28 Mar
GDPR FAQ for schools
Frequently asked questions regarding GDPR for schools, academies and MATs
The following frequently asked questions are shared with permission from GDPRiS – a service which enables schools, academies and multi-academy trusts to manage issues they will face around the implementation of the requirements of the GDPR.
These FAQs will be updated as further information becomes available from the Information Commissioner’s Office and as GDPR.school update their frequently asked questions.
Don’t forget that if your school, academy or multi-academy trust subscribes to Modern Governor, then you have access to five modules on GDPR, with a sixth module to follow shortly.
Q: Does the GDPR really affect schools?
Yes, every organisation or business that handles personal data needs to review its data protection policies and bring them in line with the General Data Protection Regulation.
Q: What is personal data?
Any information that can identify a natural person (‘the data subject’). This person can be identified directly or indirectly by details such as a name, an email address or their location, but also by online identifiers such as an IP address, website cookies and other device identifiers. Thus, an email from a parent carrying data such as their name, email address and their child’s name can clearly identify both the child and the parent. Even a UPN or an MIS identifier in a specific school is personal data on its own, as it points to the child’s information and, in the case of the MIS identifier, to the parent’s/carer’s information as well.
Q: What will the GDPR change in my school’s existing data protection processes?
If you have implemented processes in line with the existing Data Protection Act, DPA (1998), then you are well placed to meet the new requirements. Changes are mainly based on clarification and qualification of existing directives. A major change is that you can no longer simply say you meet the requirements; you must be able to offer evidence that you do.
This video from GDPRiS explores some of the thinking that a school, academy or MAT will have to do with regard to how data is used across their institution(s):
Q: Who are data controllers, processors and sub-processors?
A data controller, in the context of schools, is the organisation that determines the purposes and means of processing personal data. Data processors provide services to the data controller and must follow the conditions laid down in the data controller’s instructions. The GDPR applies to both data controllers and processors. When data controllers collect data from the data subject, they must clearly tell them how they will use the data. They must also establish the legal basis for processing. Another category is called sub-processors or third-party data processors. These process data on behalf of a data processor and, although they do not have direct communication with the data controller, they are still wholly accountable for the protection of personal data.
Q: Can we use products before they are fully compliant?
Yes, you should continue using all products; your suppliers will be in the process of achieving their own compliance. However, before 25th May 2018, they must be confident that they will meet the deadline. Preparing for GDPR is an organisation-wide challenge involving a large amount of time, resources and expertise and all will be working towards it. They must demonstrate by 25th May 2018 that they have met the standard.
Q: How can my school benefit by complying with the GDPR?
Without a doubt, reviewing your data protection processes throughout the school will help you to restore confidence and trust in both your internal procedures and those of your suppliers. A review of the Data Protection Act is long overdue. The previous Act became law in an era when some technologies were just emerging. Ensuring that you protect an individual’s fundamental rights will give you confidence in your policies and data sharing agreements.
Q: Does my school need a Data Protection Officer (DPO)?
Yes, as a public sector organisation you are obliged to have a DPO. However, you shouldn’t allow the fact that you don’t yet have a DPO to delay your journey to compliance with the GDPR.
Q: Who is a DPO and what do they do?
In simple terms, the DPO oversees GDPR compliance independently and acts as an intermediary between the organisation, data subjects and the supervisory authority (the ICO). The minimum tasks of a DPO are defined as:
- To educate the organisation and its employees regarding their data protection obligations and the rights of individuals
- To monitor compliance with the GDPR
- To act as the first point of contact for supervisory authorities and individuals whose personal data is processed (e.g. staff, students, parents, carers)
Q: What qualifications must a DPO have?
The ICO states: “The GDPR does not specify the precise credentials a data protection officer is expected to have. It does require that they should have professional experience and knowledge of data protection law. This should be proportionate to the type of processing your organisation carries out, taking into consideration the level of protection the personal data requires.”
Q: Why must special categories of personal data, known as sensitive data, be treated with extra care?
Sensitive personal data which “uniquely identify a person” are classed in the GDPR as Special Category Personal Data; genetic and biometric information, for example. Access to this data must be limited to only the people entitled to see or use it, and extra provision must be made to ensure this happens.
Q: Subject Access Requests (SARs) – what changes do I need to make under the GDPR?
The biggest change is the removal of the £10.00 subject access fee and you have less time to comply with a subject access request. The regulation also introduces a new ‘best practice recommendation’ encouraging organisations to provide remote access to a secure, self-service system providing individuals with direct access to their information. Numerous school cloud-based systems are starting to deliver this service and more will be evolving.
Q: I’ve been told that I must have a legal basis to process personal data under the GDPR?
Yes, to process personal data under the GDPR you must have a legal basis to do so, and document it. Under the Data Protection Act, this is known as ‘conditions for processing’. Check out the GDPR.school blog post “How concerned should schools be about consent?” or this video:
Q: What happens when personal data is breached under the GDPR?
The GDPR is introducing a duty on all organisations to report certain types of data breaches to the “relevant supervisory authority” and to the individuals who have been affected. Even if a data breach is not reported to an authority outside the school, it is important to get a full overview of where minor breaches are taking place and to ensure they are not repeated.
Q: Do I have to do a Data Protection Impact Assessment (DPIA) under the GDPR?
Whilst not mandatory, all schools should consider doing a DPIA as a tool to help assess data breach risks on any new project or process at the very beginning of the planning stage. This should be a consideration when choosing any new supplier who will act as a data processor, or who will provide you with tools to allow you to process data yourselves.
Q: Why do I need a privacy notice?
Since you hold and process data on individuals, you must tell them in simple terms how their data is processed. The regulation states that this should be clear, easy to access and free of charge.
If the privacy notice applies to children, you’ll need to write it in a way they will understand.
Q: What is Privacy by Design?
This is best explained as considering data protection before implementing a process, be it technical or organisational. If you’re familiar with the UK’s Data Protection Act, you’ll probably know that the Information Commissioner’s Office has long championed this.
Q: Is the DfE offering help to schools?
Yes, the DfE has pledged to provide information and resources for GDPR implementation in schools. Links to their advice can be found at teaching.blog.gov.uk searching for GDPR. The first video from the DfE is here:
GDPRiS has also produced various free resources for schools that you may find useful.
Q: What about the ICO – do they offer specific help to schools?
Yes. The ICO’s website has a section dedicated to schools and the education sector.
Q: Is there any extra funding to implement GDPR in schools?
Data protection has always been an area that schools should already be complying with. As such, there are no additional funds at the moment to support any changes and improvements.
Q: Why might I start using GDPRiS?
The GDPRiS platform has been built to support schools through their GDPR journey and beyond. The GDPR.school team are here to help your school meet compliance. We share good practice from around the school data protection community and provide training materials including videos to ensure every member of staff is part of your journey.