Conference & Common Room - July 2019

Page 24

Schools

GDPR and schools

Richard Harrold reflects on a year of data protection

The GDPR bill became law a year ago this May and it has made a massive difference to the working practices in school. Until it came into law, the most scandalous infringements of privacy were being carried out by large corporate companies. They had absolutely no incentive to do anything about it because it wasn’t in their commercial interests to do so.

While designed to protect consumers, with the ability to fine a company four percent of its global revenue for data breaches, the law has also given schools an understandable and achievable way to protect themselves, their staff and students.

However, schools can feel that GDPR has created a rod for their backs, because of the huge amount of work it involves. Setting up good, compliant systems, and keeping them refreshed and up to date, is an enormous task, there is no doubt. But the real reason many schools can feel that GDPR has created more work is because in the past few years the number of Subject Access Information requests has gone up tenfold. This is where an individual, usually a member of staff or student, past or present, can request to be sent all the personal information held about them. The information has to be sent within thirty days of the request being made. These can use up an horrendous amount of time, but having good GDPR systems in place can actually help.

For example, the Information and Records Management Society (IRMS) publishes advice on how long you need to keep different types of information. Student records only need to be kept for seven years after they’ve left school. Schools should delete the records after this and keep a record that they have done so, because otherwise if they hold the data and a student asks to see it, the school has to provide it. If schools keep everything, they are taking a big risk. We tell all our graduates that we won’t have any information about them once they turn 25. When they leave, we give them their records and tell them to look after them!

Other specific information has to be kept for longer, such as medical data; fabric issues, such as asbestos or radioactive incident records; or health and safety and child protection data. Requirements for each will be described by the IRMS, but of particular note is any data which might pertain to child abuse. Under The Goddard Inquiry terms, all organisations have to keep information while the inquiry is ongoing, which is likely to be at least another decade.

The IRMS is a great and underused resource for ensuring you know exactly what you should keep and what you can and should destroy (keeping a record, ironically, that you have done so). The Department for Education’s Data Protection Toolkit for Schools is an excellent resource too.

As an international school where children and staff come and go from all parts of the world, it is especially important that we have our house in order. If we leave the EU without a deal there could be GDPR implications. At the moment, for example, if a student leaves to go to another country in the European Economic Area (EEA) such as France, we hand over the data to the school, confident the data will be handled securely. We would not do the same if a student went to some areas of the Middle East, where countries don’t hold the same laws or values as us. If the student was LGBT, the data could be very dangerous for them. If we leave without an agreement from the EU, in theory we are a country which is outside their law and legally their data cannot be shared with us. This is just one extra thing to bear in mind that is new since last year.

Another area where GDPR has created change within schools is the subject of consent or contracts in using photos and images. The age of consent for data is thirteen, twelve in Scotland. A parent can say yes, they don’t mind if the child is photographed, but the child has to say yes. This is why many schools are now opting for a contract rather than consent. Schools have to ensure they are not caught in the crossfire between parents and children.

Consent could be given by phone, on email or on a slip of paper. But that consent from the child or parent could be withdrawn at any time. You might have printed your school brochure and paid thousands of pounds for it when consent is withdrawn and suddenly you can’t use it. A contract, signed by both parents, explains the terms of agreement to cover situations such as this. This is where GDPR, backed up by good working practices, protects the school, and most admissions departments are now geared up for it.

I recently attended the Information Commissioner’s Office (ICO) conference. The presence of so many different companies like Vodafone, Virgin and Arsenal Football Club, along with many schools, shows just how important GDPR is for us all. A key message I came away with is that the ICO is not looking to punish schools and make life harder. It is trying to ensure we are all protected and managing our data in an informed and measured way.

Dr Richard Harrold is Data Protection Officer at ACS International Schools

