” says Jonathan Harrex, DPO and information security specialist at thinkdpo.com. “They need to understand what they process, and whether that’s done internally or by a third party or by both. So they will identify how their data is processed and who does it and then they will be able to identify, as part of that, the technology that they process the data on and how that’s secured.”
Key changes for leaders:
- Demonstrate compliance: schools need to document every system used to process personal data. They also need to map how this data is transferred to other systems or any third parties.
- Appoint a DPO: schools must appoint a Data Protection Officer (DPO) to ensure that their school is fully compliant with the new regulations (more info below).
- Processor agreements: for any third-party processors you must have contracts in place stipulating that personal data is handled in compliance with the GDPR.
- Reporting a data breach: if personal data has been put at risk, you may be required to inform the ICO, and in some cases, the individual at risk. This should be done within 72 hours of the breach being discovered.
- Staff training: despite the best efforts of the DPO in using compliant processes, these are only as secure as the people using them. Making sure staff are trained and there is a culture of data compliance is crucial.
With the increased emphasis on accountability will come more pressure on leaders to ensure their staff receive the necessary training. The systems put in place will also affect anyone who handles personal data, even if that is only an attendance register.
Key changes for teachers:
- Reporting a breach: teachers must understand what constitutes a breach and, if they suspect a breach has occurred, report it to their DPO.
- Introducing new systems: if teachers want to introduce a new piece of subject-specific software or use any new processing system there needs to be a clear process in place to inform the DPO and ensure it is done compliantly.
What will happen on 25 May 2018?
From 25 May, any data subject (that’s someone whose data the school holds) can exercise certain rights with regards to their data. This means that a parent could ask for a school to produce all data it currently holds on their child, or a job applicant could ask you to erase all their details. Under the new law an individual could ask for their data in a portable form so they can pass it on to another organisation.
The school would be legally obliged to carry out these requests within 28 days of the request being made.
Although individuals were previously allowed to request access and the correction of any inaccuracies, they now have additional rights and the £10 fee has been waived.
“People are becoming more aware of their data rights,” says Williams. “The volume of subject access requests has been rising but that’s just a general societal phenomenon, as people realise their data has value and have become a lot more curious about what people are doing with it.”
Reporting a breach
From 25 May, if you’re informed of a breach to someone’s personal data, you may be required to inform the ICO. Under serious circumstances you may be required to inform the individuals whose data has been put at risk.
The maximum fine for failing to comply with the new GDPR is €20m (around £17.7m) or 4 per cent of the organisation’s annual turnover (whichever is greater). Under the previous regulations, organisations such as the NHS and TalkTalk have received six-figure fines, although the consensus suggests schools will need to be seriously negligent to receive similar penalties.
“The organisations that have been taken to task are the ones that have looked the other way over recognised standards,” says Harrex. “In terms of the penalties, the ICO, at least for now, remain a very friendly and constructive regulator,” adds Williams. “One of their purposes is to educate people about data protection and to help people to get up to speed, so they don’t whip out the fines at every opportunity.”
After 25 May, it will become much clearer how the GDPR will be enforced. Tes will regularly update its guidance with every development.
For full and up-to-date guidance on the GDPR visit the ICO website.