GDPR: Considerations for Schools
The General Data Protection Regulation (or GDPR) is a change in legislation on how we use and store personal data, and it came into effect on the 25th May 2018. All organisations must be compliant with the new rules. So what does this mean for schools?
What is Personal Data?
Personal data refers to information that can, directly or indirectly, identify a real person. This includes information such as: a name, an email address, posts on social networking sites, medical information, bank details, a photo or indeed an IP address. Schools may also hold additional information on a child's ethnicity, religion or medical history. Rules are needed to address how this information is handled.
Why the Change?
The General Data Protection Regulation (GDPR) ensures that organisations and businesses are more accountable and transparent in their collection, use, and protection of personal data.
The new legislation replaces the Data Protection Directive 95/46/EC and will be a more stringent and up-to-date regulation. The EU recognises that the collection of personal data is big business and aims to ensure that responsible and ethical practices are in place, along with safeguarding procedures. It will provide EU citizens with greater data protection and privacy.
Organisations and businesses will now have to be more accountable and answer the following questions in relation to personal data:
- Why are you holding it?
- How did you obtain it?
- Why was it originally gathered?
- How long will you retain it?
- How secure is it, both in terms of encryption and accessibility?
- Do you ever share it with third parties and on what basis might you do so?
Rights of the Individual
Under GDPR individuals will have more control over who has their information, what it is used for, who it is shared with and how it is processed. They will now have the following rights:
- The right to be informed
- The right of access
- The right to rectification
- The right to be forgotten
- The right to restrict processing
- The right to data portability
- The right to compensation and liability
Personal information must be processed fairly and lawfully. As a school, if you are collecting personal data, you must be able to explain:
- Why you are collecting it
- How you will be processing it
- Who you will be sharing it with and who has access to it
- How long you intend to keep it
There are six lawful bases under which a school can process personal data. The collection of data must fall under one of these six bases or it is not compliant with GDPR and should not be processed. The bases are as follows:
- Consent of the data subject
- Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
- Processing is necessary for compliance with a legal obligation
- Processing is necessary to protect the vital interests of a data subject or another person
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- Processing is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject
One thing to remember here is that you may need information about a student, such as a name and address. This would be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. However, you cannot then use that information in a different way, such as sharing it with a third party, without getting permission from the data subject first.
The same applies to taking photographs of students. Not only will you require informed consent before you take and/or share photos, but you must use the photos for their particular purpose and not in another context. Schools will need to create a policy about photos on their website, as this is a public sphere. For a more detailed look at photographs and videos please see: What is considered good practice when schools/ETBs take photos of their students?
What to Do?
Schools should first conduct an audit of the information they hold, decide whether they need it or not, why it was collected in the first place, and how long they aim to keep it for. Download the Compliance Checklist.
Next, develop an internal data protection policy that specifies what personal data is held by the school/ETB. This document should be reviewed and updated on a regular basis. It should also refer to the eight data protection rules and show how the school/ETB collects and stores personal data, who has access to this information and a review of how information is retained.
The rules are as follows:
- Rule 1: Obtain and process information fairly
- Rule 2: Keep it only for one or more specified, explicit & lawful purposes
- Rule 3: Use and disclose it only in ways compatible with these purposes
- Rule 4: Keep it safe and secure
- Rule 5: Keep it accurate, complete and up-to-date
- Rule 6: Ensure that it is adequate, relevant & not excessive
- Rule 7: Retain it for no longer than is necessary for the purpose or purposes
- Rule 8: Give individuals a copy of their personal data, on request
Schools generally collect large quantities of personal data about students and staff, making them data controllers. Usually, the board of management for a school or ETB would be the data controller. Please see Responsibilities on Schools/ETBs as Data Controllers for more information on who the data controller is for your school.
What is a Data Breach?
A data breach occurs when personal data, whether inadvertently or not, is shared or disclosed to others, altered in any way, deleted or lost. If data is compromised, the ICO must be notified within 72 hours. If the breach negatively affects the rights of any data subject(s), they must also be notified.
For schools, this means that school leaders and staff must have procedures in place to deal with such incidents.
The new regulation may seem daunting but it will provide better protection for your students and staff. While there are many things to consider, the best advice would be to begin the process as soon as possible. There are a number of useful links to help you get started below.
Preparing for GDPR: http://dataprotectionschools.ie/Document-Library/GDPR-12-Steps.pdf