The General Data Protection Regulation (GDPR) is legislation that acts to protect data, altering how people, businesses and public sector organisations handle personal data. It increases privacy and helps data resist any manipulation. So are there any GDPR implications for schools?
The following information will help you to safeguard the data of students, children and other young people.
- The Implications of GDPR for Schools
- Data Controllers vs. Data Processors
- The Difference Between Personal and Sensitive Data
- The Best Practices for GDPR
The Implications of GDPR for Schools
When GDPR was implemented in 2018, it changed the landscape of data protection, making Europe the continent with the most rigorous data protection rules in the world. While it’s a beneficial system, it does pose a number of new implications and challenges for schools.
There are a number of things you should be aware of:
- Accountability: This is one of the key focuses of GDPR which schools have to take into account.
- Data breaches: Data breaches have to be reported within 72 hours.
- Data processors: It’s a school’s responsibility to ensure that third parties comply with GDPR legislation.
- Data protection officers: As a public authority, schools must appoint a Data Protection Officer.
- Evidence: Schools must demonstrate compliance in GDPR legislation.
- Suppliers: Formal contracts or Service Level Agreements (SLA) are mandatory with all suppliers.
- Individual rights: GDPR gives individuals more power over their data, with the ability to redact any.
Data Controllers vs. Data Processors
Data is recorded within any organisation, be it from clients, partners or staff. When recording this data and determining a use for it, there are two important positions you need to be aware of: the data controller and the data processor.
A data controller is the person or body who determines what the recorded data is used for. In our case, it is that of the school or, more accurately, members of management. The data processor handles the data on behalf of the controller, acting as an intermediary between the controller and those the data belongs to.
The act of ‘processing’ covers anything from collecting data, sorting it or even destroying it. A processor could take the form of many different things - an event photographer, an online software or even a school-wide learning platform.
GDPR highlights these two entities as being important because they’re effectively in charge of personal data that has been freely given. They each have different legal responsibilities.
The Difference Between Personal and Sensitive Data
When it comes to GDPR, there are two types of data: sensitive and personal.
Sensitive data (also known as special category data) can include any of the following:
- Biometric data.
- Religious beliefs.
- Dietary requirements.
- Health information.
These topics are, as the name suggests, sensitive and personal. This type of data can be mismanaged, manipulated or ‘leaked’ and could therefore pose a risk to its owners if used maliciously. It is likely that schools (or any other organisation) cannot use this kind of information without parental consent.
On the other hand, personal data is made up of information that can help identify who a person is and who their relations are. This could be made up of:
- Contact details.
- Progress reports and disciplinary record.
This data is always known as ‘personal’ data, even if it’s widely known and available to the public.
The Best Practices for GDPR
With the two forms of data and the two types of recipient, here are some best practices to help ensure you don’t suffer from any of the GDPR implications for schools:
Abide by The Six Lawful Bases
There are six lawful bases when it comes to processing data under GDPR legislation:
- Legal obligation.
- Vital interests.
- Public task.
- Legitimate interests.
They describe a reason for the collection of data by a school or organisation. The one that applies most to schools is public task. Data is collected from individuals and families in the interest of the public.
Data collected for one purpose cannot be used for another.
Audit Any Data Processes
In a school setting, where is personal and sensitive data stored? Who is allowed to access it?
Maintaining a good relationship with GDPR legislation means performing an audit of your data-processing practices to determine any weaknesses.
Ensure There Are Security Measures in Place
Data breaches can happen under any circumstances. A stolen laptop, curious third parties or malicious software can all lead to breaches.
Set up a number of regulations all staff can follow to further protect data. For example, staff should use strong passwords, only store personal data on school equipment and set their devices to auto-lock.
USBs should be encrypted and password protected. Staff should also be trained on how to cultivate data-safe spaces by learning about ransomware attacks, phishing, how to stay safe using cloud technologies and other modern technologies.
Issue Privacy Notices to Parents
Prospectuses, newsletters and reports can be amended or sent out to include a privacy notice that states the school’s GDPR policies and data collection processes. It should further state whether any third parties are privy to this data.
Educate Yourself and Staff
Staff, adults and even children need to be taught about data protection, especially as we advance further into a future where technology becomes more wide-reaching.
This can sometimes be difficult, but fortunately the Joint Research Centre developed a mobile game called Cyber Chronix. Set on a futuristic planet, players must advance by tackling GDPR-related obstacles.
You can also contact the Data Protection Authority for more information.
GDPR is just one part of effective safeguarding within a school or other educational setting. To discover more safeguarding policies and protocols, download our handbook.
Explore Effective Safeguarding Today
Safeguarding is something that needs to be embedded within every level and process of your school. Our Safeguarding Handbook explores everything you need to know about these practices and can be easily distributed amongst staff.
The Handbook covers the basics of safeguarding, safeguarding scenarios, legalities and responsibilities amongst many other things.
Click the link below to download.