GDPR awareness For Schools Presented by Darren Rose

GDPR awareness… for Schools. Presented by: Darren Rose. Note: This presentation and supporting materials do not constitute legal advice.

Confirmation of materials.

GDPR… an overview. What does GDPR stand for? General Data Protection Regulation. What is it? It is the change of a generation for individual data privacy, brought into law by Europe through a framework or regulation to harmonise and enforce the rights of every resident to data privacy. Whilst there are unchangeable elements of the regulation, each member state is required to enact a local law to confirm certain local aspects, such as the age of consent for children, legitimate interests etc. The Data Protection Bill 2017 is currently going through parliament and will be enacted before the 25th May.

Data privacy rights:
1. The right to be informed
2. The right of access
3. The right to rectification
4. The right to erasure (be forgotten)
5. The right to restrict processing
6. The right to data portability
7. The right to object
8. Rights in relation to automated decision making and profiling.

GDPR… Definition of terms:
• ICO – Information Commissioner's Office, the UK supervisory authority.
• Data Controller – Organisation which determines the purpose and means of data processing.
• Data Processor – Organisation whose sole aim is to process the data in lieu of the controller.
• Data Subject – Individual whose data you hold, i.e. student, staff etc.
• Third Party – Any person or organisation you are sharing data with, but not as Data Processor or Data Controller, i.e. Police etc.
• DPO – Data Protection Officer, a named individual responsible for guidance and compliance.

GDPR… Definition of terms (continued):
• PIMS – Personal information management systems: description of policies, procedures and records of processing kept.
• ISMS – Information security management systems: description of policies, procedures and records of security measures used to keep information secure.
• Risk – Probability of something happening multiplied by its impact (Hint: you do this every day within a school).
• Risk appetite – How much risk you wish to accept.

GDPR… an overview. Scope: “any information relating to an identified or identifiable natural person…” (GDPR EU 2016/679 Article 4(1)). [Diagram: personal data held by a school, surrounded by the labels PECR, DfE, HSE, DWP and Safeguarding.] Territorial scope: ANY organisation offering a service, paid or free, to EU residents.

GDPR… an overview. Does this replace other legislation, i.e. Safeguarding? NO. The GDPR is there to protect the data. Other legislation will dictate what you collect, with whom you should share it and how long you should keep it. The Information Commissioner's Office has produced a data sharing checklist which contains the paragraph: “Have you assessed the potential benefits and risks to individuals and/or society of sharing or not sharing?” Source: ICO Data sharing checklist – systematic data sharing.

Data Protection model under the GDPR. [Diagram: the Information Commissioner's Office (ICO, supervisory authority) carries out Assessment and Enforcement of Data Controllers (organisations) and Data Processors; the Data Controller has Duties towards the Data Subject, who has Rights; labelled questions on the links read Security?, Inform?, Guarantees? and Disclosure?; further nodes are Third countries, Third parties and Police (section 29).]

Data Controller. Data Controllers determine 'the purposes and the means of the processing of personal data'. This applies to both public and private sectors. For instance, a company is the controller of data on its clients and employees; a sports club is controller of its members' data and a library of its borrowers' data. Data controllers must respect the privacy and data protection rights of those whose personal data is entrusted to them. They must:
• Collect and process personal data only when this is legally permitted;
• Respect certain obligations regarding the processing of personal data;
• Respond to complaints regarding breaches of data protection rules;
• Collaborate with national data protection supervisory authorities.
Source: http://ec.europa.eu/justice/data-protection/data-collection/index_en.htm

Important responsibilities as a Data Controller. Data controllers may only appoint data processors which provide sufficient guarantees to implement appropriate technical and organisational measures to ensure processing meets the requirements of the GDPR.
• Personal data must be processed legally and fairly;
• It must be collected for explicit and legitimate purposes and used accordingly;
• It must be adequate, relevant and not excessive in relation to the purposes for which it is collected and/or further processed;
• It must be accurate, and updated where necessary;
• Data controllers must ensure that data subjects can rectify, remove or block incorrect data about themselves;
• Data that identifies individuals (personal data) must not be kept any longer than necessary.

Data Processor. Data Processors ‘process the personal data only on documented instructions from the controller'. This applies to both public and private sectors. Data processors must also respect the privacy and data protection rights of those whose personal data is entrusted to them. They must:
• Ensure the persons authorised to process data have committed themselves to data confidentiality.
• Assist the controller by appropriate technical and organisational measures, insofar as is possible.
• Assist the Controller in ensuring compliance with its obligations.
• Delete or return all data to the Controller at the end of provision of services, unless there is a legal requirement to retain.

Data Protection Officer. The DPO, who can be a staff member or contractor, shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39. These are:
• Inform and advise the controller or processor and the employees of those organisations.
• Monitor compliance with GDPR, including the assignment of responsibilities, awareness and training of staff involved in data processing and related audits.
• Provide advice on the data protection impact assessment and monitor its performance.
• Cooperate with the supervisory authority (ICO).
• Act as the contact point for the supervisory authority on issues related to the processing of personal data.
The DPO position can be contracted out (outsourced) to an external individual or company if no other option is possible.

Legal basis for processing. There are 6 legal bases for processing of personal data. These are:
• Contract – Performance of a contract, or required to enter into a contract. Note: use for staff, as consent cannot be deemed to be given freely.
• Legal obligation – Processing of personal data to fulfil a legal obligation of a UK or EU law; not to be used for either contract or non-EU member law.
• Vital interests – Protection of vital interests of the data subject, i.e. processing to ensure the subject's survival in an emergency if there is no other option.
• Public interests – Necessary for the public interest or exercise of official authority of the controller, i.e. whistle blower, journalism, administration of justice etc.
• Legitimate interests – Of the controller or a third party, unless overridden by the rights of the subject, i.e. debt collection, warranty on goods, promotion of services B2B.
• Consent – Very tight conditions on informed, explicit and evidenced consent; most schools will only use it for services outside the normal school day, i.e. before/after school club, school community newsletter etc.

GDPR principles of data processing. 6 principles of data processing, underpinned by accountability:
1) Processed lawfully, fairly and in a transparent manner
2) Collected for specific, explicit and legitimate purposes
3) Adequate, relevant and limited to what is necessary
4) Accurate and, where necessary, kept up to date
5) Retained only for as long as necessary
6) Processed in an appropriate manner to maintain security

GDPR key elements:
• Comes into effect on 25 May 2018
• Fines of up to €20 Million (or 4% of global turnover)
• New subject right to compensation
• New specific consent with evidence and rights to withdraw consent*
• New subject right to be forgotten (deletion)*
• 1 month for subject access requests, with charges removed*
• Mandatory privacy impact assessments
• Mandatory documentation of compliance
• Mandatory breach notifications within 72 hrs of discovery
*Exceptions exist; however, advice should come from your DPO in order to ensure correct usage within the context of your organisation and the data involved. Therefore exceptions are outside the scope of this presentation.

Accountability. Unfortunately, under the GDPR, there is an increased emphasis on accountability or demonstration of compliance, including policies, procedures and records. Potential impact on administration (a sample, not a complete list):
• Subject access requests
• Data transfers
• User account creation
• Privacy impact assessments
• Mobile devices
• Breach notifications

Accountability: reducing impact on administration. There are currently several GDPR toolkits available on the market which contain all of the policy, procedure and record templates required under the GDPR. [Slide shows a sample of pre-populated policies, procedures and records contained within the IT Governance GDPR toolkit.]

Possible locations of personal data:
• Physical files – Printouts, correspondence etc.
• Physical archived files – HR records, pupil records etc.
• Locally kept electronic files – Files, databases, spreadsheets etc.
• Internet based electronic files (Cloud) – Website, backups, emails, online storage etc.
• Physical backups – USB sticks, removable drives, backup tapes etc.
• Mobile devices – Laptops, mobile phones, tablets etc.

Risk awareness – Human factors. [Chart: reported incidents to the ICO (January - March 2017). Source: ico.org.uk]

Risk awareness – Technical factors. [Chart: reported incidents to the ICO (January - March 2017). Source: ico.org.uk]

Risk awareness – Penalties. [Chart: reported incidents to the ICO (January - March 2017). Source: ico.org.uk]

Privacy culture: mitigating risk. As you increase:
• Awareness
• Training
• Security
• Use of formal processes
• Use of contracts
• Accountability
…your risk of:
• Data breach
• Severe penalties
• Loss of reputation
…will decrease.

Recommended next steps… Step 1) Create a team, for example: IT / IT support company, SENco, CPO (Chief Privacy Officer), Learning Mentor, Business Manager. Step 2) Appoint or assign the role of a Chief Privacy Officer.

Recommended next steps (continued)…
Step 3) Use what internal/external resource you have.
Step 4) Send out your supplier due diligence letter.
Step 5) Identify if you have access to a DPO, either through the local authority or through your trust.
Step 6) Audit all IT, documentation and physical locations, as well as existing policies, procedures and records.
Step 7) Create a register of processing activity (legal requirement).
Step 8) Ensure all staff within your school are trained and aware.
Step 9) Embed a culture of “Ask… don't guess” within your school (just as you do for safeguarding).
- Slides: 26