GDPR seven months on: what have we learnt?
VWV Partner, Andrew Gallie, and Senior Associate, Claire Hall, look at the key data protection issues following GDPR
At VWV, we look at the key data protection issues we have been advising schools on since the new data protection regime came into force in May.
We are often asked whether consent should be sought before taking and using photographs.
The answer will often turn on how privacy-intrusive the photograph (or its use) is. For example, a photograph featured on the front cover of a school's prospectus will usually require consent, whereas a photograph used on an internal display at the school usually will not. Note that where consent is not sought, the school should still be transparent about its practices (for example in its privacy notice) so that individuals have an opportunity to object.
Privacy notices are essential
We are finding that a lot of schools have not yet put in place compliant privacy notices. The purpose of the privacy notice is to set out how the school uses personal information. Not only is the provision of privacy notice information a legal requirement, but schools are also finding they are useful in relation to disputes. For example, a parent with an ongoing dispute may seek to argue that the school has breached its data protection obligations through not being transparent regarding how the parent’s data is used, as an additional strand to the complaint. If the school can show that what the parent has complained about is covered in the privacy notice, then this will often go a long way to rebutting the alleged non-compliance.
Data breaches – getting the essentials right
A number of schools have fallen victim to cyber attacks. These range from phishing emails, through to remote attacks made against the school’s network and IT infrastructure. We have found that attacks are often successful through schools failing to provide essential training to staff or failing to take basic steps to secure the school’s network.
Schools should therefore ensure that they have done enough to protect their systems from attack. The GDPR contains explicit obligations around information security (in particular the 'security of processing' requirements in Article 32), for example in relation to documentation, encryption, back-ups, the ability to restore data after an incident, and ongoing testing and assessment of the measures in place. Schools should have particular regard to these.
Subject access requests aren’t getting any easier
Subject access requests (SARs) remain by far the most common type of request made against a school, despite the abundance of new rights granted under GDPR.
Of particular note is the change to the exemption which allowed a school to withhold third-party information under an SAR (i.e. where third-party data is mixed with the requester's). That exemption no longer applies if the third party is 'a teacher or other employee at the school'. This is a significant change which makes it more difficult to lawfully withhold staff information, for example where a school wanted to withhold the identity of a whistleblower.
However, this is not to say that third-party staff data must necessarily be disclosed in all cases: in some situations there may be alternative exemptions which apply.
A school will often use the same alumni database as its alumni society. In these circumstances, it is not always clear who ‘owns’ the data – either the school or the society (or to use data protection terminology, who the data controller is). That the school may physically control the database is not determinative. A risk is that the society argues that it, and not the school, is the controller, and if the society is right then the school would have no right to use the data for its own purposes. A data-sharing agreement between the school and the society can help to regularise the relationship. An agreement should, in particular, make it clear that the school is a controller of the data (if indeed this is the case) to prevent any dispute further down the line. Often these agreements provide that both the school and the society are controllers.
How would you respond if you received this letter from your school’s alumni society?
Dear Director of Development,
As you know, I am the Chair of Blueacre School Alumni Society (the BSAS). It has come to my attention that the school has been using the BSAS alumni database to send out school marketing communications. Not only is this practice a breach of data protection law (you need consent for this) but it is also in breach of our longstanding arrangement that the school is only entitled to use the BSAS database to send out communications on behalf of BSAS and not for the school's own purposes. It is clear from my review of the correspondence that the school has been sending out letters and emails about school events and school fundraising since at least 2008.
I expect your written confirmation that these practices will stop. I have today written to the ICO as I expect they will have something to say about this as well.
BSAS Chair on behalf of the BSAS Committee
How should the school respond? Points to consider:
● There may well be a wider context which has caused a deterioration in the relationship and this communication could be the latest in a long line from the BSAS on a variety of topics. As such, addressing any wider issues may also assist with regards to the BSAS’ concerns regarding data protection.
● At the core of the BSAS' position is that it, rather than the school, 'owns' the alumni database and that it is the controller. Whether this is indeed the case will depend on a number of factors, for example the history of the database, what alumni have been told and the detail of the 'longstanding arrangement' the BSAS refers to above. It may be helpful to look through the history of the school's and the BSAS' interaction with alumni. For example, if previous communications to alumni have always made it clear that both the school and the BSAS will use alumni personal data for their own respective purposes, then this may assist the school in rebutting the arguments raised by the BSAS.
● The BSAS has also claimed that the school is in breach of the GDPR because the school did not obtain consent before contacting alumni for school-related purposes. One of the more popular 'GDPR myths' is that consent is required for all alumni communications. This is patently not the case, although development-related (i.e. fundraising) emails sent to alumni will often require consent.
● As noted above, a data-sharing agreement would help address some of the data protection concerns and would also help prevent the BSAS from seeking to raise this issue again in future. As a further (longer-term) step, the school could (with the society’s agreement) seek to bring the society ‘in-house’. This could, for example, involve transferring the society’s assets to the school and making its activities the responsibility of a committee of the governing body of the school. This is something which a number of schools are considering and it does have a number of significant legal and practical advantages. This may also be in the interests of the society members, particularly if the society is constituted as an unincorporated members association as members of unincorporated associations can be personally liable.
VWV’s online compliance-management solution My OnStream provides GDPR data protection and GDPR information security e-learning for all your staff so they are aware of what is expected of them. It also tracks and manages staff progress for you and provides real-time reporting. Please consider subscribing to My OnStream. Find out more at mos.vwv.co.uk and book a free online demo.
Andrew Gallie and Claire Hall are in the data protection team at leading education law firm VWV. Andrew can be contacted on 0117 314 5623 and Claire on 0117 314 5279.