UCL’s Nathan Lea tells our editor Victoria Galligan about how the incoming General Data Protection Regulation (GDPR) will have an impact on schools and what can be done to prepare for the new regime, which comes into force on May 25th…
How will GDPR affect the way primary and secondary schools use data overall?
The General Data Protection Regulation (GDPR) places a far greater emphasis on transparency with data subjects and indeed their guardians around how data is used. It is likely that schools will need to make their uses of data clearer to parents and guardians, who will be able to ask questions and seek clarifications according to updated and new provisions enshrined in the rights for the individual component of the GDPR.
The legal bases upon which data is processed are also being modernised, but where a school is processing data pursuant to an established purpose enshrined in law, it is unlikely to change much, though the new legal bases have been developed to support existing and proposed data use more clearly. It would be important for schools to think about how the six legal bases and additional provisions for special category data (including that related to health and biometrics) will relate to their purposes, but they must be very clear on purpose – why and how they’re collecting and using the data. Where the purpose is unclear, it will need to be clarified or amended to bring it into line with GDPR.
Schools in particular should pay close attention to the age at which parental consent for data processing is likely to change. Currently it looks as though the age will be 13 years old across the UK. However, they should take extra care in how they interpret it, engage with students and parents, and proceed on their legal team’s and Data Protection Officer’s (DPO) advice.
In short, provided schools are clear on purposes for data use, the legal bases for these, are transparent about their processing and are able to be accountable for the processing and protection of data, they should find that their uses will be supported and may not need to change very much. For any new uses they are planning, they will need to perform a Data Protection Impact Assessment in line with the Information Commissioner’s Office’s recommendations.
What measures should staff be taking to ensure they comply with GDPR in schools?
It is important for staff to take any training that their school is providing for them, and these should be mandatory courses. If staff are unclear, they should seek advice from their data protection officers – it is likely that schools will either have one or share one with other schools in the area. If anyone is unsure, they should seek clarification about what they are expected to do when it comes to data handling and use. It’s important to think about how they currently handle data, for example checking work emails on mobile devices – it is likely these policies will need to be updated and that new policies will be available. But in general, greater care in the handling of data and liaison with the DPO with regard to training and good and/or required practice will be vital to ensure compliance.
Is the introduction of GDPR in schools going to be a costly process?
The biggest “cost” will likely be culture change fuelled by a greater need for awareness about what data is being handled and how. Safe handling of data will need to be much more of a priority and, whilst the fines for improper use will be higher, the reputational cost will be even greater if something goes wrong where it might have been avoided. Furthermore, certain breaches need to be reported to the ICO within 72 hours of discovery, so schools will need to make sure they have an information risk, security and management process in place, key to which of course is their Data Protection Officer and IT management groups. However, this is an important opportunity for schools to really think about what data they are processing, how they are doing so, whether they need to and how they can do it safely.
Do heads need to hire data experts to ensure they meet GDPR in schools?
It will be very hard to declare that GDPR compliance is being met from day one as nobody knows what that looks like in practice and will not for some time as mistakes are made and cases are pursued by the Information Commissioner or courts. It would not hurt to hire experts to help give an indication of where schools need to improve their data handling processes, but it will be important to provide awareness raising training and education to all staff so that they are clearer on what good practice looks like. Schools should have the required officers in place, including an appropriate DPO. But the decision about hiring a data expert should reside with the head, their IT management groups and their data protection officer.
Can schools still use old data (pre-GDPR) for marketing and fundraising purposes?
It would depend on the basis upon which the data was originally collected and whether it was clear to the data subject that their data would be used in the way that is proposed moving forward. Schools should look at the legal bases and make sure that they meet the consent requirements for handling contact data: were the purposes clearly identified? Was the consent a positive action and freely given? For example, did the school ask people to tick a box to say they had consented to having their contact details used for marketing or fundraising purposes? If people had to untick a box, or were told that the data would be used and were not given a choice in the matter, this is unlikely to meet the test for consent that GDPR now requires. Schools should seek advice from their DPO and legal teams about this point in particular and the legal bases under which they can process data.