General Data Protection Regulations
As of 25th May 2018, the GDPR replaced the Data Protection Act 1998 – this means the way in which schools manage data and information has slightly changed. At Kingsmead, the school governing body, alongside Ms Stewart, ensures that our school is compliant and handles data in accordance with the new guidance, including appointing a Data Officer, Mrs Lesley Cocker, our School Business Manager. This is achieved through: a full data audit; the generation of new policies, including child-friendly policies (our Data Protection and Freedom of Information policy was updated in Summer 2018), and amendments to existing policies; staff training; and challenge and support from governors.
The GDPR is designed to strengthen the safety and security of all data held within an organisation, and make sure procedures are consistent. It focusses on the privacy rights of individuals and the idea that everyone should know what data is held about them and how it is used.
Why is it important? Well, the GDPR makes many changes to existing data protection rules and regulations that schools adhere to – including policies.
The main new elements are:
- Accountability – schools must prove their compliance with data protection principles by having effective policies and procedures in place.
- Privacy – new information must be included in privacy notices, e.g. legal basis for processing data, retention periods, rights to complain to the Information Commissioner's Office (ICO). This information must be in concise, clear and easy-to-understand language.
- Individuals' rights – a new right to 'data portability' means data must be provided in a commonly used, electronic format. Other rights under the GDPR include: subject access requests; to have inaccuracies corrected; to have information erased; to prevent direct marketing; and data portability.
- Subject access – there's a reduced time frame to comply with subject access requests (SARs) – from 40 days to 1 month. To refuse requests you must have policies and procedures in place to show the refusal meets the criteria. Unfounded or excessive SARs can be charged for or refused. Additional information is needed for those making SARs, including retention periods and the right to have inaccurate data corrected.
- Legal basis – schools' legal basis for processing personal data must be explained in privacy notices.
- Consent – data controllers must demonstrate that, where necessary, consent was given, and it has to be a positive indication of agreement to personal data being processed.
- Children – special protection is given for children's personal data – consent is needed from a parent to process this data, unless the child is over the age of 13, in which case they are able to provide their own consent in certain circumstances. Privacy notices must be written in a language that can be understood by children.
- Data breaches – a breach notification duty applies to all schools, and breaches that are likely to cause damage, e.g. identity theft, have to be reported to the ICO within 72 hours – failure to do so can result in a fine.
- Data protection impact assessment – this will be carried out when new technologies are used and the processing is likely to result in a high risk to the rights and freedoms of individuals.
- Data protection officer (DPO) – schools are required to appoint a DPO.