GDPR in Education: Questions & Answers
This Q&A has been specifically formulated for the education sector. It answers some of the common questions relating to schools and education providers. More generic data protection guidance can be found on the ICO website. These answers are intended to be for guidance and illustrative purposes only. They are not a substitute for legal advice and should not be relied on as such. We intend to keep updating this Q&A so please revisit periodically should you find it of use. Alternatively, you can ask us a question, and one of our education specialist data protection advisers will respond.
What does the new Data Protection Act 2018 (DPA 2018) mean to the school?
The DPA 2018 needs to be read in conjunction with the GDPR as it guides us, amongst other things, as to how certain parts of the GDPR are to be implemented in the UK. This is important because the DPA 2018 in many cases supplements the GDPR, adding more ‘meat on the bones’. One example is that the DPA 2018 provides the conditions under which special categories of personal data and criminal conviction data (sensitive data) can be processed by schools as public authorities. Another example is how education-related workers are treated differently when considering restrictions relating to subject access requests.
Is it feasible to extend the deadline for responding to a SAR due to school holidays?
The GDPR states that responses to subject access requests should be dealt with “without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests.” Under the old Data Protection Act 1998, the response time used to be 40 days, so schools are required to be more responsive under the new legislation. Another factor to consider is that data protection legislation makes no reference to working days. This is different to wording contained in the Freedom of Information Act 2000 which states that FOI requests must be responded to “not later than the twentieth working day following the date of receipt.” Therefore, it cannot be assumed that a SAR can be delayed due to school holidays. Any school looking to extend the period for responding to a SAR must only do so for reasons provided under the GDPR and should consult its DPO or take specialist advice before doing so.
How and when may a breach occur in a school?
When we think about the term ‘data breach’ we often associate it with losing personal information. It is important to recognise that a data breach is much broader than just loss of personal information; it can also include accidental destruction, unauthorised access or disclosure. Examples could include losing safeguarding or SEN information, transferring a pupil file to the wrong school, or even hacking and cyberattacks.
It is essential that you are able to identify data breaches as there are specific procedures laid down in the GDPR detailing how you should handle them.
If a staff member commits a breach will they be personally liable to a fine?
Firstly, it is important to understand that not every data breach must be reported to the ICO. However, when a breach does meet the reporting threshold, it is possible that the school could be sanctioned, with one of those possible sanctions being a fine. Ultimately, the data controller (i.e. the school) would be liable. In very serious cases, enforcement action can be taken against individuals in a position of responsibility, such as a Headteacher, where the offence was committed with their ‘consent, connivance or attributable to their neglect’.
It is important to create a strong data protection culture in all organisations, including schools. Where individuals are identified as committing data breaches contrary to school policy and procedure, it could result in internal disciplinary action.
What should you do if there is a breach?
It is important to implement clear data breach reporting procedures and to train staff on them so they understand how they operate in practice. Such procedures must make it clear that it is critical that data breaches are reported immediately to the DPO/Headteacher, or to another member of staff identified within the procedure. There are two key reasons for this:
i. It allows steps to be taken immediately to try to minimise the risks associated with the breach;
ii. It allows an assessment of whether the data breach needs to be reported to the ICO and, potentially, to those affected by it.
In relation to point ii., if the data breach is likely to result in a risk to the rights and freedoms of those affected, then it must be reported to the ICO no later than 72 hours after the school became aware of it. This underlines the importance of data breaches being reported immediately.
We have received a request from a supplier asking us to sign new T&Cs - should we sign them?
Most schools will have received many emails from providers of learning platforms and other services which are requesting that they sign up to their new T&Cs. In such circumstances this is because the provider will be a ‘data processor’ on behalf of the school and they are obliged to give certain ‘guarantees’ under the GDPR as to how the personal data will be processed. Generally, these updates will be positive as they set out things such as what assistance the processor will provide the school in responding to a SAR or data breach, the security measures it will put in place and the school’s right to inspect them. However, in some cases matters relating to indemnities and insurance are included. Where this is the case you should always obtain legal advice before agreeing to the new terms.
At what age does a pupil become eligible to consent themselves?
The answer to this question is not as simple as many people think. Article 8 of the GDPR does allow for the UK to lower the age of consent from 16 to 13 and this is indeed what section 9 of the Data Protection Act 2018 does. However, this only applies to consent in relation to “information society services” (i.e. online services). It should not be assumed that 13 is generally an appropriate age to obtain consent from a pupil instead of their parent/guardian.
Perhaps a little unhelpfully, the age at which a child is able to give their own consent is not defined under the GDPR. Instead, a child is able to give consent when they are deemed ‘competent’ to do so. Whether a child is competent or not will depend on a number of factors, including what they are being asked to consent to and their ability to understand the information presented.
The ICO has published guidance which schools may find useful.
What is an information audit and is it a legal requirement?
By now, many schools will have heard their colleagues, or perhaps other schools, discussing information audits. Information audits are an important tool in allowing schools to understand matters such as what personal information is being processed, why it is being processed, who it is shared with and how long it is held for. A carefully carried out information audit forms the foundation of your ‘record of processing activities’, which all schools must hold and maintain under Article 30 of the GDPR.
The record of processing activities is an important means of demonstrating that you comply with the data protection principles in accordance with the new accountability requirements.
We know we have to appoint a DPO, but can this be an internal staff member such as the school’s Business Manager?
It is highly unlikely that this will be permissible, and there are several reasons for this. Firstly, the DPO should be an expert in data protection law. This includes an in-depth understanding of national and European data protection. The DPO should understand how the GDPR and our own Data Protection Act 2018 operate, something which is particularly important in order to perform the role of DPO with the necessary level of competence. Even if the school were fortunate enough to employ someone with the requisite expertise, the GDPR states that the DPO cannot have a conflict of interest. Due to the nature of the Business Manager role, or any other role within the school which entails making decisions about the purpose and means of processing personal data, it would not be possible to meet the requirements of being the DPO without a conflict arising.
Can we use fingerprints for cashless payments under the GDPR?
It has become increasingly popular for schools to use cashless payment systems. There are obvious benefits to this, as it avoids children having to bring money into school, which can be spent in local shops, act as a trigger for bullying or be lost. Many of these systems operate by the use of fingerprints, which are used as a means of identification.
Whilst these technological developments benefit schools, they do raise data protection issues which must be managed carefully. Fingerprints are a form of ‘biometric data’, which for the purpose of the GDPR is considered to be sensitive personal data (or special category data, as it is now referred to). This means that as well as identifying an Article 6 ground for processing, you must also identify an Article 9 ground for processing, which will be explicit consent.
Schools also use fingerprints for other purposes such as the use of printers, entry and library services. You should consult with your DPO or take specialist advice if you use biometric data to ensure that you are processing it in accordance with the GDPR.