Schools ICT
Data Protection Act 1998, GDPR, Data Protection Act 2018
GDPR: What’s New?
General Data Protection Regulation, effective from 25th May 2018
• A complete overhaul of data protection regulation with extensive updates of what can be considered identifiable information.
• Applies across all member states of the EU (including us after Brexit!)
• Applies to all organisations processing the data of EU subjects – wherever the organisation is geographically based
• Specific and significant rights for data subjects to seek compensation, rights to erasure and accurate representation
• Significant changes related to the processing and controlling of children’s data
• Public authorities must appoint a Data Protection Officer
• Fines of up to 20,000 Euros or 4% of global annual turnover
A Reminder
Data Controller: determines which personal data will be collected, from whom, why, how long it will be kept for and how it will be processed.
Data Processor: processes data on behalf of the data controller and could decide which systems to use to do so.
The Information Commissioner is the person who has powers to enforce the Data Protection Act.
The Six Data Principles
Personal data must be:
• Processed lawfully
• For a specific purpose
• Kept to a minimum
• Accurate and up-to-date
• Retained only for as long as it is needed
• Kept securely
The Rights of Data Subjects
• Right to be informed
• Right of access
• Right of rectification
• Right of erasure
• Right to restrict processing
• Right to object
• Right to data portability
• Rights in relation to automated decision making
Lawful Basis for Data Processing
• Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
• Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
• Legal obligation: the processing is necessary for you to comply with the law.
• Vital interests: the processing is necessary to protect someone’s life.
• Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
• Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
Compliance and Accountability
• Must be able to demonstrate compliance with the regulation - compliance alone is not enough.
• How can you do this?
  • Raise awareness
  • Establish what data is processed, why and for how long, and who that data is shared with and why
  • Decide which legal grounds apply to each category of data collected
  • Review privacy notices
  • Data protection impact assessments
  • Review contracts, handbooks and policies
  • Training
Children & the GDPR
• The GDPR contains new provisions intended to enhance the protection of children’s personal data.
• For the GDPR a child is under 16. Member states can amend this but not to lower than 13. In the UK a child is under 13.
• Where services are offered directly to a child, you must ensure that your privacy notice is written in a clear, plain way that a child will understand.
• An individual’s right to erasure is particularly relevant if they gave their consent to processing when they were a child.
• If making ISS (information society services, i.e. online services) available to children, and you wish to rely on consent to legitimise your processing, you need to verify that anyone providing their own consent is old enough to do so.
• If the service is available to under 13s, the data controller must also make reasonable efforts to verify that the person giving consent does, in fact, hold parental responsibility for the child.
• Introduction of a code of practice for data controllers on age-appropriate website design.
Current provisional indications of age of consent across the EU (chart not reproduced in this text)
Children’s understanding of data privacy
• “I have read and agree to the Terms” is the biggest lie told on the web: https://tosdr.org
• Ofcom’s 2016 media use and attitudes survey of 5- to 15-year-olds includes useful indicators about children’s grasp of personal data privacy. These offer some worrying indications. For example, among 12-15 year olds:
  • 17% agree “I will give details about myself to a website or app to be able to get something that I want.”
  • 13% of those with a social media profile agree “getting more followers is more important to me than keeping my information private.”
  • 58% think: “I can easily delete information that I have posted about myself online if I don’t want people to see it.”
• Need to develop data protection teaching and practice through the curriculum.
Cyberpass
Action Plan for Schools & Academies
The Information Commissioner’s Office (ICO) suggests a number of ways in which organisations such as schools and colleges can prepare for these changes and has published a 12-step checklist. In summary:
• Awareness: ensure decision makers and key individuals in your school or college are aware that the DPA is changing to the GDPR. They need to appreciate the impact it will have and how the new legislation will affect your institution.
• Information you hold: organise an information audit and document the personal staff and student data you currently hold, where it came from and who it is shared with.
• Communicating privacy information: review your current privacy notices and put a plan in place for making any necessary changes in good time.
• Legal basis for processing personal data: review the various types of data processing you carry out, and identify and document your legal basis for carrying it out.
• Consent: review how you are seeking, obtaining and recording consent and whether any changes are required.
• Individuals’ rights: check your current procedures to ensure they cover all rights of individuals, including how personal data is deleted.
• Students: start thinking about what systems you are going to put in place to gather pupil, parental or guardian consent for the data processing activity.
• Subject access requests: update your procedures, plan how you will handle requests within the new timescales and provide any additional information.
• Data breaches: ensure you have the right procedures in place to detect, report and investigate a personal data breach.
• Data protection by design and data protection impact assessments: consider when to begin implementation of Privacy Impact Assessments at your school.
• Data Protection Officers: designate a data protection officer or an individual to take responsibility for data protection compliance.
• Training: for all new staff, and regular and refresher training for existing staff.
• International considerations: consider the implications for those organisations with international operations.
Data in Schools & Academies
Data held or collected by the school: information assets

Pupil data (within MIS)
• Pupil records
• Safeguarding / Child Protection data
• SEN
• EAL
• Exclusion, behaviour
• Reports
• Examination results / Statutory Assessments
• Attendance registers
• Student photos

Staff data (within MIS)
• Staff Personal File
• Performance / CPD data
• Staff absence data
• Staff photos

Other Personnel Data
• Recruitment records for new headteacher
• Recruitment of new staff
• DBS / vetting checks
• Appraisal / CPD data
• Disciplinary and grievance records
• Allegation of a child protection matter
• Malicious allegation of a child protection matter
• Health and safety assessments
• Health and safety accident reports
• Admissions papers (successful or unsuccessful)
• Student medical records and reports
• Student social service records and reports

Financial matters
• Annual accounts
• Purchase Orders, Invoices, Payments
• Records around budget management
• Asset management
• School Fund
• FSM* - free school meals registers
• School meals registers
• Records relating to school lettings
• Records relating to school maintenance

Access control / passwords* into systems
• Authorise data access / Nominated Contacts
• Password to DfE or LA systems
• Network administration / password lists
• USO password information
• Email management
• Web filtering management
• School website administration
• Social media platforms, e.g. Twitter
• Learning Platform password information

Communications
• Information added to website
• Information added to social media
• Learning Platform content
• Parental messaging system correspondence
• Student photos* (not required for pupil record)
• Staff photos* (not required for Personal record)

• Early Years assessments (not in core MIS)
• Student reports (not in core MIS)
• Student assessments (not in core MIS)
• Third Party comparative performance data
• USO School Open Check
• Back-up media (where on site)
• Back-up media in Cloud
• Emergency mobile phone loaded with data
• Governors' documents with sensitive content
• Governors' standard published meeting documents
• Reports presented to Governors meeting
• Annual governors reports
• Other T&L potentially sensitive material
• Annual parents’ meeting papers
• Policies and plans administered by Governing body
• Other operational potentially sensitive material
• CCTV saved footage
• Visitor signing-in book / management system
• Biometric system - registration
• Biometric system - other
• Newsletters and information with a short operational life
Data Audit log
Task: using the data log,
• identify the information asset owners in your school
• for the pupil records, identify who can access the information
• for the pupil records, identify where they are kept
• for the pupil records, identify any that are shared
• for communications data, identify which data you need consent for, and discuss how you will do this
• identify other T&L systems/apps that process your data
Privacy Notices
• Should be provided at the point of collection of the data, explaining:
  • Source of the data
  • Who will receive it
  • The intended purposes of the processing and the legal basis for the processing
  • The period for which data will be stored
  • The existence of the data subject rights
  • The rights to object, withdraw and complain
  • If relying on the legitimate interests basis, what the legitimate interests are
• Ensure the notice can be understood by the data subject, e.g. pupils (over 13)
• The DfE have updated their template privacy notice for pupils and we have incorporated some (but not all) of it into our template
Privacy Notices
Task: using the appropriate Privacy Notice template (Primary or Pupils over 13),
• Review the examples of why the school collects information
• Review the section on who you share information with
• Feed back on anything that should be widely included or omitted
Subject Access Requests
• No fee (some scope to charge for multiple copies*) – currently £10
• One month to comply (some scope to extend)
• What will you do if you receive a request over the school holidays?
• Watch out for an overlap with the Freedom of Information Act 2000
• Consider the interaction with other sector-specific legislation:
  • For maintained schools: parents have a right to request their child’s education record - Education (Pupil Information) (England) Regulations 2005
  • For academies: “an annual written report of each registered pupil's progress and attainment in the main subject areas taught…” – Paragraph 32 (11)(f), Schedule 1, Education (Independent School Standards) Regulations 2014
• Volume: where a large volume of data is held, you may ask the data subject to specify precisely what the request relates to
* May charge a fee or refuse to act if the request is “manifestly unfounded or excessive” (Article 12)
Contract Review
GDPR Article 28: “…the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.”
Only use processors that comply with GDPR and prove it.
Data Security
• Transfer of documents – do all staff always use secure email (USO-FX)?
• Staff email – do all staff use school email?
• Governors email – do all governors use school email?
• Staff password policy – is it implemented and monitored?
• Are removable devices encrypted?
• Do you have remote access for all staff who need it?
• How often do you review data retention and get rid of data you no longer require?
• Are your servers physically secure?
Data breaches
• Losing data
• Sending it to the wrong person
• Unauthorised people accessing it
• Emailing it over unencrypted email
• Applies to electronic and paper copies of data
• Serious breaches must be reported to the ICO within 72 hours
• Encrypted data does not have to be reported, e.g. encrypted memory sticks
Data breach notification
• Notification dependent upon risk
• Three categories: No Risk; High Risk
• “If unaddressed, such a breach is likely to have a significant detrimental effect on individuals”
• Notification must be sent to the ICO without undue delay and normally within 72 hours after discovery of the breach, where that is feasible
• Notification to Data Subjects if a breach is likely to result in a high risk to the rights and freedoms of individuals
• Data breach systems need to be robust, rehearsed and regularly reviewed
• Maintain an internal breach register
• What will you do if a breach happens when the school is closed, e.g. summer holidays?
The Data Protection Officer
• As a public body, maintained schools and academies must appoint a DPO
• This is a statutory position
• For schools in a MAT, the MAT needs to appoint a DPO
• Can be shared across schools or a DPO on demand service
• Must be impartial, report to the Head and have no conflicts of interest
• Takes an advisory and monitoring role
• Guides your school to compliance
• Leads on any data breach process
Action Plan for Schools & Academies
Requirement: Activity
• Raise awareness & provide training: Ensure all staff and governors are aware of the changes. Arrange training for staff to ensure their understanding of the requirements of the GDPR, an on-going requirement.
• Know what data you use and how you use it: Map your data fully using the data audit log.
• Privacy by Design: Review your data and ensure that your privacy notices and other policies align (e.g. consent, PIA, AUPs).
• Data Security & Incident Management: Have a robust policy and processes to keep your data secure and a process for investigating, managing and reporting any security incidents.
• Roles & Responsibility: Appoint a Data Protection Officer.
Questions that Governors should ask

Question: Does the school ensure that all staff know about their obligations under the data protection legislation and the school policy? Do all users receive regular security and data protection training?
Why this question is important: The staff members in your school are the frontline of data protection. They often collect, store and manipulate personal data in order to be able to fulfil their duties. It’s therefore no surprise that staff are a likely cause of a data breach. Not just accidentally, but also maliciously. Whilst a data protection training programme is unlikely to stop malicious breaches, it has the potential to significantly reduce the occurrences of accidental data loss.
What to look for:
• An audit of staff skills and understanding of data protection.
• A training plan that includes all staff and visitors.
• Evidence that policies are freely and readily available and well communicated (e.g. posters, school / college website, staff handbooks, etc.).
• A full range of training topics covered, including social engineering and phishing, use of cloud technologies and ransomware attacks.
• Evidence that the training plan adapts to the needs of the users and the school.
• Role-specific and detailed training for those who process data more regularly.
What is good or outstanding practice:
• Data protection training is mandatory for all staff, irrespective of experience, role or skill.
• Where a user fails, or has difficulty in an area of understanding, the school supports the user to understand.
When might you be concerned:
• No training needs audit or training plan in place.
• No awareness of data protection responsibilities across staff.
• Missing records of data protection training and updates.
Question: Has the school conducted a data audit / mapping exercise to identify what personal data is processed?
Why this question is important: Schools are obligated by legislation to ensure that personal data is protected. Knowing what personal data the school processes and why is the first step to understanding how it needs protecting.
• How is the personal data collected?
• Who has access to it?
• What data is held?
• Where is it held?
• When will the data be disposed of?
• How will the data be stored and disposed of securely?
• Only once an audit has been defined and performed can personal data be mapped and the appropriate decisions and protections made.
What to look for:
• The school is able to identify what personal data is collected and how.
• A list of all the storage locations for personal data and what is contained in each location.
• Users only have access to the data they need to use and no more.
• An up-to-date data retention policy with an associated disposal log.
What is good or outstanding practice:
• The record of processing activity includes the lawful basis under which processing activity is taking place and records when and how the data will be (or was) disposed of.
• User accounts enable the users to request, or temporarily obtain, access to personal data as necessary to their role.
• The audit is reviewed at least annually with further actions considered.
When might you be concerned:
• There is no record of processing activity.
• The school does not readily know what personal data is processed.
• The school does not know where personal data is stored.
• There is no data retention or safe disposal policy.
Question: How does the school gather consent for processing personal data, particularly children’s data and associated formal parental consent? Has a record of consent been established?
Why this question is important: The GDPR provides six lawful bases for processing data. For many schools the processing of personal data is likely to be performed under the lawful basis termed ‘public task’. In essence, as long as the activity is necessary and the requirement, or task, is laid down in law then you may process the personal data and do not need to look for any other basis. Care should be taken to ensure that the data is not collected for one reason (under public task) and then re-used in another way that does not constitute a public task. For example, a parental address and phone number may be essential for a school to process under law, but it would then not be lawful to process this in a different way by, for instance, sharing this with a third party parental communication system used to promote school events and other notices. In this situation another lawful basis should be identified and for this, consent is most likely. Consent should also detail in a very clear and specific way why this is necessary, what will happen to the data, and how and when it will be disposed of.
What to look for:
• Clear, established and effective routes for gaining consent from all users, including parents / carers of children under 13 in the case of ‘information society services’.
• Clear processes when staff or students register at the school / college and subsequently leave.
• Well managed records of consent.
What is good or outstanding practice:
• Evidence of clear, well-communicated, easy-to-understand notices to all school users on what personal data is collected, stored and processed.
• Consent is made clear to all staff across the school and, as much as practicable, to pupils in language relevant to their age.
• Pupils actively involved.
When might you be concerned:
• No evidence that informed consent has been sought.
• Staff and pupils have little knowledge of how their data is collected, stored and processed.
• There are no clear routes for users to obtain relevant access to their personal data.
Question: Has the school / college appointed a Data Protection Officer (DPO)?
Why this question is important: The requirement to appoint a data protection officer is a statutory requirement under GDPR. In short, you must appoint a DPO if:
• You are a ‘public authority’ – this is highly likely to be the case for state-funded schools.
• You carry out large-scale monitoring – such as attendance, attainment or behaviour records processed.
• You process large amounts of ‘special category’ data or criminal convictions or offences (such as DBS checks).
The Officer:
• Should have expert knowledge of data protection law
• May be designated as data protection officer by several organisations
• Must be involved in all data protection matters
• Must be independent of the controller and not be subject to any conflict of interest
• Must report directly to the Headteacher / Governing Body
• Must be entrusted with the tasks laid out in section 69, including: advising and monitoring data protection impact assessment procedures, monitoring compliance with policies and monitoring the controller, assigning responsibilities, raising awareness, training, conducting audits.
• A clear line of communication between the highest management level of the controller and the appointed DPO, either internally, or as a service from a third party, or consortium / cluster.
What to look for:
• Clear evidence that the school has sufficient skills and staff to ensure that personal data is kept safe and secure.
What is good or outstanding practice:
• The DPO has a proven history in data protection.
• The DPO regularly updates their own knowledge.
• The DPO is fully resourced and able to directly contact the Headteacher / Governors where a decision is required.
When might you be concerned:
• There is no DPO.
• The DPO does not have suitable experience / qualification.
• The DPO is not independent from direct personal data processing at the school.
• The DPO has been penalised for carrying out their duties.
Question: What are the school procedures in the event of a personal data breach?
Why this question is important: Under the new legislation not all data breaches need to be reported. Where a breach results in a ‘risk to the rights and freedoms of natural persons’ then this should be reported to the ICO within 72 hours of discovery, where feasible. If a breach requires notification the data subjects shall also be notified, without delay. It follows, therefore, that good data breach notification and business continuity plans should be drawn up. This task may be delegated from the Headteacher to the DPO, or the DPO in partnership with other staff/technical support partners. Either way, this process should be clearly documented and made available to those who need access to it.
What to look for:
• A suite of related data breach, disaster recovery and business continuity plans, perhaps drawn together in a single document and / or flowchart.
• Evidence of these plans having been tested.
• Data protection officer involvement in the production of the policies and procedures.
• Effective data backup systems and procedures.
• Systems have been tested at least annually.
What is good or outstanding practice:
• There is evidence of a wide range of stakeholder involvement in the planning process.
• Wider staff members are aware of the policies and understand their role in the event of a situation occurring.
• Effective data backup systems and procedures that are regularly tested and include off-site copies.
When might you be concerned:
• There are no plans for breach notification, disaster recovery or business continuity.
Question: Does the school / college have up-to-date data protection policies in place? Have these been reviewed in the light of the new data protection legislation?
Why this question is important: Schools are statutorily required to demonstrate compliance with the UK Data Protection Act and the GDPR. The recommended way to do this is through the creation and ratification of a clear set of data protection policies. Further information can be found in the EU GDPR, Article 5, section 2, page 118.
What to look for:
• There are up-to-date data protection policies in place that meet statutory requirements.
• There are systematic and regular reviews of policies, at least on an annual basis.
• Pupils / Students, staff, parents and carers are aware of data protection policy and expectations.
• Where relevant, volunteers, contractors and visitors are aware of data protection policy and expectations.
What is good or outstanding practice:
• Policies are regularly reviewed through wide professional consultation that includes the views of pupils and parents.
• Evidence of monitoring and evaluation processes to ensure understanding of, and adherence to, policies.
• Linked to and a part of other relevant policies.
When might you be concerned:
• Missing or not up-to-date data protection policy.
• Policy is generic and not relevant to the school’s needs.
• No / irregular review of policies, a lack of records management or version control.
• Policies exist but are not publicised to the school body and are not known by staff and pupils.
Further help & guidance
• GDPR full text: http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf
• ICO data protection for the education sector: https://ico.org.uk/for-organisations/education/
• DfE GDPR guidance for schools: https://www.youtube.com/watch?v=y09IHXv6u6M
• Wandsworth Info for Schools: https://wandsworthpublic.sharepoint.com/info4schools/SitePages/Data%20Protection%20Act%20and%20Freedom%20of%20Information.aspx