From 25 May 2018, there will be a change to the law on data protection as the Data Protection Act 1998 is replaced by the General Data Protection Regulation (GDPR). All organisations will need to comply with the new law but, due to the nature and volume of the personal data they hold, schools may regard the task of preparing for GDPR as being a particularly challenging one. However, now is not the time to panic. In fact, if your school already complies with the principles of the Data Protection Act it is likely that only a few changes to the way in which you collect, store and process personal data will be necessary. We have set out below some pointers and practical tips to help you on the way to being “GDPR ready”.
Carry out a data audit
Before deciding what measures to put in place to comply with GDPR you will need to get a handle on exactly what personal data the school holds, the reasons why it needs that data and what the school does with it. Remember that the school will not just have personal data about its students but also parents, staff and volunteers. There are likely to be many different places where data is stored, some of which will be more obvious than others, so consider involving staff at an early stage to assist in identifying these.
Review and update current policies
In particular, you will need to ensure that you have an up-to-date privacy notice in place. Once you have updated the school’s policies relating to the gathering, storage and processing of data, make sure that staff and governors are aware of any changes, especially those that are likely to impact upon the way they do their jobs.
Consider any risks where data is disclosed
There are likely to be many examples across a school where personal data is disclosed to third parties, either on a regular or a one-off basis. This could involve disclosure to the local authority, payroll provider or after-school club, to name a few. You will need to be satisfied that you are legally permitted to disclose the information and that the data is going to be secure once it has left your control. You should, therefore, review the arrangements you have with third parties and obtain any further assurances you require before any data is released.
All staff and governors will be required to have a certain level of understanding of the new rules and the measures your school puts in place to comply. Most individuals within schools will come into contact with personal data in some form or another, so you should ensure they can recognise it and know what to do with it when they do.
Appoint a Data Protection Officer
Schools will need to have a data protection officer to monitor compliance with GDPR. This individual will be the first point of contact for those making subject access requests and supervisory bodies, such as the Information Commissioner. They should have an understanding and experience of data protection but it should not be someone who makes decisions about the way in which data is collected or processed by the school. For example, the Headteacher and Business Manager of a school are unlikely to be able to carry out the Data Protection Officer role without there being some conflict with their substantive role.
Document your preparations
Unfortunately, there is no one-size-fits-all approach to GDPR compliance. Each school will have its own unique set of circumstances to which it will need to apply the rules. However, if you keep records of the decisions taken and the thought process behind them, you will be better placed to justify them should you need to at a later stage.
How Nelsons Solicitors Can Help
Laura Evans is a specialist Education and Employment Law Solicitor at Nelsons.
Should you require any support, advice or training on preparing for GDPR in your school, please contact Nelsons’ Education team on 0800 0241 976 or contact us via the online form to find out how we can help.