Data protection for boarding schools
Ben Collingwood Barlow Robbins Solicitors
“Barlow Robbins are intelligent, thoughtful and considered. They are very clear in giving advice with a strong sense of judgement, rather than sitting on the fence.� Chambers UK, 2017
www.boarding.org.uk
Contents 1
INTRODUCTION
2
THE EUROPEAN LAW Proposed European reform
3
DATA PROTECTION ACT 1998 Dramatis personae What is “personal data”? What is “sensitive personal data”? Data protection principles
4
DATA PROCESSING Data security Record keeping Independent Inquiry into Child Sexual Abuse
5
DATA SUBJECT ACCESS REQUESTS Rights and obligations Reasonable search Third party data Exemption DSAR made on behalf of a pupil
6
CONSEQUENCES OF BREACH ICO Court action Reputation
7
OTHER MATTERS Education (Pupil Information) (England) Regulations 2005 Freedom of information Act 2000
8
LEGAL ADVICE
1 Introduction Boarding schools inevitably process large amounts of personal data belonging to pupils, parents, employees and others. The processing of such data is closely regulated and the risks of non-compliance can be significant. This Briefing Paper is intended to provide an overview of the regulatory framework and to provide some tips and practical examples of situations which are regularly faced by independent boarding schools. The same matters will be relevant to state boarding schools, which will also be subject to additional regulation by virtue of their state maintained status. This Briefing Paper is intended to be a helpful reference guide to both independent and state boarding schools. It is intended to present a summary of some key issues in plain language and without over- complicated legal jargon or content. This Briefing Paper should not be viewed as a substitute for obtaining legal advice as much will turn on the facts of a particular matter.
2 The European Law The data protection regime has its origins in the European Union’s Data Protection Directive (1995) which is required to be implemented into the law of member states. The relevant domestic implementing legislation is the Data Protection Act 1998. Proposed European reform The European Commission has proposed a data protection reform, in the form of the General Data Protection Regulation (“GDPR”), to enable European organisations and citizens to participate more fully in the global digital single market. The GDPR seeks to establish better protection of personal data in the global digital environment by establishing: • A single pan-European law for data protection;
• A single supervisory authority, accessible via our domestic data authority; • The same rule for all who operate in the EU.
New rules will intend to strengthen citizens’ rights and confidence in data security, particularly online. Proposed changes to the rules include:
• A right to be forgotten – Where an individual no longer wants their data to be processed, and there is no legitimate reason to retain it. This will not be a right to erase events, and it is not intended to override freedom of expression or freedom of the media.
• Easier access to data – A right to data portability will make it easier for individuals to transfer their personal data between service providers. • Greater control – When an individual’s consent is required to process data, they will be asked to give it explicitly, so that it cannot be assumed. Organisations will also be required to inform individuals about serious data breaches which may affect them.
The European Commission purports to be prioritising this data reform in 2015 and we therefore await developments which will affect our domestic regime. The UK Government is critical of the inflexible nature of some reform proposals and argues that member states should be permitted more flexibility. Boarding schools should be mindful of their obligations, risks and practical procedures under the existing regime to be better prepared for any increased burden of regulation which may follow reform.
3 Data Protection Act 1998 (“DPA”) The DPA sets out rules which govern when and how personal data may be processed. Dramatis personae “Data subject” = the individual who is the subject of the personal data. Boarding schools will deal with data subjects in the form of: pupils; parents; staff; alumni; contractors; suppliers etc. • “Data controller” = the school, which is responsible for the fair and lawful processing of the data. • “Data processor” = the individual processing the data e.g. Bursar; Head; Registrar; payroll bureau etc.
Schools should appoint a senior member of staff to oversee data processing and should ensure that this person benefits from relevant training. However, the School will remain responsible as the data controller. What is “personal data”? Over the years, the courts have developed their understanding of what information would constitute personal data. The prevailing view, which is favoured by the Information Commissioner’s Office (“ICO”), is that personal data are data which relate to an individual who can be identified from that data or from that data and other information which is in, or is likely to come into, the possession of the data controller. There is a common sense understanding that data which identifies an individual, even in a relatively benign or innocuous way, is likely to be personal data. Information does not need to be confidential to constitute personal data.
Personal data may include:
• Information held in a pupil file e.g. personal contact details of pupil/parents, education records, marks/scores, information about family circumstances etc.; • Information held in a personnel file e.g. staff personal details etc.; • Data contained in emails;
• Expressions of opinion about the individual e.g. personal views concerning the conduct, capability or character of an individual e.g. a member of staff; • An indication of the school’s, or any other person’s, intentions in respect of an individual; • Etc.
The ICO has issued guidance to assist schools in determining whether information constitutes personal data in circumstances where this may not be clear. Information is likely to be personal data if: • In cases where it is not immediately obvious whether a person can be identified, the information is the means the data controller is likely to use to identify the person;
• The information relates to the person, or has the potential to impact on the person, in his/her personal or family life, business or profession; • The information is used to inform or influence the data controller’s actions or decisions affecting the person;
• The information focuses or concentrates on the individual rather than some other person. For example, information about a family breakdown/divorce may constitute personal data of the parents and/or their child.
What is “sensitive personal data”? The DPA defines sensitive personal data as data relating to the data subject’s: • Racial or ethnic origin; • Political opinions;
• Religious beliefs, or beliefs of a similar nature; • Membership of trade unions;
• Physical or mental health or condition; • Sexual life;
• Commission or alleged commission of an offence, and/or any proceedings in relation to any such offence. There is broad scope for boarding schools to need to process sensitive personal data in relation to both pupils and parents, e.g. in connection with: • Health e.g. of pupils/staff;
• Religious beliefs e.g. of the family/staff;
• Race or ethnicity e.g. of the family/staff;
• Sexual life e.g. marriage/civil partnership status of parents/staff; pupil relationships. Data protection principles Schedule 1 of the DPA sets out eight “Data Protection Principles” which pervade a school’s responsibilities. In simple terms, if the school is to process data, personal data shall be: 1. Processed fairly and lawfully, AND: • At least one of the conditions for processing in Schedule 2 is satisfied – these include: • the data subject has given his consent to the processing; or
• the processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party/parties to whom the data are disclosed, except where the processing is unwarranted in any case by reason of prejudice to the rights freedoms or legitimate interests of the data subject; or
• other conditions are listed, but the above may be most frequently relevant to boarding schools;
• In the case of sensitive personal data, at least one of the conditions for processing in Schedule 3 is met – these include: • The data subject has given explicit consent to the processing of sensitive personal data; or
• Other conditions are listed, but the above is most frequently relevant for schools.
2. Obtained only for one or more specified and lawful purposes;
3. Adequate, relevant and not excessive in relation to the purpose(s) for which they are processed; 4. Accurate and, where necessary, kept up to date;
5. Kept no longer than is necessary for the purpose(s);
6. Processed in accordance with the rights of data subjects under the DPA;
7. Protected by technical and organisational measures against unauthorised or unlawful processing and against accidental loss, destruction and damage;
8. Prohibited from being transferred to a country outside the EEA unless that territory ensures adequate protection of personal data. Tips and practical examples: • While the best way to ensure fair and lawful processing is to obtain the data subject’s consent (or explicit consent in the case of sensitive personal data), the absence of consent is not necessarily a bar to processing, depending upon whether one or more of the other stated conditions for processing applies. In the absence of consent, the school should consider a balancing exercise between the rights of the data subject and the legitimate interests of other parties, for example. • This is often a complex and technical process and schools should ensure that they obtain specialist legal advice.
4 Data processing When the school obtains, records, uses, discloses or erases any personal data, this is likely to constitute “processing” of personal data. The mere holding of personal data on a computer or other structured filing system is likely to constitute processing. For the purposes of the DPA, a “relevant filing system” is any set of information relating to individuals that is structured in such a way that the specific information relating to an individual is readily accessible i.e. any organised filing system. This will include: • Email inboxes
• Any information held electronically on a computer • All school databases, SIMS or iSAMS data etc.
All such personal data would be disclosable to a data subject (see DSARs below). The school should inform staff, parents and pupils what personal information will be processed and why. This may sensibly be communicated in a “fair processing policy” or “privacy notice”. As set out above, the Data Protection Principles require “fair and lawful processing”. The easiest way to ensure that the school’s processing is fair is to obtain the data subject’s permission to process their personal data. Tips and practical examples: • Contract of employment – obtain consent to process personal data and explicit consent to process sensitive personal data relating to the employee. Registration Form & Parent contract – obtain consent to process personal data and explicit consent to process sensitive personal data concerning pupils and parents, in the Registration and Acceptance Forms.
• Photographs / videos – these identify individuals so the data protection principles apply to the school’s use of pictures.
• The school wishes to video the school play – the school may express its intentions in the parent contract and its fair processing notice stating that it will photograph and video pupils, unless parents object in writing. On the night when the play is to be recorded, the child of any objecting parent may be removed from proceedings.
• What if parents are recording the play? The parent would be the data controller for those purposes. It would be a matter of policy whether the school permits parents to bring devices to record the play. • The school wishes to post photographs of an expedition on its social media channels – Do all staff know which parents have objected to their child being photographed? Designate a teacher to be photographer and/or social media editor with photograph/video screening responsibilities. Ensure this designated teacher has details of parents who have objected.
• A photograph in the school prospectus will probably have been processed if appropriate consent was obtained in the parent contract etc. and there was a legitimate interest in the processing (e.g. promoting the school). If the parents later withdraw consent to process that data, it would not be necessary to destroy all existing copies of the prospectus, because that image had been fairly processed at the time, and it is not the right of the data subject to destroy historic records. However, it would not be appropriate to process the image in any new draft of the prospectus. • Inform staff, parents and pupils if the school records CCTV footage, why this is done and how long the footage it retained for.
• Train staff and governors in the basics of information governance.
• Recognise when third parties are processing personal information for the school and require them to do it securely e.g. payroll bureau, contractors, photographers. • Retain specialist professional advisers for technical advice and support.
Data security The protection of data (data protection principle 7) is paramount for schools due to the volume of data being processed, and the impact that a security breach would have on the school’s reputation. Data security relates to the physical security of files and buildings. It also requires secure IT infrastructure. Tips and practical examples: • Schools should require staff to use strong passwords. • Schools should carefully consider the use of mobile devices. If mobile devices are being used, encryption software must be considered. This would involve significant investment and a careful risk assessment.
• The ICO takes the view that, if a school is reluctant to incur the cost of encryption of mobile devices, the school should question whether it is necessary to use mobile devices at all. The ICO asserts in terms that it would take a very dim view if a school were to lose unencrypted data on a mobile device such as a CD or USB data stick. • Most schools would take the view that it is better to incur the cost of encryption than the potentially high cost of a penalty (see below) and damage to the school’s reputation.
Record keeping The basic position is that data should not be retained for longer than is necessary for the purpose for which the data is retained (data protection principle 5). There is little clear guidance regarding duration of retention of staff or pupil files whether in normal circumstances or where there may have been allegations of abuse. Tips and practical examples: • In our experience, the ICO, DfE and the National College of Teaching and Leadership have confirmed that this is a matter of policy for individual institutions.
• In accordance with general data protection principles, it would be reasonable to retain staff files in normal circumstances for 6 years, which is the limitation period for most claims of breach of contract and negligence.
• Where there may be allegations, which are not shown to be malicious, several safeguarding boards recommend that the teacher’s personnel file is retained until the staff member reaches normal retirement age (e.g. 65). The National College of Teaching and Leadership has indicated anecdotally that it retains records of notifications for 50 years. • Retention of pupil files – for the purposes of a claim brought by a child, the limitation period does not start until the child’s 18th birthday, so retention for a period of 6 years from that date, or until the pupil reaches age 25 would be reasonable. • Where there is a child protection file in respect of a pupil, this should be kept separate from the pupil’s main file. When the pupil moves on from school, the child protection file would be forwarded to the next school. Once received by the new school there would be no need for the file to be retained by the previous school under the basic data protection principles.
• A recent High Court decision indicates that a school’s policy to retain child protection files for a period of 35 years after the case closure was lawful. The purpose of the file retention was not viewed as solely to protect the school against claims of negligence. The Court considered that files would also be required for people to access in later life to discover their life story and identity, and in the wider public interest for public inquiry into child abuse and criminal investigations where six-year retention would be inadequate to preserve evidence. The High Court did not provide guidance on specific appropriate retention periods. • Schools should review their data protection policies, clearly setting out their approach to retention of child protection files, striking a balance between retention timescales and intended purposes of retention (e.g. those outlined by the court above) and explaining the advantages of the stated retention period. • School medical records should be passed to the new school as soon as possible.
5 Data subject access requests Independent Inquiry into Child Sexual Abuse Recent guidance issued by the Independent Inquiry into Child Sex Abuse indicates that any failure without reasonable excuse to comply with an order issued by the Inquiry to produce documents is an offence punishable by imprisonment. It is also an offence to destroy or tamper with evidence which may be relevant to the Inquiry or prevent it being disclosed to the Inquiry.
Rights and obligations An individual has the right under the DPA to make a data subject access request (“DSAR”) to a data controller to obtain disclosure of their personal data.
IICSA therefore requires preservation of records which are relevant to the Inquiry for if necessary to assist the Inquiry. Such retention at the request of the Inquiry would not contravene a school’s duties under the DPA, provided such information is restricted to that necessary to fulfil any potential duty the school has in relation to the Inquiry.
The data subject is entitled to receive:
Technically, therefore, this requirement to retain records relevant to the Inquiry indefinitely may be viewed as only relating to staff or pupil files where there have been concerns raised. However, schools must exercise caution and would be well advised to suspend all destruction of records until the Inquiry is concluded, or at least until more is known about what may be required of schools to assist the Inquiry.
A DSAR should be made in writing. The intended statutory purpose of the DSAR is to enable a review of the personal data to ensure its accuracy. • Confirmation of whether his personal data is being processed; • A description of the personal data;
• Confirmation of the purposes for which it is being processed;
• A description of the recipients to whom the data may be disclosed; • Any information available to the data controller as to the source of the data.
The ICO Subject Access Code of Practice states that the data controller: • Must comply with requests promptly and in any event within 40 days of receipt of the request;
• May charge a £10 administration fee. If this fee is levied, the data controller will have 40 days to respond from the date payment is received;
• Must provide information in an intelligible form, unless this is not possible or would involve “disproportionate effort”; • Must conduct a reasonable search for the data; • Must keep a record of DSARs.
Tips and practical examples: • While a DSAR should be made in writing, individuals often make such requests orally. The school is not obliged to respond to an oral request, but it may do so if it is satisfied as to the identity of the data subject. Alternatively, the school may prefer to inform the data subject of the requirement for the request to be made in writing and then to consider any written DSAR which follows.
• There is no requirement for a DSAR to describe itself as such, nor to mention “subject access” or the DPA. Therefore, schools must be alive to recognise any requests from individuals for disclosure of personal information to avoid a failure to respond. • There is no requirement for the data subject to state their motivation for making the request. He may be fishing for disclosure of incriminating evidence while considering making a formal complaint or bringing any proceedings against the school. This is common when parents make a complaint under the school’s Complaints Procedure when seeking to avoid paying fees in lieu of notice, for example. Unfortunately, the school is not entitled to verification of the data subject’s motivation and it must respond to all DSARs. • The “disproportionate effort” exclusion only relates to the intelligible form of information provided. It is not a license to avoid disclosure of information at all. This exception only applies in the most exceptional circumstances. The data controller must balance the work/expense of providing the information in a form being so disproportionate/excessive to outweigh the data subject’s right to access it in that form. Even where the exception applies, it would be necessary to provide the data in some other way e.g. to allow the data subject to view the information at school under supervision.
• The school would be advised to respond to the DSAR in the form of a detailed disclosure letter, clearly setting out the information to which the data subject is entitled, enclosing any appropriate documents and a description of the data contained in them.
Reasonable search The data controller must conduct a reasonable search for the data subject’s personal data. The data controller must be prepared to make extensive effort to locate data. It is never reasonable to refuse a DSAR because the search would be labour intensive or inconvenient for the school. The data subject can make a blanket request for disclosure of “all the information you hold on me”, or he may formulate a more focused request. Tips and practical examples: • If faced with a broad DSAR for “all the information you hold on me”, the school may seek clarification from the data subject about the information sought e.g. the timeframe, context, or format of information sought. This may help to focus the school’s search. However, the data subject is not obliged to narrow his request in this way. • Electronic archives/backup measures have been created so that the school can access this information if necessary. As such, archives could be used to inform the school’s decisions and are potentially disclosable and should feature in the school’s search.
• Deleted data, which has been permanently deleted/destroyed/removed from electronic records, does not need to be reconstituted by the school simply on the basis that a forensic IT expert could do so. The data has been permanently deleted and could not, in normal circumstances, be accessed by the school to inform its decisions.
• “Deleted items” stored in the deleted emails section of a staff email inbox have not been permanently deleted. They are accessible and should feature in the school’s search.
• Personal devices belonging to staff or governors do not normally need to be included in the school’s search. That is unless a member of staff or governor has been processing data on a personal device actively on the school’s behalf e.g. where a governor has been appointed to a staff disciplinary panel, or a parent complaint panel – whereupon the governor’s personal device, email inbox etc. should probably feature in the school’s search.
• As discussed above, expressions of opinion or the school’s intentions regarding an individual are likely to constitute personal data, so the school should be extremely cautious in the processing of such information, particularly when considering acting in respect of staff or pupils in circumstances where the school would not want that individual to ever see those communications. Careful thought should be given before any such information is processed in writing in case it may be disclosable to the data subject. It may be prudent to restrict the matter to confidential verbal discussion, or email correspondence which is copied to the school’s lawyer with the intention of obtaining legal advice on the matter, to ensure that the communication is protected under legal advice privilege. Privileged communications would usually remain confidential between the school and its lawyer.
Third party data Personal data belonging to a third party, other than the data subject making the DSAR, should not be disclosed unless the third party has consented to the disclosure, or it is reasonable in all the circumstances to disclose the data without the third party’s consent e.g. if the third-party information is already known to the data subject making the DSAR, it may be reasonable in all the circumstances to disclose it.
Tips and practical examples: • Data subjects are entitled to see “data”, not documents. • Disclosure of documents may be the simplest and most efficient way of providing the information requested.
• It is possible to redact information relating to third parties from such documents to avoid disclosure of third party data without consent.
• If it is not practical/possible to redact a document, or if disclosure of an original document may reveal the identity of the author whose identity should remain confidential, it may be possible to type a summary of the personal data contained in the document and to provide this to the data subject making the DSAR.
Exemptions Not every piece of data must be disclosed in response to a DSAR. A reference which the school gives to a subsequent school in confidence for an individual’s education, training or employment is exempt from disclosure in a DSAR made to the school. A similar reference which the school receives from a previous school is not exempt from disclosure in a DSAR made to the school. Normal data protection principles and disclosure rules apply. Details of the author of the reference (e.g. the Head of the previous school) would constitute third party data, so the school should check with the author whether he/she objects to disclosure of the reference. If the author of a reference objects to disclosure of the reference to the data subject, the school should consider his/her reasons for objecting and weigh these reasons against the rights of the data subject. A data subject would be entitled to disclosure of examination scores, but the examination scripts themselves are exempt from disclosure.
Information which might cause serious harm if disclosed would be exempt from disclosure. Information which reveals that a child is at risk of abuse would also be exempt. Tips and practical examples: • The school’s safeguarding duty always overrides its data obligations. DSAR made on behalf of a pupil Personal data regarding a pupil is the property of the child, regardless of his/her age. It is the child’s right to request disclosure of their personal data in the form of a DSAR. Parents of children who are considered too young to have sufficient capacity to exercise their own rights may exercise data rights on behalf of their child. Whereas, a child who does have capacity to exercise his/her own rights may instruct a third party, e.g. parents, to make a DSAR on his/her behalf. ICO guidance suggests that the age at which children may normally be considered to have capacity is 12 years.
Schools sometimes express reservations about responding to parents who submit a DSAR in respect of an older child. The school should take account of all considerations, for example: • The nature of the data requested;
• Any court order regarding parental access to the child or information concerning the child; • The views of the child;
• Any possible detriment to the child if the parents do not obtain access to the information;
• Any possible consequences if the parents are granted access to the information e.g. where a child may have made allegations of abuse.
Tips and practical examples: • The school must balance the rights and wishes of the child against the rights of the parents.
• If the school is in doubt as to whether a child aged 12 or over has consented to a third party making a DSAR on his/her behalf, it should make further enquiry and if necessary obtain written consent from the child.
6 Consequences of breach ICO The ICO has the following broad powers:
• Power to issue an “Information Notice” requiring information from the school about its data processing; • Power to issue a “Special Information Notice” to check that data is being processed only for stated purposes;
• Power to issue an “Enforcement Notice” confirming actions required for the school to comply with the DPA; • Power to obtain a warrant for entry to the school and inspection of records; • Power to impose a fine up to a maximum £500,000.
Failure to comply with notices issued by the ICO is a criminal offence. A recent update to guidance issued by the ICO clarifies that financial a penalty would be appropriate where: • there has been a serious contravention of the data controller’s duty to comply with the data protection principles; • the contravention was of a kind likely to cause substantial damage or substantial distress; and • the contravention was deliberate; or
• the data controller knew or ought to have known that there was a risk that the contravention would occur and that it would be likely to cause substantial damage or substantial distress, but it failed to take reasonable steps to prevent the contravention.
Tips and practical examples: • A single breach may be sufficient to constitute a “serious” breach, but a case of multiple breaches is more likely to fulfil this requirement. The ICO gives the specific example of a failure to take adequate security measures such as encryption of data on a CD as an example of a serious breach (see data security above). • Both the likelihood and the extent of damage/distress would have to be considerable (e.g. in terms of importance, value, degree or extent) to fulfil the “substantial” requirement.
• “Damage” means any financially quantifiable loss.
• The ICO gives the example of loss of medical records leading a data subject to fear that his sensitive personal data will be made public in relation to “distress”. Mere injury to feelings or anxiety are not sufficient.
• Data controllers are expected to meet the standard of a reasonably prudent person when considering the risk of contravention. “Reasonable steps” would include risk assessments, policy, procedures and governance arrangements to prevent contraventions. • The more serious the breach, and/or the more serious the consequences, the more likely it is that there will be a financial penalty. The penalty is intended to be a deterrent and a sanction and the size of the penalty would need to reflect this intention.
Court action The civil courts have jurisdiction to order compensation for loss and/or distress suffered because of breach(es) of the DPA. Very few claims are made in the courts. The limited number of case decisions have shown that compensation awarded may typically be modest where there is no financial loss. The courts also have the power to order rectification, blocking, erasure or destruction of inaccurate data, and can require the data controller to notify third parties who have received the inaccurate data of the required rectification etc. Reputation In addition to the financial penalties and compensation outlined above, and perhaps most importantly for boarding schools, a breach of the DPA could cause very serious damage to the reputation of the school.
7 Other matters
8 Legal advice
While a data subject has the right to ask any school, whether independent or state maintained, for disclosure of their personal data under the DPA by issuing a DSAR, the following legislation only applies to state maintained schools, including state boarding schools.
As stated in the introduction, this Briefing Paper is intended to provide boarding schools with an overview and some practical tips to assist them in processing of personal data. It is not possible to cover all conceivable situations and queries in a briefing note.
Education (Pupil Information) (England) Regulations 2005 (“EPIE Regulations”) Under the EPIE Regulations, parents have their own independent right to a copy of their child’s education record. This would include any information about current and past pupils that is processed by or for a governing body or teacher, including a curricular record i.e. any formal record of a pupil’s academic achievements, other skills and abilities and progress in school.
It is ALWAYS wise to obtain legal advice when considering the school’s data obligations, particularly when faced with a query which you suspect may constitute a DSAR.
The education record would include communications about a particular child from the Head and teachers at the school, other employees at a local education authority, educational psychologists engaged by the governing body, or information provided by the parents or the child e.g. health information. The record does not include information retained by a teacher solely for their own use. Information which would be withheld from a child making a DSAR should not be disclosed to parents exercising their independent right under the EPIE Regulations. A School should respond to a request under the EPIE Regulations within 15 days. The amount a school may charge in the form of an administration fee varies according the volume of papers to be processed. Freedom of Information Act 2000 (“FOI Act”) The FOI Act provides public access to information, whereby individuals are enabled to request provision of information held by public authorities, including state schools. The FOI Act does not provide access to the individual’s own personal data and is outside the scope of this briefing note.
Ben Collingwood
Senior Associate Schools & Charities 01483 464204 bencollingwood@barlowrobbins.com Ben is an experienced lawyer specialising in wide ranging areas of education law, advising independent schools on reputation issues, pastoral, safeguarding, historic abuse allegations, exclusions, parent/pupil complaints, data protection, parent contracts, admissions and contentious and non-contentious employment/HR matters. He has written and spoken widely on these issues, providing comment in the Times, Guardian, The Lawyer, Law Society Gazette, and at BSA, ISBA and AGBIS training events. Ben is a member of the Institute of Directors (serving as the Surrey Branch Legal Ambassador), the Employment Lawyers’ Association and the Lawyers’ Christian Fellowship.
“I would encourage any HMC Head to approach Ben for support as I have done. Ben’s advice was incredibly prompt and helpful. He demonstrates true expertise in the unique challenges faced by independent schools today including education and pastoral matters, safeguarding, data protection and the preservation and promotion of the school’s reputation.”
Mark Bishop, Former Headmaster, Trinity Croydon
“Ben is a recommended individual in Legal 500 and Chambers & Partners, being described as ‘thorough’, ‘accommodating’ and ‘an excellent advocate’.”
Legal 500 & Chambers UK
GUILDFORD The Oriel Sydenham Road Guildford, Surrey GU1 3SR T: +44 (0)1483 543210 F: +44 (0)1483 464260 E: enquiries@barlowrobbins.com
WOKING Concord House 165 Church Street East Woking, Surrey GU21 6HJ T: +44 (0)1483 748500 F: +44 (0)1483 729933 E: woking@barlowrobbins.com GODALMING Church House 30 Church Street Godalming, Surrey GU7 1EP T: +44 (0)1483 417121 F: +44 (0)1483 426836 E: godalming@barlowrobbins.com
Boarding Schools’ Association 4th Floor 134 Buckingham Palace Road London SW1W 9SA bsa@boarding.org.uk www.boarding.org.uk