There is concern that schools are not prepared for impending changes to data protection regulations and could therefore be at risk of large fines.
The new General Data Protection Regulations (GDPR) will come into force on May 25, 2018 and will replace existing data protection laws (the Data Protection Act 1998).
Data experts have said that the new rules represent the biggest change to how organisations process personal information in the last 25 years.
However, a snapshot YouGov survey of educational establishments has shown that only a fifth are aware of the changes.
The findings come after the NHS recently fell victim to the ransomware global cyber attack, when a virus infiltrated its outdated XP Windows system, blocking access to patient records.
The new GDPR rules apply to all businesses and organisations that use personal data.
The YouGov poll was commissioned by law firm Irwin Mitchell, which has warned schools that they will be affected by the GDPR. Joanne Bone, a partner and data protection expert at the firm, said: “Whether you have employee data, customer data or supplier data – if the data relates to an individual you will be caught by the new data protection laws.”
Key changes under the GDPR include:
- Compulsory notification of data breaches: data breaches which impact on privacy will have to be notified to the Information Commissioner, the UK data protection regulator, within 72 hours. There is an obligation to notify affected individuals in certain circumstances. Schools will need to monitor their systems to know whether or not there has been a breach. A breach might range from a parent database being hacked or a letter being put in the wrong envelope.
- Obligation to be more transparent in how personal data is used: schools will need to be open with individuals about what data they collect and what is being done with it.
- The right to be forgotten: individuals can require schools to erase their personal data and while organisations need to have a process to action this, the right is not wide-ranging.
- Increased rights given to individuals: the rights that individuals already have in relation to accessing the data that schools hold will be extended. Additional information will need to be provided and generally in a shorter timescale. It will also no longer be possible to charge a fee.
- Harder to obtain and maintain consents for marketing activity: not all use of personal data needs consent. However, consent will be harder to obtain and maintain under GDPR.
The GDPR contains new provisions intended to enhance the protection of children’s personal data. This includes privacy notices for children, which must be written in a clear, plain way that a child will understand.
The GDPR also states that parental/guardian consent for access to online services is required for children aged 16 and under. However, parental/guardian consent is not required where the processing is related to preventative or counselling services offered directly to a child.
A number of resources have been published by the Information Commissioner’s Office (ICO), including a “12 steps to take now” document and a GDPR self-assessment checklist.
Among the 12 steps to take now, the ICO recommends:
- Consent: you should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.
- Information you hold: you should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.
- Data breaches: you should make sure you have the right procedures in place to detect, report and investigate a personal data breach.
- Individuals’ rights: you should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
- Data Protection Officers: you should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. You should consider whether you are required to formally designate a Data Protection Officer.
Under the new rules, the maximum fine for certain data breaches in the UK will rise from £500,000 to €20 million.
Ms Bone added: “There are some additional challenges for the education sector, particularly as they are engaging with children and young people and they will need to tailor their processes accordingly. Another issue to be aware of relates to new technology including body cams in the classroom, which will create new challenges in terms of how data is stored.”
For more on the GDPR changes and guidance from the ICO, visit https://ico.org.uk/for-organisations/data-protection-reform/
For details on the Irwin Mitchell/YouGov findings, visit www.irwinmitchell.com/gdpr-2018