Key Issues for Compliance
Accountability
There are strong accountability obligations on data controllers to demonstrate compliance. Not just doing the right thing, but proving compliance with documentation, audit trails and a schedule of compliance and training.
Biometric and Genetic Data
Many schools use biometric data, for example for school lunches, and should note that the GDPR includes biometric and genetic data in the definition of special category data (sensitive personal data).
Breach Notification
Breaches that meet established criteria must be reported to the ICO within 72 hours. You must have a policy and procedures in place for handling incidents. Your employees and contractors need to recognise and comply with your procedures for reporting and investigating suspected incidents.
Consent
Consent must be clear, recorded and auditable. Consent should be ‘opt-in’. You must not force people to opt-out nor should you use pre-ticked boxes for consent. There must be a clear and evidenced route for withdrawing consent.
You should only ask for consent where the individual has a right to remove consent. If they asked you to, would you stop processing their data? Asking for consent is not the same as being clear and transparent with people about what you are doing with their data.
Contracts
New responsibilities are placed on data processors (contractors) but you still need to complete due diligence on your data processors. You must have written contracts in place and carry out regular contract monitoring.
Data Protection Officer
All schools must appoint a DPO and make their details known to staff, parents and pupils. The DPO must have easy and regular access to senior management (if they are not on the board) and have the authority to stop activities, and procure the resources they deem necessary to comply with data protection law. The DPO role has protections from dismissal.
The appointed DPO must have oversight of all reports and decisions being made to ensure data protection is appropriately covered, much like legal oversight or equality checks. The DPO must make decisions objectively and cannot hold a post that has a conflict of interest with the responsibilities of the DPO (eg not the head teacher or chair of governors).
Schools may choose to work together to appoint a DPO between them, appoint an individual themselves, or perhaps ask a legal firm to act as DPO and review and approve policies and procedures. The ICO has much guidance about what is required. The local authority is unable to act as DPO for a school.
Policies
There should be clear policies for handling personal data, such as a data protection policy, SAR policy, password and security policy and incident management policy. The council publishes all its data protection and information management policies on its website.
The council is undertaking a full review and revision of its information management (IM) policies, both to assure compliance with GDPR and to create a more user-friendly structure.
Privacy by Design
Privacy must be considered at the outset of projects and process changes (eg within business cases). Data Protection Impact Assessments (also called Privacy Impact Assessments) will be mandatory for some projects and will affect procurement of service providers and new systems. A DPIA is a tool which can help organisations identify the most effective way to comply with their data protection obligations and meet individuals’ expectations of privacy. An effective DPIA will allow organisations to identify and fix problems at an early stage, reducing the associated costs and damage to reputation that might otherwise occur.
Privacy Notice
The privacy notice (sometimes called a Fair Processing Notice or FPN) may be one document, or you may have different privacy notices for different types of data or data collection. You are likely to have at least one privacy notice on your website that contains details of the different types of processing you undertake and details of an individual’s rights.
A particular type of work may need its own privacy notice due to the complexities of the work, or you may have a verbal privacy notice or one designed to be more easily understood by those who have disability, impairment or sensory loss or English as a second language.
Record of Processing
You must hold a detailed record of all processing of personal data undertaken, which is updated regularly by those who know the processes. Production of a Record of Processing Activity (ROPA) may require a data mapping exercise so you know what you hold, why, and what you do with it.
Subject Access Requests (SARs)
The £10 fee is removed, and the time limit is reduced from 40 calendar days to ‘one month’ (30 calendar days). An extension of up to two months is available for complex or numerous requests. Schools must have clear processes for how someone can make a Subject Access Request and for handling SARs in a timely fashion.