How will GDPR affect schools?
The European General Data Protection Regulation (GDPR) was established to protect the fundamental rights of data subjects and to ensure that their personal data is processed fairly and lawfully. Schools across Europe therefore need to be aware of the GDPR, since the regulation directly affects them because of the personal data they process. Schools process the personal data of pupils and employees, so a school needs a sound understanding of the GDPR in order to protect that data and avoid data breaches.
Personal data processed by schools:
Schools are large organisations with many pupils and employees, whose personal data the school stores. A school processes personal data in the form of medical information, birth dates, exam results and photographs. Moreover, a school processes sensitive data, which the GDPR explicitly lists as including ethnicity, race and biometric data.
Schools will have to prove their compliance with the GDPR by providing documentation and records of how they process personal data and sensitive data. Schools will also have to show which aspects of their data processing are carried out by third parties and demonstrate a clear written contract with each third party that upholds data protection.
Data subjects have the right to make a subject access request to view the personal data their school holds about them, and a school that follows the GDPR should co-operate with such requests. The GDPR demands greater restriction and control over sensitive data, so subject access to this data may at times be restricted. Consequently, schools should be aware of the GDPR to ensure they deal with subject access appropriately.
Data Protection Officers (DPOs)
The GDPR states that schools are legally required to appoint a DPO, as a protection officer can help a school organise its data protection and comply with the GDPR properly. The Key, an organisation which provides expert information to schools, conducted a survey to examine how prepared schools in the UK were for the changes the GDPR would bring. The Key concluded that, of the 1,032 schools asked, around 50% had not made arrangements to appoint a protection officer. Rural schools appeared to be the least prepared for the introduction of a protection officer.
Schools have been intimidated by the number of changes they have been required to make in order to comply with the GDPR. Iain Bradley from the Department for Education has therefore released a video of guidance that simplifies the transition schools have been required to make.
Repercussions of a school's data breach:
The Information Commissioner's Office (ICO) is responsible for handling data breaches, so if a school considers that a data breach has occurred, it should report the breach to the ICO within 72 hours. Failure to do so could lead to accusations that the school was attempting to conceal the breach.
The ICO imposes fines on a school in proportion to the scale of the data breach. In 2015, 66 schools reported themselves to the ICO because they considered that a data breach had taken place, but none of them was subject to any severe ICO action.
In June 2018, shortly after the GDPR came into force, Rochester Grammar School was found guilty of a data breach. The school reported itself to the ICO after realising that a USB stick containing the personal data of pupils and employees had been lost. That personal data included names, email addresses and birth dates, as well as the special educational needs of certain pupils. The USB stick also contained sensitive data, including the race, ethnicity and language of pupils. The ICO has been notified of this breach and will determine the appropriate repercussions.
Consequently, if a school wants to remain GDPR compliant and avoid a data breach, well-trained staff with a sound knowledge of the GDPR are essential.