GDPR (General Data Protection Regulation) is a European Union (EU) law that came into effect on 25th May 2018. UK GDPR governs the way in which organisations can use, process, and store personal data. It applies to all organisations within the EU, as well as those supplying goods or services to the EU or monitoring EU citizens.
So how does UK GDPR work for schools, how can they stay UK GDPR compliant, and what are the risks of non-compliance?
In this Article
- What is the difference between personal data and special category data?
- What does GDPR mean for schools in the UK?
- How can schools become UK GDPR Compliant?
- Things to keep in mind about data processing
- What are the risks of non-compliance?
- Data Processors and Data Controllers: their role in schools
- At what age must students be consulted about the processing of their data?
- Data breach at a school: steps to be taken
- How schools can work with the ICO
- What is the data protection officer's role?
What is the difference between personal data and special category data?
Any information that can be used to identify a person or their family is considered personal data. This would include their name, address, contact information, disciplinary history, as well as their grades and progress reports in school records. Even if an individual chooses to make this information public, it remains ‘personal’.
Special category data requires a high level of protection due to its sensitivity. Racial or ethnic origin, political or religious convictions, genetic or biometric data, mental or sexual health, sexual orientation, and trade union membership are examples of this type of information.
What does GDPR mean for schools in the UK?
When it comes to the UK GDPR, the education sector has it tougher than most, because children's data needs special protection, and schools and colleges generally operate on low budgets, making it difficult to hire a professional data protection team.
UK GDPR requires schools to be more accountable for the information they collect. Therefore, any processing that falls outside usual school procedures will require the student's full consent, particularly if the data is handled by a third party.
How can schools become UK GDPR Compliant?
When working toward UK GDPR compliance, there are a few key steps to remember. To begin, you must familiarise yourself with the UK GDPR legal framework. Make sure you understand the laws in place and the consequences of failing to meet the relevant requirements, which include the following rights:
- Right to be informed
- Schools must ensure all staff and students are aware of UK GDPR, how data is collected and stored and the implications of a breach.
- Right to give consent
- Schools should have systems in place that gather parental consent for data processing and also verify individuals’ ages.
- Right to know where your data is stored
- The school must provide visibility on what software is being used for teaching and data collection, such as teaching apps.
- Right to rectification
- The school must give the student the ability to request changes to his or her personal data if he or she believes it is out of date or inaccurate.
- Right to erasure/right to be forgotten
- The school must give the student the ability to ask for the deletion of their data. This will generally apply to situations where the student's relationship has ended with the school.
- Right to restrict processing
- A student can exercise this right to request that a decision about them (for example, a loan request) be reviewed by a person, because they believe that automated processing would not take their individual situation into account.
- Right to data portability
- The school must allow the student to request that his or her personal data be relocated. The student may request that his or her personal data be returned (to him or her) or transferred to another controller as part of such a request.
Additionally, because schools are considered public authorities under UK GDPR, they are obligated by law to hire or appoint a Data Protection Officer.
Things to keep in mind about data processing
All organisations, including schools, can process data provided that they document a legal basis for doing so. These bases are, in many cases, very broad and will almost certainly align with your data processing practices under the UK GDPR’s predecessor, the DPA (Data Protection Act) 1998.
For schools, most processing can be justified on the grounds of public interest. This refers to any activity that is necessary to carry out a specific task that ensures the welfare of the general public or to exercise official authority.
What are the risks of non-compliance?
Being UK GDPR compliant is crucial when it comes to protecting students' data.
To avoid data breaches that put the security of both teachers and students at risk, schools must understand that complying with UK GDPR is extremely important.
Failing to comply with UK GDPR can lead to a serious data breach, which could result in:
- Heavy fines
- Warnings and reprimands
- Temporary or permanent bans on data processing
- Rectification, restriction or erasure of data
Legislation such as the UK GDPR means that named individuals within the school are accountable, which keeps them alert and committed to compliance. As a result, many schools have put strict data protection policies in place and have briefed their staff on these policies.
Data Processors & Data Controllers: Their role in Schools
Handling personal data under the UK GDPR is divided between two roles, and each has very different responsibilities.
In most data processing activities, the school will be the data controller. The data controller decides whose information to collect, what types of data are needed, and why that data is necessary.
Data controllers must also decide:
- Whether the information will be shared with a third party and, if so, what that third party is.
- When and where a student's rights apply and how students can exercise those rights.
- How long the data will be kept in the school's possession and whether that is the correct amount of time.
- Whether to make any changes to the data on a routine basis, and if so, which data the changes will apply to.
Data processors, by contrast, are the people or organisations handling personal data on behalf of the data controller. They are responsible for activities such as:
- Handling the logistics of data processing activities.
- Making sure that all personal data of students is stored safely.
- Putting into place necessary controls for personal data transfers.
- Erasing personal/special category data when it is no longer needed.
The data processor in this case may be a third-party data protection officer (DPO) that the school has hired as an individual/team or a data privacy company such as DataGuard.
Both data controllers and processors can face severe consequences in the event of a school data breach, as both parties are equally accountable for complying with UK GDPR.
Therefore, when schools hire a third-party data processor, it is important that they put in place a legal contract that lays out how the data processor will meet the school's requirements.
This gives both the school and the third party a clear, shared understanding of what is expected of each of them.
At what age must students be consulted about the processing of their data?
The UK GDPR states that schools cannot legally obtain consent from minors. If the student is a minor, the school must take it upon itself to obtain consent from a parent or guardian of the minor. The school must also make efforts to verify that the said parent or guardian does in fact hold parental responsibility for that minor.
In the UK, a minor is considered to be a person below the age of 13. Therefore, if the student is 13 years or older, the school must obtain the student's consent. However, consent from students below the age of 18 must be requested in writing in a clear and understandable manner.
Data breach at a school: steps to be taken
According to the UK GDPR, if a school learns that a data breach has occurred, the first thing the school must do is assess the severity of the breach.
If the breach poses a risk to the rights of any individual, for example where it may affect someone financially, economically or socially, it must be reported to the Information Commissioner's Office (ICO) and the situation must be investigated immediately.
But how do you determine if any of the above has occurred? Here are a few pointers to keep in mind:
- Financial loss
This applies to data such as staff and student banking information or staff payroll information that has been breached.
- Social damage
This applies when special category data is breached, such as staff and students' special needs information, students' behaviour information, students' child protection information, staff pay scale and payroll information, and students' academic information.
- Identity theft or fraud
This applies when data such as names, dates of birth, home addresses and completed student progress sheets are breached.
- Reputational damage
This applies when data such as staff or pupil performance management records, as well as child protection records are breached.
Since the ICO must be notified immediately after a data breach, let us look at how schools can make the process quicker and more efficient, and be ready to act accordingly if a breach does occur.
How schools can work with the ICO
If the school concludes that the breach meets the notification requirements, the school has 72 hours from the time the breach was discovered to report it to the ICO.
Schools must provide a detailed document about the breach, including the following points:
- How big the damage was.
- When, how, and who first discovered the breach.
- What time the breach happened.
- What kind of data protection training the staff or third-party has received.
- Whose data has been breached and is at risk.
- How the school is responding to the breach.
The ICO will not expect you to provide a long and comprehensively detailed analysis, because you only have 72 hours after discovering the breach to notify them. However, you must provide as much information as you can about the damage that occurred.
Once you have notified the ICO, they will confirm the school's breach, and it will be actively looked into alongside other active breaches. The school will be kept in the loop so that it knows whether the investigators are satisfied with the school's actions.
What is the Data Protection Officer's role?
The main responsibility of a DPO is to ensure that the personal data of an organisation's employees, customers, providers and, in this case, students is processed in accordance with the applicable data protection regulations.
The responsibilities of a DPO were recently published in Article 39 of the UK GDPR. They are as follows:
- Mediating interaction between the organisation and the appropriate regulatory agencies.
- Educating all staff on the UK GDPR's requirements.
- Keeping track of all data processing activities that take place across the organisation.
- Communicating with students to inform them of how the organisation stores, secures and uses their personal information.
- Communicating all data protection procedures to employees, parents, and students.
- Responding to requests for copies of personal data or, when required, for the erasure of data.
Data Protection Officers help schools to:
- Learn everything there is to know about the personal data kept by the school, how it is stored, and how it might be used.
- Fully adopt a strong data security policy.
- Provide UK GDPR and data protection training for all employees.
- Work with the relevant authorities to make sure the organisation complies fully with UK GDPR.
A thorough and efficient DPO, whether internal or external, must make sure that UK GDPR compliance is always met when obtaining, storing and changing students' and staff's personal data.
A DPO’s role is ever-changing with technological advances in data protection. Therefore, it must be understood that the ideal DPO must be tech-savvy, law-oriented, and willing to further educate themselves on the topic of data privacy and protection.
We hope that this guide has provided you with a better understanding of the importance of data protection in schools, the impact of UK GDPR on your school, and how to enhance and execute your school's data protection policy and UK GDPR compliance.
Take action now to become UK GDPR compliant and protect yourself against data breaches. We assist organisations and startups with issues such as Privacy by Design and Default and data transfers with third-party service providers.
Schedule a call with one of our GDPR experts today to ensure GDPR compliance for your school.