Spring 2019
www.npw.uk.com
Data Digest NEWHAM PARTNERSHIP WORKING
TERMLY
New Year, New ‘Digital’ Me Happy New Year from the Data Compliance Team! Have you considered a ‘Digital Detox’?
More so than ever before, individuals are better informed and are clearing out apps and shutting down accounts. This is in an effort to regain control of their digital self and sever ties with those who don't treat their data with proper, lawful respect. Consider this along with all those other new year resolutions!
www.npw.uk.com
NPW’s Data Digest - Spring 2019
Subject Access Requests, should we be scared? By Sat Singh
At a time when school budgets are
system, this is a use for which email
increasingly stretched, the sheer
was never intended.
amount of time which a flurry of SARs can take to fulfill is burdensome to the extreme. The primary business of schools is education and rightly so this should be prioritised. That said, conflicting demands are being made on already drained resources. The General Data Protection Regulation makes no allowances for schools, they are held to the same stringent legislation as multinational
conglomerates. Personal data is often held within a multitude of systems, this in itself is not an issue, it’s very rare for any organisation to have only 1 or 2 systems which use personal data. The issue comes from the ability of the school to be able to service the right of access within a timely manner. Can you be sure that if The current data protection regime
your school were to receive an SAR
in Europe is the most rigorous in
tomorrow morning that it could be
the world. Individuals have been
fulfilled according to all the
granted greater control over their
demands of the regulation?
personal information than ever before. As expected, data subjects are now exercising their rights following awareness campaigns by the Information Commissioner's Office (ICO). Arguably, the greatest challenge for schools stems from the right to access data, commonly referred to
as subject access requests (SAR).
SARs must be responded to within 1 month of receipt, irrespective of workload, OFSTED visits, parents evening, sports days, school holidays and even that vitally important staff bowling night out.
sometimes these are staff and pupils.
missed deadlines, inappropriate redaction etc.
efficient way of retrieval when considering SARs. We have seen school’s faced with over 5,000 emails containing the personal data of a requester. A sage piece of advice would be to only document opinions and thoughts which you wouldn’t mind
being exposed to the person in question. Bob Hoskins old BT advert ‘It’s good to talk’ rings true over 20 yrs later! Due to increased public awareness, I expect to see a rise in SARs to schools. An unintended consequence of the ICO’s awareness campaign has seen the weaponisation of SARs in order for disgruntled staff, pupils or parents to cause disruption. A word of warning, always refer to your data retention schedule so you can be sure if personal data can be destroyed. If you don’t need to retain personal data this should be securely destroyed. If you don’t hold personal data then you cannot provide it in a SAR, this is by far the best scenario.
disgruntled data subjects,
50% of the complaints which they
can be based on ignored requests,
which there is no real adequate or
SARs, often these are from
sometimes these are parents or
relation to SARs. These complaints
personal data held in a system from
Many of our schools have received
The ICO recently revealed that over receive regarding schools are in
The result is vast amounts of
If you would like to find out how NPW can help you with a SAR issue or any Data Compliance service
Emails are by far and away the most problematic store of personal data for schools. Over time, emails
related query contact us at dpo@npw.uk.com or 0208 249 6900
have transformed from being a messaging system to a data storage
2
NPW’s Data Digest - Spring 2019
www.npw.uk.com
What do they know about our children? The children’s commissioner has published a report looking how vast amounts of children’s data is collected. This is information about children growing up which often the child and parents are unaware of, and the ways in which it might shape their lives both now and in the future as adults. Click here to view the report.
Quick wins The following are a few quick data protection tips… 1. To lock your computer, hold down the Windows key together with the letter ‘L’
2. If you use Gmail and accidentally send an email, there is an option to cancel the send within a set period of time the undo option which appears at the bottom of the screen. Click Settings to set a cancellation period between 0 and 30 seconds. After sending the email, you have a maximum of 30 seconds to use:
3. Don’t use single dictionary words for passwords as these can be very easily cracked. A more secure alternative would be to use 3 dictionary words together with numbers or special characters and to associate an image in your mind with the password e.g. doghairpink99
3
NPW’s Data Digest - Spring 2019
www.npw.uk.com
Brunch & Discuss We had a great turnout for our second Brunch & Discuss data protection user group session in November. Let us know if you have any suggestions or topics which you’d like to see covered. Don’t forget our next session will be held on Tuesday, 12 March 2019 at Francis House.
Gangs Matrix We briefly discussed the Met’s Gangs Matrix at the last Brunch & Discuss user group in relation to data protection and privacy concerns. Click the following link for details of the recent review by the Mayor of London’s office... https://www.theguardian.com/uk-news/2018/dec/21/metropolitan-police-gangs-matrix-review-london-mayordiscriminatory
Headteacher prosecuted for previous school’s data The ICO has conducted an investigation into a Headteacher who was found guilty in court for unlawfully processing data which he had obtained from two schools where he had previously worked. He had uploaded large amounts of sensitive data on to a USB stick and could not provide a satisfactory explanation. Click the following link to view the ICO’s findings...
https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2018/12/former-headteacherprosecuted-for-unlawfully-obtaining-school-children-s-personal-information/
4