Is your school meeting its obligations under the Data Protection Act? Law expert Paula Williamson looks at the new tougher penalties for breaching data protection law and what schools need to do to get compliant
Penalties for breaching the Data Protection Act (DPA) have just increased sharply and did you know that not only the school can be liable for a breach but also a senior member of staff? Complaints about potential privacy violations soared by 30 per cent last year, according to regulator the Information Commissioner’s Office (ICO), so if you have not done so already, now is the time to get your head around data protection so that it can be hardwired into school governance and culture.
If you do plan on ducking out of data protection compliance you should at least understand the risks involved. A school that chooses not to get to grips with data protection law will automatically be operating at a higher level of risk than others who are compliant. It is also more likely that it will, at some point in time, violate a pupil or other individual’s privacy.
The risk of breaking the law has increased in proportion to the many new ways of working. Off-site working is now better facilitated by technology. Add to this the increasing appetite for social networking, school websites and blogs and it is easy to see why scarcely a week goes by without a data protection blunder being reported in the media.
If a school ignores its legal data protection obligations, at best it will suffer reputational damage, unwelcome scrutiny from the media, and possible intervention from the ICO. At worst in could result in a criminal record, fines and civil compensation claims.
Furthermore, the information commissioner now has the power to issue a Monetary Penalty Notice (MPN) fining organisations up to £500,000 for serious breaches of the Act which are likely to cause damage or distress. In order to issue an MPN, the information commissioner needs to be satisfied that the breach was either deliberate or negligent and that the organisation failed to take reasonable steps to prevent it.
An example of this could be if a school laptop is stolen which contains pupil/staff names and addresses including health information. Some of the pupils and parents suffer worry and anxiety that their sensitive personal data might be made public. The fact that those worries never materialise is irrelevant.
Data protection is the area of the law that governs what you may and may not do with personal data. Personal data is information which identifies a living individual and can be held manually (e.g. hand-written notes, photographs, printed emails and letters) or electronically (e.g. databases, CCTV images, unprinted emails etc). Data protection law sets out the legal rules about obtaining information from your pupils and staff; the ways in which the school may (and may not) use personal information – whether it can or cannot be shared with external organisations and the all important security obligations for the storage of personal data, for example. Data protection also regulates the use of personal data for marketing purposes.
All schools hold enormous amounts of personal data. The DPA will be engaged whenever that personal data is processed by the school. Sometimes it is pretty obvious when data protection law is engaged. For example, pupil attendance records, contact sheets, records of pupil achievement, consents for administration of medicine, a teacher’s sickness record, emails between staff concerning pupils or staff, and written records of an exclusion meeting.
However, sometimes the DPA will be engaged without you even realising it. For example, implementation of pupil biometric systems for catering, library book borrowing or to record attendance. A teacher’s “private” notes on pupils or posting pupil data on the website or in the school magazine. Simply sharing pupil data including CCTV images with an external organisation such as the police, a consultant or a commercial contractor, will all engage the Act and you need to ensure that such sharing is fair and lawful.
So what does a school need to do to comply?
The DPA contains a range of legal obligations which your school needs to understand and comply with. The most well known of these obligations is to register (or notify) with the ICO. Failure to notify or to keep your notification up-to-date is a criminal offence.
The DPA also requires all schools to process personal data in accordance with eight principles. These principles govern the standard of processing and require the school to ensure that personal information is:
- 1. Fairly and lawfully processed: Has your school issued up-to-date Privacy Notices to pupils and staff? Is your use of personal data on your website both fair and lawful?
- 2. Processed for limited purposes: Information collected for a stated purpose should not be used for other unrelated purposes. For example, having obtained parental consent to take a pupil’s photograph for a library pass, this photograph should not then be used for the school website or supplied to the press.
- 3. Adequate, relevant and not excessive: Is your contact information for primary and secondary carers sufficient?
- 4. Accurate and up-to-date: How often do you update your parental consents and by what method? What if a parent fails to confirm their contact information is up-to-date?
- 5. Not kept for longer than necessary: How long should you retain a child protection allegation for? How about CRB data?
- 6. Processed in line with an individual’s legal rights: One of the legal rights a data subject has is the right to ask for a copy of their personal data (known as a Subject Access Request or SAR). It is crucial that the school knows how to recognise and process a SAR and what information it can withhold. If your school is maintained it also needs to be able to distinguish a SAR from a parental request for access to the educational record of their child. Why? Because these two requests are governed by different legislation.
- 7. Kept safe and secure: See below.
- 8. Not transferred to other countries without adequate protection: If your school website contains pupil or staff information this rule will be engaged simply because this information is available to the world at large. What about sending pupil information overseas for a school trip or exchange?
Principle 7 (the requirement to keep personal data secure) attracts a lot of media attention – think theft or loss of an unencrypted laptop or memory stick. Principle 7 requires the school to take “appropriate” technical and organisational steps to prevent data from being accidentally lost, stolen or destroyed or from being handled by someone without authority.
The technical steps needed depend upon the sensitivity of the data concerned but would almost always include appropriate encryption solutions, off-site automated back-up to a secure server, use of passwords and keeping an audit trail of all portable computing devices. Sensitive personal data such as health, sexual life, religion and ethnicity data requires enhanced protection.
Because teachers often work from home they need portable computing devices. That is fine, but if you think keeping data secure at school is tricky then keeping it secure in a teacher’s lounge or on the back seat of their car requires real thought. The astute head knows that all employment contracts should include an obligation to process personal data in line with the DPA and the school’s data protection policy. By tethering data protection to the employment contract in this way, teachers will have a “contractual interest” in protecting data because if they do not they face disciplinary action.
Principle 7 also requires the school to ensure that all staff who handle personal data have received data protection training that is regularly refreshed – one and a half to two hours suggests the ICO. If your staff have not received this training then the school is automatically in breach of principle 7. But getting staff trained brings other benefits apart from compliance with the law. If the worst comes to the worst and your school finds itself at the centre of a data security incident, the fact that staff have received appropriate training will be taken into account by the Information Commissioner’s Office in its investigation and will help determine what enforcement action it chooses to take against the school.
Ensuring your staff are data protection savvy also demonstrates to those that matter – your parents, auditors the media and the public – that you take your legal obligations seriously and helps with incident management from a PR perspective.
Finally, it is worth knowing that as well as the school, senior individuals that have deliberately or recklessly breached the law can also be prosecuted. Given that data protection complaints are on the up, no school, not even the smallest, will want to put off data protection for another year.
• Paula Williamson is the principal solicitor at the Information Law Practice, a niche law firm specialising in data protection and freedom of information in the education sector. They run courses for schools. Visit www.theinformationlawpractice.com.
If you do plan on ducking out of data protection compliance you should at least understand the risks involved. A school that chooses not to get to grips with data protection law will automatically be operating at a higher level of risk than others who are compliant. It is also more likely that it will, at some point in time, violate a pupil or other individual’s privacy.
The risk of breaking the law has increased in proportion to the many new ways of working. Off-site working is now better facilitated by technology. Add to this the increasing appetite for social networking, school websites and blogs and it is easy to see why scarcely a week goes by without a data protection blunder being reported in the media.
If a school ignores its legal data protection obligations, at best it will suffer reputational damage, unwelcome scrutiny from the media, and possible intervention from the ICO. At worst in could result in a criminal record, fines and civil compensation claims.
Furthermore, the information commissioner now has the power to issue a Monetary Penalty Notice (MPN) fining organisations up to £500,000 for serious breaches of the Act which are likely to cause damage or distress. In order to issue an MPN, the information commissioner needs to be satisfied that the breach was either deliberate or negligent and that the organisation failed to take reasonable steps to prevent it.
An example of this could be if a school laptop is stolen which contains pupil/staff names and addresses including health information. Some of the pupils and parents suffer worry and anxiety that their sensitive personal data might be made public. The fact that those worries never materialise is irrelevant.
Data protection is the area of the law that governs what you may and may not do with personal data. Personal data is information which identifies a living individual and can be held manually (e.g. hand-written notes, photographs, printed emails and letters) or electronically (e.g. databases, CCTV images, unprinted emails etc). Data protection law sets out the legal rules about obtaining information from your pupils and staff; the ways in which the school may (and may not) use personal information – whether it can or cannot be shared with external organisations and the all important security obligations for the storage of personal data, for example. Data protection also regulates the use of personal data for marketing purposes.
All schools hold enormous amounts of personal data. The DPA will be engaged whenever that personal data is processed by the school. Sometimes it is pretty obvious when data protection law is engaged. For example, pupil attendance records, contact sheets, records of pupil achievement, consents for administration of medicine, a teacher’s sickness record, emails between staff concerning pupils or staff, and written records of an exclusion meeting.
However, sometimes the DPA will be engaged without you even realising it. For example, implementation of pupil biometric systems for catering, library book borrowing or to record attendance. A teacher’s “private” notes on pupils or posting pupil data on the website or in the school magazine. Simply sharing pupil data including CCTV images with an external organisation such as the police, a consultant or a commercial contractor, will all engage the Act and you need to ensure that such sharing is fair and lawful.
So what does a school need to do to comply?
The DPA contains a range of legal obligations which your school needs to understand and comply with. The most well known of these obligations is to register (or notify) with the ICO. Failure to notify or to keep your notification up-to-date is a criminal offence.
The DPA also requires all schools to process personal data in accordance with eight principles. These principles govern the standard of processing and require the school to ensure that personal information is:
- 1. Fairly and lawfully processed: Has your school issued up-to-date Privacy Notices to pupils and staff? Is your use of personal data on your website both fair and lawful?
- 2. Processed for limited purposes: Information collected for a stated purpose should not be used for other unrelated purposes. For example, having obtained parental consent to take a pupil’s photograph for a library pass, this photograph should not then be used for the school website or supplied to the press.
- 3. Adequate, relevant and not excessive: Is your contact information for primary and secondary carers sufficient?
- 4. Accurate and up-to-date: How often do you update your parental consents and by what method? What if a parent fails to confirm their contact information is up-to-date?
- 5. Not kept for longer than necessary: How long should you retain a child protection allegation for? How about CRB data?
- 6. Processed in line with an individual’s legal rights: One of the legal rights a data subject has is the right to ask for a copy of their personal data (known as a Subject Access Request or SAR). It is crucial that the school knows how to recognise and process a SAR and what information it can withhold. If your school is maintained it also needs to be able to distinguish a SAR from a parental request for access to the educational record of their child. Why? Because these two requests are governed by different legislation.
- 7. Kept safe and secure: See below.
- 8. Not transferred to other countries without adequate protection: If your school website contains pupil or staff information this rule will be engaged simply because this information is available to the world at large. What about sending pupil information overseas for a school trip or exchange?
Principle 7 (the requirement to keep personal data secure) attracts a lot of media attention – think theft or loss of an unencrypted laptop or memory stick. Principle 7 requires the school to take “appropriate” technical and organisational steps to prevent data from being accidentally lost, stolen or destroyed or from being handled by someone without authority.
The technical steps needed depend upon the sensitivity of the data concerned but would almost always include appropriate encryption solutions, off-site automated back-up to a secure server, use of passwords and keeping an audit trail of all portable computing devices. Sensitive personal data such as health, sexual life, religion and ethnicity data requires enhanced protection.
Because teachers often work from home they need portable computing devices. That is fine, but if you think keeping data secure at school is tricky then keeping it secure in a teacher’s lounge or on the back seat of their car requires real thought. The astute head knows that all employment contracts should include an obligation to process personal data in line with the DPA and the school’s data protection policy. By tethering data protection to the employment contract in this way, teachers will have a “contractual interest” in protecting data because if they do not they face disciplinary action.
Principle 7 also requires the school to ensure that all staff who handle personal data have received data protection training that is regularly refreshed – one and a half to two hours suggests the ICO. If your staff have not received this training then the school is automatically in breach of principle 7. But getting staff trained brings other benefits apart from compliance with the law. If the worst comes to the worst and your school finds itself at the centre of a data security incident, the fact that staff have received appropriate training will be taken into account by the Information Commissioner’s Office in its investigation and will help determine what enforcement action it chooses to take against the school.
Ensuring your staff are data protection savvy also demonstrates to those that matter – your parents, auditors the media and the public – that you take your legal obligations seriously and helps with incident management from a PR perspective.
Finally, it is worth knowing that as well as the school, senior individuals that have deliberately or recklessly breached the law can also be prosecuted. Given that data protection complaints are on the up, no school, not even the smallest, will want to put off data protection for another year.
• Paula Williamson is the principal solicitor at the Information Law Practice, a niche law firm specialising in data protection and freedom of information in the education sector. They run courses for schools. Visit www.theinformationlawpractice.com.