Head to Head

New Data Protection Rules: What you need to know and what you need to do

1.    What is data protection and how does it impact on schools?

Data protection laws are designed to empower people to control their own ‘personal data’ and protect themselves from abuse. Comprehensive data protection laws already exist in the UK in the form of the Data Protection Act 1998 (“DPA”). However, the General Data Protection Regulation (“GDPR”) is set to come into force on 25th May 2018 which will change the way in which data is managed, including in schools.

2.    What is ‘personal data’?

Like the DPA, the GDPR applies to ‘personal data’. However, the GDPR’s definition is more detailed and makes it clear that information such as an online identifier – e.g. an IP address – as well as the more traditional types of personal data e.g.  names, addresses, phone numbers, pupil numbers, etc  can be personal data. The more expansive definition provides for a wide range of personal identifiers to constitute personal data, reflecting changes in technology and the way information is collected about people.

Schools will hold personal data on a number of different individuals: pupils, parents/guardians, teachers, support staff, etc. The individual on whom you hold personal data (the ‘Data Subjects’) has certain rights in relation to such personal data. For schools the change to the definition brought by the GDPR should make little practical difference in relation to keeping HR records, pupil/parent details, educational records, etc.
The ICO have a useful guide for determining what constitutes personal data under the DPA: https://ico.org.uk/media/1549/... . You can assume that if you hold information that falls within the scope of the DPA, it will also fall within the scope of the GDPR.

3.    What are the big changes for schools under the GDPR?

Whilst the basic rules in the GDPR will be familiar from the DPA many of them are significantly tightened up.  A few key changes to watch out for include:

•    Data Breaches - There are new duties to report data breaches to The Information Commissioner’s Office (“ICO”) and in some cases directly to the affected individuals (most likely the child’s parents) within 72 hours of the breach occurring or the school becoming aware of the breach (whichever is earlier). All schools will have to adopt internal procedures for detecting, reporting and investigating a personal data breach.

•    Accountability - It will not be enough that you comply with the data protection rules. The GDPR requires that you be able to demonstrate compliance. The ICO will expect you to be able to “show your workings” if asked. This could take the form of well documented policies and procedures but your school should also treat privacy of data as a front runner in any current or new projects and not just as an afterthought.

•    Fines - The ICO will be able to impose fines of up to 20 million Euros. The financial cost of non-compliance is only part of the picture. Expect the ICO to do much more “naming and shaming”. Affected Individuals can also sue direct for compensation – both for actual damage or loss they suffer, and also for distress caused.

4.    What rights do the people we hold data on have?

As mentioned above, the Data Subjects on which you hold personal data have certain rights which have been increased and strengthened under the GDPR.
The key legal rights for Data Subjects under the GDPR include:

•    The right of subject access; •    The right to information;
•    The right to have information erased (also known as “right to be forgotten”);
•    The right to prevent automated decision-making and profiling;
•    The right to object to certain processing;
•    The right to have inaccuracies rectified; and
•    The right to data portability (In brief schools will have to provide requested information electronically and in a commonly used machine-readable format e.g. a Microsoft word document)

5.    How long should I be keeping personal data for?

It is not compliant to hold all types of personal data for all time coming. Personal data should only be retained for as long as necessary. Personal data will need to be retained for longer in some cases than in others. How long you retain different categories of personal data should be adjudged on a case-by-case basis, subject to the local education authority’s policy, a recommended retention period table is set out in the table below to assist.  

At the end of the retention period, or the life of a particular record, it should be reviewed and deleted, unless there is some special reason for keeping it.

Record Type    Retention Period
Pupil Data
School Register / Roll Books    Indefinitely
Enrolment Forms    Hold until Pupil is 25 Years
Disciplinary notes    Never Destroy
Test Results – Standardised    Hold until Pupil is 25 Years
Psychological Assessments    Never Destroy
Accident Reports    Never Destroy
Child Protection Reports    Never Destroy
Interview Records For Staff
Interview Board + Marking Scheme
+ Board of Management notes
(for unsuccessful candidates)    2 years from the date the
position is successfully filled
Staff Records
Contract of Employment, Teacher Registrations, vetting Records, etc    Duration of Employment of the
 releevant individual plus 7 years
Accident / Injury at Work Reports    7 years
Management Records
Board of Management Agenda
& Minutes    Indefinitely
CCTV Recordings    30 days (in the event of a criminal investigation as advised by the investigating body)
Payroll & Taxation    HMRC require a 6 year period
after the end of the relevant tax year
Invoices / Receipts    7 years
Audited Accounts    Indefinitely

6.    What can I do to prepare?

There are a number of things you can do, here is a short list of some crucial preparations you can make:

•    do not to wait for the GDPR to come into force before you train your staff in data protection. All staff should receive basic data protection training with staff that access and process personal data regularly receiving advanced training;

•    obtain the local education authority’s policy;

•    contact your local education authority to see what support and assistance they can provide to your school;

•    carry out a gap analysis to see where your school falls short of the GDPR requirements and if required a data flow audit to identify where personal data comes in, is processed and leaves your school. This should put you in a good position to address any issues;
•    consider appointing a Data Protection Officer (“DPO”) who takes responsibility for data protection matters in your school;

•    review and adjust your existing data protection policies, subject access request procedures and all related documents to ensure they comply with the GDPR.  Any policies also intended to be read by children will have to be explained in clear non-technical language and in a way that can be readily understood by the intended audience.

•    Update your school’s Parent Handbook to let parents/guardians know of how your school complies with data protection legislation and details of any DPO.

The ICO has a fuller “12 Steps To Take Now” guide (https://ico.org.uk/media/16242... ) which should assist you and your school.

Stephen Grant is a corporate and commercial solicitor based in Wright, Johnston & Mackenzie’s Glasgow office with a special interest in data protection: srg@wjm.co.uk  or  0141 248 3434.