If you wish to report a data breach:
Data Protection Officer: Mrs Carole Connelly email@example.com
Deputy Data Protection Officer: Stephen Hoult-Allen firstname.lastname@example.org
The General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is a piece of EU-wide legislation which determines how people’s personal data is processed and kept safe, and the legal rights individuals have in relation to their own data.
What constitutes personal data?
‘Personal data’ means information that can identify a living individual. Any information that can be used to directly or indirectly identify a user. It can be anything from a name, a photo, an email address, phone numbers, national insurance number or bank details to information relating to someone’s race or medical information.
What personal data breaches need to be reported to the Information Commissioner's Office (ICO)?
Breaches that are likely to result in a risk to the rights and freedoms of individuals must be reported (within 72 hours). Examples of these sorts of beaches could include the following:
- Access by an unauthorised third party - for example, a data hack or sharing of users’ login details (deliberately or accidentally)
- Sending personal data to the wrong person - for example, using the wrong email address or mislabelling an envelope (this is one of the more common areas for a breach to occur)
- Computing devices containing personal data being lost or stolen - for example, a work laptop being stolen from the boot of a car or a USB stick being lost
- Loss or theft of hardcopy information - for example, paper records being left on a train or in a briefcase that is stolen
- Insecure disposal of paperwork containing personal data – for example, paperwork that was to be disposed of securely being put in general rubbish.
The regulation applies to all schools, and also applies since the UK left the EU.
The GDPR sets out the key principles that all personal data must be processed in line with.
- Data must be: processed lawfully, fairly and transparently; collected for specific, explicit and legitimate purposes; limited to what is necessary for the purposes for which it is processed; accurate and kept up to date; held securely; only retained for as long as is necessary for the reasons it was collected
There are also stronger rights for individuals regarding their own data.
- The individual’s rights include: to be informed about how their data is used, to have access to their data, to rectify incorrect information, to have their data erased, to restrict how their data is used, to move their data from one organisation to another, and to object to their data being used at all
The GDPR is similar to the Data Protection Act (DPA) 1998 (which schools already complied with), but strengthens many of the DPA’s principles. The main changes are:
- Schools must appoint a data protection officer, who will advise on compliance with the GDPR and other relevant data protection law
- Privacy notices must be in clear and plain language and include some extra information – the school’s ‘legal basis’ for processing, the individual’s rights in relation to their own data
- Schools will only have a month to comply with subject access requests, and in most cases can’t charge
- Where the school needs an individual’s consent to process data, this consent must be freely given, specific, informed and unambiguous
- There are new, special protections for children’s data
- The Information Commissioner’s Office must be notified within 72 hours of a data breach
- Organisations will have to demonstrate how they comply with the new law
- Schools will need to carry out a data protection impact assessment when considering using data in new ways, or implementing new technology to monitor pupils
- Higher fines for data breaches – up to 20 million euros
What are the new rights for individuals?
The GDPR creates some new rights for individuals and strengthens some of the rights that currently exist; the ones that are most likely to be relevant in a school context are as follows:
- The right to be informed – usually via privacy notices
- The right of access – known as subject access requests (SARs).
- The right to rectification
- The right to erasure – also known as the right to be forgotten
- The right to restrict processing
- The right to data portability. These are not absolute rights and don’t always apply. If these issues ever cross your desk, speak to your data protection officer about how to respond
Will Brexit change things?
Data protection standards should remain the same after the UK leaves the EU (no matter what shape leaving takes). The Data Protection Act 2018 and the European Union (Withdrawal) Act 2018 have introduced GDPR directly into UK law. This means that post-Brexit, the GDPR’s protections and rules will continue to apply in the UK.
Can consent be used as the legal basis for processing the personal data of members of staff?
As an employer, you must have a legal basis for processing the personal data of your staff members. Historically, many employers relied on consent to justify their data processing; relying on consent has always been slightly uncertain, but under GDPR, it’s highly unlikely to provide the legal basis for processing the personal data of staff members. The ICO recommends that employers should avoid relying on consent; instead, they should rely on one of the other processing conditions set out in GDPR, such as the performance of the contract or compliance with a legal obligation.
What about safeguarding?
GDPR doesn’t prevent or limit the sharing of information for the purposes of keeping children safe. Lawful and secure information sharing between schools, children’s social care and other local agencies is essential for keeping children safe and ensuring they get the support they need. The Data Protection Act 2018 introduced ‘safeguarding’ as a reason to be able to process sensitive personal data without consent.
Do we need to train staff about GDPR?
Yes. This will help you to demonstrate that your school is committed to upholding the principles in GDPR and has taken steps to ensure this happens. In addition, if all GDPR FAQs update staff are trained in how to handle data, you should experience fewer data breaches.