Yes, every organisation or business that handles personal data needs to review its data protection policies and bring them in line with the General Data Protection Regulation.
Any information that can identify a natural person (‘the data subject’). The person may be identified directly or indirectly, not only by a name, an email address or a location, but also by online identifiers such as an IP address, website cookies and other device identifiers. Thus, an email from a parent carrying data such as their name, their email address and their child’s name can clearly identify both the child and the parent.
If you have implemented processes in line with the existing Data Protection Act 1998 (DPA), then you are well placed to meet the new requirements. The changes are mainly clarifications and qualifications of the existing directives. A major change is that it is no longer enough to say that you meet the requirements: you must be able to offer evidence that this is happening.
A data controller, in the context of schools, is the organisation that determines the purposes and means of processing personal data. Data processors provide services to the data controller and must follow the conditions laid down in the data controller’s instructions. The GDPR applies to both data controllers and data processors. When data controllers collect data from the data subject, they must clearly tell them how they will use the data. They must also establish the legal basis for processing. Another category is sub-processors, or third-party data processors. These process data on behalf of a data processor and, although they do not communicate directly with the data controller, they are still wholly accountable for the protection of the personal data.
Without a doubt, reviewing your data protection processes throughout the school will help you to restore confidence and trust in both your internal procedures and those of your suppliers. A review of the Data Protection Act is long overdue. The previous Act became law in an era when some technologies were just emerging. Ensuring that you protect an individual’s fundamental rights will give you confidence in your policies and data sharing agreements.
Yes, as a public sector organisation you are obliged to have a DPO. However, you shouldn’t allow the fact that you don’t yet have a DPO to delay your journey to compliance with the GDPR.
In simple terms, the DPO oversees GDPR compliance independently and acts as an intermediary between the organisation, the data subjects and the supervisory authority (in the UK, the ICO). The minimum tasks of a DPO are defined as:
Sensitive personal data that “uniquely identify a person”, for example genetic and biometric information, are classed in the GDPR as Special Category Personal Data. Access to this data must be limited to only those people entitled to see or use it, and extra provision must be made to ensure this happens.
The GDPR introduces a duty on all organisations to report certain types of data breach to the “relevant supervisory authority” and to the individuals affected. Even if a data breach does not have to be reported to an authority outside the school, it is important to keep a full overview of where minor breaches are taking place and to ensure they are not repeated.
Since you hold and process data on individuals, you must tell them in simple terms how their data is processed. The regulation states that this information should be clear, easy to access and free of charge.
If the privacy notice applies to children, you’ll need to write it in a way they will understand.
Data protection has always been an ongoing obligation that schools should already be complying with. As such, there are no additional funds at the moment to support any changes and improvements.