The Data Protection Act (the DPA) sets out the framework under which independent schools should handle personal data about pupils, parents and staff. The act covers issues such as fairness and confidentiality and requires schools to be open and transparent in how they handle information about people.
The DPA also requires that schools take adequate measures to keep personal data secure. The ICO (the data protection regulator) can fine organisations up to £500,000 for serious data protection breaches and has focused almost exclusively on security when issuing fines.
It is therefore no surprise that information security attracts the most client interest. The risks have increased with new technology and working practices which have made it much easier to process large amounts of information about people. The DPA requires that the security measures in place must take account of technological development. In other words, what might have been data protection compliant a year ago may no longer be fit for purpose.
This article considers what schools should be doing to ensure data protection compliance (particularly in relation to information security) both now, and as technology and practices advance.
Policies and procedures
Most independent schools now have data protection policies and procedures. To be effective, these should provide staff with practical advice on data protection compliance. It is no longer sufficient to have a policy that simply lists the eight data protection principles without any explanation or guidance.
Data protection policies must be dynamic documents which reflect how the school handles personal data in practice and should cover issues such as working from home, data sharing within the school, communication with parents and, most importantly, information security.
The importance of having robust policies and procedures cannot be overestimated. Not only will they reduce the chance of things going wrong, they may also count as mitigation should the ICO investigate an apparent data protection breach.
Robust policies should also be supported by training for staff on data protection compliance. Training should reduce the chance of mistakes with data, but may also count in mitigation should a breach occur.
It is important that training is given to all staff and that they understand the seriousness of data protection breaches. Staff should also be reminded that they could be personally liable in some circumstances. This may improve their vigilance and compliance.
Staff working away from school or using their own devices
Many schools encourage staff to use their own personal devices for school work (so-called ‘bring your own device to work’). This has huge implications for information security as schools have much less control over the device. Schools should consider adopting measures such as secure remote access and device management software to ensure that school emails and documents remain secure, even if devices are lost or stolen. Encryption on its own is unlikely to be sufficient: it protects the data stored on a lost device, but it does not let the school revoke access or remove school data from a device it no longer controls.
The ICO has already taken enforcement action in this area. Last year, for example, Aberdeen City Council were fined £100,000 for a breach involving staff working from home. Precautions, guidance and advice are therefore essential whenever staff are working away from the school site, whether they are using their own device or equipment provided by the school.
Auditing data protection compliance
Schools should audit their data protection compliance on a regular basis. This should include checking that staff understand the obligations (for example, interviewing staff or asking them to complete a questionnaire) and checking that the school’s IT arrangements are secure.
Schools should also consider the data protection implications of processing personal information in a new way. All of the following should trigger a data protection audit:
• an international project which will involve staff or pupils going overseas
• a new school website (organisations have been fined for website security lapses)
• allowing staff to use their own devices (please see above)
• a new IT system and/or relocation to a new building (a number of organisations have been fined after losing records during a move).
Privacy notices and the right to know
Under the DPA, individuals have a right to know how their information is used. This information is often provided in a document called a privacy notice. This document should set out in plain English how the school uses personal data and should be made available to pupils, parents and staff.
Storing information in the cloud
More and more schools are storing information in the ‘cloud’ which has a number of advantages. The benefit is that individuals can access and work on documents from anywhere and by using multiple devices. A member of staff could create a document on a PC at school, continue working on it with a smartphone whilst on the train and finish it off using a laptop at home.
Whilst cloud computing does offer a number of advantages and may well become the standard way of working in the near future, storing and accessing information in this way is not always secure and schools should look very carefully at security when choosing a cloud storage product. Services that are ‘always on’, where the device remains logged in so that documents can be opened without re-entering a password, or services that automatically share documents with friends and contacts, are particularly likely to give rise to data protection concerns.
Subject access requests
Under the DPA, individuals have a right to access their personal data. This is known as a subject access request (SAR). Individuals (including parents, pupils and staff) are increasingly making SARs for tactical reasons, for example, to try to force disclosure of information which might assist in a dispute. A school must supply the information unless it is exempt from disclosure. There are a number of exemptions which may allow the school to properly withhold information which it would prefer not to share with the requester.
It can take hundreds of hours to collate all of the information that is potentially disclosable. Furthermore, there is no exemption for ‘embarrassing’ emails. Staff training should include warning staff against making unprofessional comments in emails as the email may have to be disclosed (unredacted) if the subject of the email ever made a SAR. Dealing with a SAR is highly specialised and can be a real burden for an independent school.
Disclosures made to the Charity Commission
The Freedom of Information Act (FOIA) gives individuals a right to information held by public bodies. Although independent schools are not caught by the FOIA, we are witnessing a growing trend of FOIA requests to the Charity Commission (a public body) in order to obtain disclosure of information and documents relating to a school.
These requests are often made by journalists fishing for a story or by parents who are unhappy with the school’s direction (for example, they may oppose a proposed merger or constitutional change).
Ultimately, the commission has the final determination on what information is disclosed, but it will often seek the school’s view on whether any of the information is exempt from disclosure (for example, because it is confidential).
However, the commission has no legal obligation to consult, and we would therefore recommend that schools always identify in advance in their communications with the commission (by reference to the appropriate FOIA exemption) those documents which they consider would be exempt from a FOIA disclosure.
Andrew Gallie is a senior associate specialising in data protection and information law at leading education law firm Veale Wasbrough Vizards. T: 0117 314 5623 E: firstname.lastname@example.org W: www.vwv.co.uk Andrew will be providing training on DPA issues for independent schools on 27 November at The Haberdashers’ Aske’s Boys’ School. For more details and to register your interest please see the VWV website, or contact Andrew directly.