Data protection has become far more important over the past few years, and it should now be a cornerstone of any school’s regulatory compliance regime.
This change has been driven by a number of factors, not least the introduction of fines for serious breaches a few years ago. Prior to that, the Data Protection Act 1998 (the DPA) was seen as a particularly weak piece of legislation because, no matter how serious the breach, the most likely outcome was little more than a ‘rap on the knuckles’ from the regulator, the Information Commissioner’s Office (ICO).
Furthermore, changes in technology and in how people work have brought data protection and privacy issues to the fore (think smartphones, cloud storage, social media, and the monitoring of staff and pupil email and internet browsing).
We are going to look at some of the key data protection issues in light of recent developments in this area. This is very much a ‘whistle-stop tour’ and each of the areas below could easily be the subject of an entire article.
Schools send far more marketing emails than they may realise, because the legal definition of marketing is so broad. It does not just cover selling goods and services but extends to any communication which promotes the ‘aims and ideals’ of an organisation. Thus an email to parents about an event to raise money for the new sports hall would likely count as a marketing communication.
In the majority of cases, schools may only send marketing emails with ‘consent’. There has been some confusion over whether the DPA requires schools to obtain ‘opt-in’ consent or whether ‘opt-out’ consent is sufficient, and this is probably the school fundraising issue we have been asked to advise on most in the past six months. Opt-in consent typically involves the individual ticking a box to confirm that they agree to receive marketing communications. Opt-out consent works on the basis that, unless the individual ticks a box to opt out, they are deemed to have consented.
Our view is that opt-out consent is compliant in most cases (and will remain so even if the General Data Protection Regulation comes into force – see below) but is trickier to implement in practice, with the result that opt-in consent may be the safer option. This is because the opt-out wording must be sufficiently clear and prominent and must also be accompanied by a positive action on the part of the recipient (such as returning the consent form unticked). That positive action is essential: the GDPR (Recital 32) states that silence, pre-ticked boxes or inactivity do not constitute consent, so a form that was never returned, or a box ticked by default, cannot be relied upon.
Furthermore, the Privacy Regulations (the Privacy and Electronic Communications Regulations 2003, or PECR, which place obligations around electronic marketing on top of those in the DPA) are very strict about what counts as valid consent, regardless of whether the opt-in or opt-out route is chosen. For example, a consent form intended to cover marketing emails must explicitly identify that the consent relates to emails; a general reference to ‘marketing communications’ would not be sufficient.
Charity fundraising has been in the spotlight over the past couple of years with a number of high profile cases apparently showing vulnerable individuals being exploited. The Etherington report last year also identified a number of concerns. In addition, the ICO now has the power to fine organisations for breaches of the marketing regulations.
In light of this we suggest that schools should review their fundraising practices if they have not already done so. Such a review should include:
- Checking consent forms (see above)
- Considering the school’s relationship with the alumni association. Some schools pool data with the alumni association and, if the association is sufficiently independent from the school, it may count as a separate ‘data controller’. This brings additional regulatory requirements, and it may be advisable for the school to enter into a data sharing agreement with the association setting out what data is shared, for what purposes and who is responsible for keeping it secure
- Checking that the school’s use of data in practice is legally compliant. There are particular issues around wealth screening (i.e. identifying high net worth individuals willing and able to support the school), and around the use of social media and online platforms to share and capture data.
Subject access requests (SARs)
The DPA gives individuals a right of access to the personal data a school holds about them. A school might, for example, receive a request from a parent looking for documents to fuel a potential claim against the school, or a request from a disgruntled employee hoping to force disclosure of emails which show what colleagues really think about them.
Such ‘fishing expeditions’ are not uncommon. Should the school fail to disclose any, or all, of the information requested, it runs the risk of a complaint to the ICO and/or having to pay compensation to the individual.
On the other hand, should the school disclose too much, it risks infringing the privacy rights of third parties who might be identifiable from the disclosure.
This difficult balancing act was demonstrated in a recent case concerning a GP practice which was fined £40,000 by the ICO after disclosing too much information in response to an SAR. The practice disclosed highly confidential information to the requester concerning the requester’s former partner, as well as child protection related information.
The DPA requires organisations to have in place appropriate technical and organisational measures to keep personal data secure.
Technical measures typically include ensuring that the school network is secure, using encryption where appropriate (for example on laptops and removable media that leave the site) and ensuring that staff have a secure way of working when off site. The organisational measures should include a combination of staff training, written policies and procedures and regular risk assessments.
At Veale Wasbrough Vizards, we are seeing an increasing number of deliberate attempts to gain access to school systems and data. Broadly these attacks fall into two categories:
- Staff falling victim to targeted ‘phishing’ emails, where they are tricked into revealing information (e.g. about pupils) or into making payments (e.g. because the fraudster has made the email appear to come from a trusted supplier, typically asking for an invoice to be paid to ‘new’ bank details)
- Pupils ‘hacking’ school systems.
Staff should be trained on how to spot suspicious emails, in addition to the school doing what it can to prevent such emails from ever reaching people’s inboxes (for example by filtering incoming mail and rejecting messages that fail sender authentication checks). Training alone is not enough where payments are concerned: any request to change a supplier’s bank details should be verified by telephone on a number already held on file, never on one quoted in the email.
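To make the supplier-impersonation scenario concrete, the following Python script is an added example and is not part of the original article or the firm’s advice. It applies the checks a mail gateway or a cautious finance officer would run over a message claiming to come from a supplier: whether the display name matches the real sending domain, whether that domain is a lookalike of a known supplier, whether Reply-To diverts replies elsewhere, whether the receiving server recorded an SPF/DKIM/DMARC failure, and whether the text asks for payment to new bank details. The supplier allowlist, the keyword list and both sample messages are constructed for the example.

```python
"""Flag e-mails that show the hallmarks of supplier payment-fraud phishing.

Added example: the supplier allowlist, keyword list and both sample
messages below are constructed for illustration, not real data.
"""
import email
import re
from email.utils import parseaddr
from typing import Optional

# Assumed allowlist of domains the school's genuine suppliers send from.
KNOWN_SUPPLIER_DOMAINS = {"acme-catering.co.uk", "bristol-stationery.com"}

# Phrases typical of invoice-redirection ("change of bank details") fraud.
PAYMENT_KEYWORDS = ("bank details", "new account", "urgent payment", "bacs", "sort code")


def _domain(addr: str) -> str:
    """Lower-cased domain part of an e-mail address ('' if there is none)."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def _canon(domain: str) -> str:
    """Collapse a domain to a comparable form: drop the TLD, undo common
    homoglyph tricks (1->l, 0->o, rn->m) and keep only letters."""
    base = domain.split(".")[0].lower()
    base = base.replace("1", "l").replace("0", "o").replace("rn", "m")
    return re.sub(r"[^a-z]", "", base)


def _lookalike(domain: str, known: set) -> Optional[str]:
    """Return the known supplier domain that `domain` imitates, if any."""
    for k in known:
        if k != domain and _canon(k) == _canon(domain):
            return k
    return None


def _auth_failures(header: str) -> list:
    """spf/dkim/dmarc verdicts in an Authentication-Results header that are not 'pass'."""
    return [f"{m.lower()}={r.lower()}"
            for m, r in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I)
            if r.lower() != "pass"]


def _body_text(msg) -> str:
    """Plain-text body (every text/plain part; a single-part message is its own part)."""
    parts = [p for p in msg.walk() if p.get_content_type() == "text/plain"]
    return "\n".join(p.get_payload(decode=True).decode("utf-8", "replace") for p in parts)


def phish_indicators(raw: str, known=KNOWN_SUPPLIER_DOMAINS) -> list:
    """Return human-readable reasons the message looks like supplier fraud.
    An empty list means none of the checks fired."""
    msg = email.message_from_string(raw)
    reasons = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)
    reply_dom = _domain(parseaddr(msg.get("Reply-To", ""))[1])

    # 1. Display name trades on a supplier's name but the address is not theirs.
    for k in known:
        brand = k.split(".")[0].replace("-", " ")
        if brand in from_name.lower() and from_dom != k:
            reasons.append(f"display name mentions '{brand}' but sender domain is {from_dom}")

    # 2. Sender domain is a lookalike of a known supplier.
    imitated = _lookalike(from_dom, known)
    if imitated:
        reasons.append(f"sender domain {from_dom} looks like {imitated}")

    # 3. Replies are diverted to a different domain from the apparent sender.
    if reply_dom and reply_dom != from_dom:
        reasons.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # 4. The receiving gateway recorded an SPF/DKIM/DMARC failure.
    reasons += [f"authentication result {f}"
                for f in _auth_failures(msg.get("Authentication-Results", ""))]

    # 5. Payment-redirection language in the subject or body.
    text = (msg.get("Subject", "") + "\n" + _body_text(msg)).lower()
    hits = [kw for kw in PAYMENT_KEYWORDS if kw in text]
    if hits:
        reasons.append("payment-change language: " + ", ".join(hits))
    return reasons


# Constructed sample: fraudulent "new bank details" request from a lookalike domain
# (note 'acrne' for 'acme') with replies diverted to a webmail address.
SAMPLE_FRAUD = """\
Authentication-Results: mx.school.example; spf=fail smtp.mailfrom=acrne-catering.co.uk; dkim=none
From: Acme Catering Accounts <accounts@acrne-catering.co.uk>
Reply-To: accounts.acme@webmail.example
To: finance@school.example
Subject: Updated bank details for this month's invoice

Please note our new account and sort code below and pay the outstanding invoice today.
"""

# Constructed sample: genuine supplier message that passes every check.
SAMPLE_GENUINE = """\
Authentication-Results: mx.school.example; spf=pass smtp.mailfrom=acme-catering.co.uk; dkim=pass
From: Acme Catering Accounts <accounts@acme-catering.co.uk>
To: finance@school.example
Subject: Invoice 1042 attached

Please find attached this month's invoice. Kind regards.
"""

if __name__ == "__main__":
    for label, sample in (("fraud", SAMPLE_FRAUD), ("genuine", SAMPLE_GENUINE)):
        print(label, phish_indicators(sample) or "no indicators")
```

The fraudulent sample trips all five checks, the genuine one trips none; in practice any single indicator should be enough to route the message for manual review rather than straight to whoever pays invoices. The homoglyph handling in `_canon` is deliberately simple and will miss other substitutions; the point is that the check is made at all.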
With regards to pupils, it is important to identify and mitigate specific vulnerabilities. For example, we have advised on numerous cases where a pupil has gained access to school systems by installing malicious software via open USB ports, and this is a vulnerability schools might wish to pay particular attention to: restricting the use of removable media on school-managed machines, and preventing pupils from installing software, closes that route.
The DPA was due to be replaced with a new European General Data Protection Regulation (GDPR) in May 2018 but the position remains uncertain in light of the UK’s decision to leave the EU.
The GDPR will, if implemented, shift the regulatory goalposts once again. Of particular note is that the maximum fine will increase from the current £500,000 to 20 million euros or, if higher, 4% of an organisation’s worldwide annual turnover.
There is every chance that the GDPR will find its way onto the statute books even in the face of Brexit. Compliance with the GDPR by UK organisations may well be one of the concessions made should whatever deal is struck with Brussels include access to the single market.
Even if the UK makes a ‘clean break’ (whatever that might mean), schools will most likely still be required to comply with the GDPR principles if they hold data about individuals in the EU (e.g. pupils and parents based in EU countries), which no doubt many, if not all, will.
Andrew Gallie is a senior associate at leading education law firm Veale Wasbrough Vizards. Andrew can be contacted on 0117 314 5623 or at firstname.lastname@example.org