Handling personal data in an appropriate way is, of course, a longstanding responsibility for institutions such as schools, but the new GDPR requires organisations to go much further in documenting how and why they process all personal data. The regulation also gives individuals enhanced rights to access records, for example about their own child, without any charge. To ensure compliance, each school should designate someone who is responsible for data protection. At Ashbourne that person is the Principal, who has the time and the in-depth knowledge of the college needed to manage data protection in an appropriate way. (The school itself, as the organisation deciding how and why personal data is processed, is the data controller in the GDPR's terms.)
Naturally, a school's compliance officer must understand the relevant law, so that it is reflected in new policies and technology, and will rely on the support of all staff, academic and administrative. Unless a school has 250 or more employees, it is advisable not to use the title "data protection officer" for this role, since the GDPR attaches strict requirements of independence to that title which only the larger schools would find easy to meet. Compliance also means that employees have to be trained to use computer data systems in a secure, appropriate and lawful way. As with every aspect of a school's culture, it is vital that senior managers ensure that all members of staff properly observe data protection.
The personal data handled by schools ranges from everyday information, such as attendance, to images, academic records and sensitive medical issues. It can include tightly regulated 'special category data', such as details on race and ethnicity, biometric data or trade union membership; needless to say, the data includes information about employees as well as students. Any third party entrusted with processing personal data on the school's behalf must be bound by a written contract that sets out its obligations under the GDPR. Every aspect of school life potentially involves the handling of such data, so even a new piece of academic software needs to be cleared with the compliance officer before it is adopted.
Crucially, if a personal data breach occurs that is likely to put individuals at risk, it must be reported to the Information Commissioner's Office within 72 hours of the school becoming aware of it, and, where the risk to those individuals is high, the individuals themselves must also be informed. There are serious fines for non-compliance, the maximum being €20m or 4% of the organisation's annual worldwide turnover, whichever is higher. A school would have to be grossly negligent indeed to incur such a fine, but these penalties underline the fact that the new GDPR has to be taken very seriously. We have all become painfully aware of the risks of inadequate data protection in various areas of life. Clearly, education is a field in which the highest standards are expected.
We would be better served if strict adherence to the regulations applied only to organisations with more than 250 employees, as referred to above, a threshold the legislation itself already uses to exempt smaller organisations from some of its record-keeping obligations. In the first instance we might focus on the larger issues: the use for profit of personal data by companies in social media; the prevention of fraud through the internet; and the security of data within large organisations such as the NHS. Once success is achieved in these areas, we might be better able to offer assistance to smaller organisations in protecting the privacy of our citizens. The burden of GDPR is too onerous for smaller institutions. There are some five million companies in the UK; if each appoints someone to oversee compliance and spends £1,000 per annum complying with GDPR, the cost to our economy is £5bn, possibly more. This cost discourages start-ups, reduces investment, limits expenditure in other areas and indeed provides a basis for understanding the impact of regulation on productivity in our economy.
Ashbourne College: ashbournecollege.co.uk