There have been marked changes in data protection over the past couple of years: it now forms an integral part of a school’s regulatory compliance. New ways of working and advances in technology, together with higher fines by the Information Commissioner’s Office (ICO), mean that there are now greater risks associated with the handling of personal information.
Independent schools may not consider that the recent publicity regarding TalkTalk’s loss of personal data involving over 4 million customers is relevant to them. However, the recent series of high-profile data losses has raised public awareness of data protection. In the same week as the TalkTalk loss, Marks and Spencer’s website allowed customers to see each other’s details and British Gas had a problem with email addresses and account passwords being posted online.
We are seeing an upsurge in data protection-related queries from independent schools and this reflects the heightened awareness of the risks in this area.
Recent changes in the law – Safe Harbour
A recent development that affects every organisation handling personal data is the European court ruling that invalidated the ‘Safe Harbour’ arrangement. Safe Harbour allowed European organisations to rely on a US supplier’s self-certification that it adhered to European data protection requirements when handling personal data in the US; that reliance is no longer available.
How does this affect schools? There is a growing trend to move IT services onto cloud-based facilities so that staff and pupils can access information from any location. Schools need to be particularly vigilant where these services hold confidential, sensitive information about pupils, parents or staff. Most cloud storage providers replicate data to at least two data centres to protect against failures and local disasters, and unless the contract fixes the storage region, one of those copies may well be in the US. Where the provider lets you choose a region, check that the contract commits to it and that the commitment extends to backups, replicas and support-staff access, not just the primary copy.
The ICO has indicated that it will not take immediate action against organisations that use cloud-based facilities which may transfer personal data to the US. However, it is vital to liaise with your IT department and consider whether the arrangements in place adequately protect the information processed.
Other data protection considerations – consent and disclosure
Schools process a significant amount of personal data as part of school life. Inevitably, some of this will be sensitive personal data, which requires extra care. For pupils, sensitive personal data includes details of a disability, medical conditions or special educational needs; for staff, it includes information such as trade union membership.
We recommend that information is accessible only to those who require access for a specific purpose, and that sensitive data is given a greater level of security. Seniority alone does not confer a right to see everything the school holds: a member of staff’s access needs to be justified on a case-by-case basis. In certain circumstances you may only be able to use or disclose personal data once you have obtained explicit consent from the individual or from the parents. We recommend that a record is kept of any consent provided, including what it covers and when it was given.
Pupils over 12 years of age are generally considered capable of giving or withholding consent to the use of their own personal data. In such cases, consent cannot be given on behalf of the data subject – for example, by the parents. This can lead to difficult situations, such as where the parent may want access to their child’s examination results but the pupil refuses. If this cannot be resolved by discussion, we can advise on how best to protect the school from potential claims.
There will be some cases where an exemption in the Data Protection Act (DPA) allows disclosure of personal information to the police or safeguarding organisations. Consent may not be required, but a school will still need to meet its obligations under the DPA. We recommend that you do not have a blanket policy and review each request on a case-by-case basis.
It is also not uncommon for pupils to have estranged parents. We have seen individuals using subject access requests as a means of obtaining evidence to use in a dispute rather than to check the accuracy of the information held. This can place the school in a difficult position. It needs to understand what information it may provide in these circumstances.
Practical steps and strategies
Schools should review their data protection arrangements and understand the risks. In particular, focus on information security and ensure that both organisational measures (for example, robust policies and staff training) and technical measures (for example, encryption and controls on remote access) are in place. Pay special attention to data going outside the EEA.
To help take stock, the first checklist below provides a non-exhaustive list of systems that your school may currently use. For each system you should then consider the questions in the second checklist.
The third checklist sets out areas that are often overlooked until something goes wrong and are worth reviewing before it does.
Fines and Penalties
The ICO regulates data protection compliance. It can issue enforcement notices, conduct audits and impose monetary penalties of up to £500,000.
Historically, the ICO has been reluctant to fine schools for data protection breaches, but this does not mean it will not do so. Even if a school avoids a fine, it is likely to have to divert management time and resources to dealing with the ICO and with adverse publicity: the ICO publishes its decisions online and these are often picked up by the press.
The ways in which schools use technology and personal data continue to evolve. It is vital that schools have a clear understanding of what personal data they use and what policies and measures are in place, and that they have robust procedures for when something goes wrong.
Checklist: systems to review
• Parent/pupil portals
• Email systems
• Sports fixtures systems
• School photo galleries
• Parent billing systems
• Online systems for bookings, courses, examinations, results
• Mobile apps
• SMS/text messaging services
• Social media such as Facebook and Twitter accounts
• Supplier databases
• Staff payroll systems
• Marketing databases including alumni and past parents
• Website hosting
• Outsourced services
Checklist: what questions to ask
• Is there personal data in this system?
• Is any of it sensitive personal data?
• Do we have the right to use the personal data this way?
• Does the system send personal data outside the EEA? If so, do we have a lawful basis for the transfer and sufficient protection for the data in the other country?
• Are the servers, including backup and replica copies, always in the EEA? This matters especially for cloud storage and website hosting.
• Do we have agreements in place to control what others do with the personal data for which we are responsible?
• What security is in place to prevent a data breach? Are we sure it is good enough?
• How far does the security depend on staff/pupils/parents complying with our procedures?
• How long is personal data kept? How do we keep it up to date?
Checklist: other areas for review
• Have you trained your staff and governors on DPA compliance this year?
• Do you routinely share data with other bodies such as other schools/centres? If so, do you have data sharing agreements in place?
• Do your parent contracts and pupil privacy policies give you the rights to handle personal data the way that you do?
• Does your ICO notification cover all your personal data processing activities?
• Do you have a protocol for handling data subject access requests?
• Is there a designated person responsible for the school’s data protection compliance?
Serena Tierney is an IP and data law specialist at leading education law firm Veale Wasbrough Vizards.