May this year marks the first anniversary of the General Data Protection Regulation (GDPR), the law designed to protect the personal information of individuals. It’s had a massive impact on working practices, and every school in the country has likely been changed by it in some way.
Before the law came into effect, scandalous infringements of privacy were being carried out by large corporations. They had no incentive to do anything about this, because it wasn’t in their commercial interests to do so. The ability to fine companies 4% of their global revenue for data breaches has given those previously responsible for privacy infringements a very powerful reason to change, and will go on to protect consumers, just as the law intended.
It’s also given schools an understandable and achievable way of protecting themselves, their staff and their students. However, some schools feel that GDPR has simply created a rod for their own backs because of the huge amount of work it involves. It’s certainly true that setting up good, compliant systems, and keeping them refreshed and up to date, is an enormous task.
Yet the real reason why many schools believe that GDPR has created a monster is because the past few years have seen the number of subject access requests (SARs) increase tenfold. This is where an individual – usually a member of staff or a past or present student – can request to be sent all the personal information held about them. The information has to be sent within 30 days of the request being made.
SARs can consume a horrendous amount of time, but having good GDPR systems in place can actually help. The Information and Records Management Society (see irms.org.uk), for example, publishes advice on how long you need to keep different types of information. Student records only need to be kept for seven years after they’ve left school – records should be deleted after this time, with schools recording that they’ve done so. Otherwise, if they hold the data and a student asks to see it, the school has to provide it. If schools keep everything, they are taking a big risk.
There is, however, some information that has to be kept longer, such as medical data, information about incidents relating to asbestos or radioactive materials, or – more pertinently for schools, unfortunately – child abuse records. The IRMS is a great, underused resource. So too is the DfE’s Data Protection Toolkit for Schools (see tinyurl.com/dfe-data-toolkit), which is available to download from the DfE’s website.
Another area where GDPR has created change within schools is in relation to securing consent or contracts for the use of photos and images. Consent can be given via email or even on a slip of paper, but that consent can be withdrawn at any time. You might have spent thousands on printing a new school brochure; if consent is withdrawn, you’re suddenly unable to use it.
A contract signed by both parents, on the other hand, will explain the terms of agreement to cover such situations. This is where GDPR, backed up by good working practices, helps protect schools.
I recently attended the Information Commissioner’s Office conference, and a key message I came away with was that the ICO isn’t looking to punish schools and make life harder. It’s trying to ensure we’re all protected, while managing our data in an informed and measured way.
Dr. Richard Harrold is data protection officer at ACS International Schools in Cobham, Surrey