What is GDPR? And how will it affect your school?

From 25 May 2018 the way you manage personal information and data within your school will change. The current DPA (Data Protection Act 1998) will be superseded by the GDPR (General Data Protection Regulation), a new regulation designed to strengthen the protection of personal data and to make organisations accountable for how they handle it. So, let’s take a deeper look at what the GDPR includes, and how it will affect your school…

What is the DPA (Data Protection Act)?

The Data Protection Act, passed in 1998, was designed and introduced to protect the privacy of individuals. The DPA requires that any personal information about an individual is processed securely and confidentially.

For a school, the DPA applies to information relating to staff, students and parents. How you obtain, store and share any information about individuals matters, because this data is often sensitive. It is also important to make clear to each individual how you intend to use the information you hold about them.

What does the DPA do?

Much of the sensitive information held by schools sits in computerised databases, where it is easy to access, and easy access raises the chance of it ending up in the wrong hands. This is where the DPA comes in.

By ensuring that all data is obtained, managed and shared securely, schools can prevent any information about students, staff and parents being used in an illicit manner.

What is the GDPR (General Data Protection Regulation)?

The GDPR is a new, updated data protection regulation that schools and other organisations must follow. It has been designed to strengthen further the protection of personal data held by an organisation, and to make the organisation accountable for demonstrating that protection.

Victoria Tuffill, Managing Director of data protection experts Data Compliant, said;

“GDPR is the new European General Data Protection Regulation which is designed to do many things, of which two are most significant.

  1. It strengthens the rights of ordinary people like us, giving us back the power and control over our personal data and how it is used by those schools and other organisations to whom we provide it.
  2. It ensures that responsibility for protecting that data lies with the schools and other organisations who process it.

To achieve the above, GDPR requires everyone who processes personal data to demonstrate and provide evidence of compliance with the 6 Principles of GDPR.

GDPR is included in the UK’s upcoming Data Protection Act which is currently going through Parliament, so Brexit will make no difference to the need to comply.”

What does the GDPR Include?

As mentioned by Victoria Tuffill, the GDPR is built on six key principles. Article 5(2) adds a seventh, accountability: the controller is responsible for, and must be able to demonstrate, compliance with the six below, which is why record keeping runs through everything that follows.

Article 5 of the GDPR requires that personal data shall be:

  1. Processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
  2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
  3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
  4. Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
  5. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
  6. Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

This great piece by MTHREE Consulting breaks down the principles of the GDPR into six bitesize categories.

The differences between the DPA and the GDPR…

Scope
DPA: Only applicable to organisations based, or operating, in the UK.
GDPR: Applies to any organisation acting as a Data Controller or Data Processor, whether established in the EU/EEA or outside it, that processes the personal data of data subjects who are in the EU (Article 3). This is not restricted to EU citizens: anyone who is in the EU/EEA when their personal data is collected is covered, wherever they normally live.

Data Protection Officer
DPA: Does not require any organisation to have a dedicated DPO (Data Protection Officer).
GDPR: A Data Protection Officer (DPO) shall be designated when (Article 37):
  1. the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
  2. the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
  3. the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.

This means that in almost every case a school will be required to designate a DPO. However, DPOs can be shared across organisations (Article 37(3)), i.e. a group of schools could get together and appoint a single DPO.

Right to erasure
DPA: No requirement for an organisation to remove all data held on any particular individual.
GDPR: Gives data subjects new and specified rights (Chapter III), among which is the Right to Erasure (the ‘right to be forgotten’, Article 17). This means that data subjects can request the removal of all their personal data. However, this is not an absolute right: Article 17(3) lists exceptions, so the request can be refused where, for example, the school has a legal obligation to keep the data (Article 6(1)(c)).

Lawful basis and consent
DPA: Data collection does not necessarily require an opt-in.
GDPR: There are six lawful bases for collecting and processing personal data (Article 6): consent, contract, legal obligation, vital interests, public task and legitimate interests. Only one need apply, and it should be identified and recorded before processing starts.

If consent is the lawful basis relied upon, it must be freely given, specific, informed and unambiguous, given by a clear affirmative action (Article 4(11)); pre-ticked boxes, silence or inactivity do not count, so ‘opt-in’ is the only acceptable default. Data Controllers must also be able to demonstrate that consent was given (Article 7(1)), so consents have to be recorded.

Legal form
DPA: Implements an EU Directive (95/46/EC) which sets aims and requirements but leaves the detailed rules to each country’s national legislation.
GDPR: A Regulation, directly binding on all member states from 25 May 2018 without any need for national implementing law.

Breach notification
DPA: For most organisations, breaches do not have to be reported.
GDPR: Article 33 requires a personal data breach to be notified to the Supervisory Authority (the ICO in the UK) within 72 hours of the organisation becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the breach is likely to result in a high risk, Article 34 also requires the affected individuals to be told without undue delay. A breach log should be kept even for breaches that are not notified, because the accountability principle requires the decision not to notify to be justified.

Children
DPA: Parental consent for minors not required.
GDPR: Where consent is the lawful basis for an online service offered directly to a child, Article 8 requires that consent be given or authorised by the holder of parental responsibility for any child below the age set by the member state; the UK has set this age at 13. That consent must be documented. Note that Article 8 only bites where consent is the basis: where a school relies on another basis, such as a legal obligation or public task, the age threshold does not apply, although the other principles still do.

What effect will the GDPR have on schools?

The GDPR will definitely affect the way schools, academies and trusts look after their information. It will now be even more crucial to ensure all information is handled in a secure, compliant and documented manner.

One key thing to consider is making sure that all information on your school website, in particular your privacy notice, is up to date and reflects how you comply with the GDPR.

How to prepare for GDPR…

Educate: With the GDPR roll-out looming it’s crucial to educate everybody within your school who handles data about the changes.

Help: There’s no shame in asking for help. Many Data Protection companies are already offering advice on how to prepare for the GDPR.

Understand: The more people within the organisation who have a thorough understanding of the GDPR the better. This way knowledge can be easily shared, and any necessary checks are made.

Current Policy: Take a look at your current IT and data protection policies. Your old policies will contain a lot of useful information, such as what data you hold, where it lives and who can access it, that will help you map out what GDPR compliance requires.

Change: As a result of GDPR your Privacy Policy will no doubt need updating. This is extremely important, as it means nobody whose data you have obtained is left in the dark about how it will be used, on what lawful basis, and for how long.

On Privacy Policies, Victoria Tuffill of Data Compliant added; “Getting your Privacy policies right is vital. Your privacy policy is the window through which the world can see how seriously you take the protection of their personal data.”

Prepare: This legislation is being taken very seriously and it is likely that you will face assessments to ensure that your policies have come into line with the rules. You will not be able to claim ignorance on this issue, and the penalties are substantial: Article 83 allows fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher.

What the experts say about GDPR:

“The GDPR is the most significant update in Data Protection law in 20 years. For those already meeting best practice, the accountability and transparency requirements will be an evolution. For those already behind the curve, the GDPR could be more of a revolution, posing serious questions about how you demonstrate ongoing management of data protection risk.”

Gary Shipsey, Managing Director - Protecture

“The GDPR replaces the Data Protection Act (Directive 95/46/EC) and affects all UK companies who collect or process personal information. It’s focused on looking after the privacy and rights of the individual, and based on the premise that consumers and data subjects should have knowledge of what data is held about them and how it’s used. Whilst it’s designed to strengthen and unify data protection for individuals within the European Union, it does also deal with the transfer of personal data beyond the EU too.”

Steve Sands, CISO - Synectics Solutions Ltd