The education sector and data protection

A view from the ICO

The School and Academies Show took place in London this week. It included a presentation from the Information Commissioner's Office (ICO) which provided some helpful tips and advice on data protection in schools. We thought it would be helpful to share this information so that those who were not at the event can benefit from it and pass it on to others in the education sector.

Background

As you will be aware, the Data Protection Act 2018 (“DPA 2018”) came into force on 23 May 2018 with the aim of making data protection laws fit for the digital age and modernising the law to ensure it remains effective for the future. As well as the DPA 2018, organisations must comply, where applicable, with the General Data Protection Regulation (“GDPR”). It is important therefore that the GDPR and the DPA 2018 are reviewed together.

Where are we now?

We are now almost a year on from the data protection changes. The ICO confirmed that, following its approach to them, consensual audits have been taking place with various large Multi-Academy Trusts (MATs). These concentrated on policies and procedures, and the ICO will issue a report on them within the next 6 months.

Since the introduction of the new legislation, the ICO has confirmed that there have been 32,000 complaints across all sectors, with 600-700 relating to schools. They indicated that most complaints were about subject access requests (“SARs”) and/or inappropriate disclosure of data, for example disclosure of staff data to pupils, emails to parents sent to a wrong email address, and emails sent to groups of people revealing each individual’s email address (i.e. not using bcc). It was suggested that security and transparency were also ‘hot topics’, for example, ‘I did not know my child’s data would be processed in that way’.

The ICO also warned that cyber incidents are increasing in schools, particularly ‘phishing emails’. If you have not already done so, it will be important to train all staff who have email addresses and/or access to your school’s computer system so that they know what ‘phishing’ entails and what action to take if they suspect it is happening.

Subject access requests

In relation to SARs, you will be aware that you must respond without undue delay and in any event within one month of receiving the request. This is a much shorter period than was previously allowed. In very limited circumstances, where the request is complex or more than one request is made, you may be able to extend the response period to three months. It is important therefore that your staff are trained to recognise when an SAR is received and know how to handle such a request.
When considering your processes for responding to SARs, the ICO have confirmed that there is no exemption and/or extension owing to school holidays. You will therefore need to ensure that procedures are in place to deal with requests within the relevant time period as best you can. It was recommended that you document any issues that arise, for example ‘staff member not available’, and manage the individual’s expectations in relation to responding to the request.

Areas to be kept under review by schools

  • It was noted that DPO roles can be overstretched, particularly in MATs where the DPO is expected to cover all schools that are part of that Trust.
  • When appointing a DPO be mindful of conflicts of interest, for example, an IT Manager should not be appointed a DPO as they procure the systems.
  • Record keeping and documentation of key decisions needs to be improved.
  • Training of key staff – ensure that this is delivered at the right level and that regular refresher training is given and documented.
  • Ensure that you have appropriate data processing agreements in place.
  • Review security, particularly when systems and/or processes and policies are updated.

ICO Top Tips

  • Ensure that you have appropriate policies and procedures in place.
  • Review policies regularly.
  • Undertake data protection impact assessments (check who is in control of outsourced data).

How we can help

If your school requires legal advice on data protection, including assistance with responding to SARs, relevant policies and/or procedures, data processing agreements, data protection impact assessments and/or training, Brachers is able to assist in all of these areas. If you would like to discuss further, please contact Louise Brenlund on 01622 776405.