For those of us in education, GDPR has become a buzzword in recent years. Since its introduction in May 2018, it imposes pages and pages of requirements for organisations anywhere in the European Union (EU) if they collect or target data related to people. These requirements must be met by all organisations in the Education Sector as well as in other sectors.
Data Rights Matter reports that data breaches in the sector have been on the rise in the last 12 months. Schools and universities can be prime targets for cybercriminals due to the nature of the data that they keep. However, despite there being instances of hackers, ransomware and cybercrime, most breaches within the education sector are caused by human error.
A data breach in a school creates added work and stress for those in charge. It can be difficult to investigate and rectify the source, and to notify the relevant authorities. Waiting for the authority's response after a breach has been reported can also be a difficult time. Let us break it down more simply and help those working in schools understand the complexities of GDPR compliance.
What is GDPR?
According to the European Union (EU), the General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world. Despite being created and passed in the EU, it enforces requirements onto any organisation in the world if it collects or uses data belonging to any EU citizen.
The European Convention on Human Rights (1950) states, “Everyone has the right to respect for his private and family life, his home and his correspondence.” It is from this right to privacy in the convention that the EU has created legislation to ensure protection.
Protecting data in any sector is imperative. Such protection affords respect and privacy for all concerned, as well as the freedom of knowing that data is protected against manipulation. However, there has been some worry following the introduction of the GDPR, due to the huge fines imposed for violations of the standards, which can reach millions of pounds.
The regulation is a sign of just how seriously Europe is taking data security and privacy. This is increasingly relevant because of the number of people who are now trusting their data with a cloud service due to remote working.
What does GDPR mean in schools?
For schools, extra protection is needed when it comes to GDPR because of the amount of children’s data that is stored and needs protecting. Given that money is tight in the education sector, there is rarely the funding or resources for a specific data security team. Additionally, aside from the legal implications of GDPR, there is an often-conflicting legal requirement for schools to retain student data for years after the student has left. This means that the amount of data retained by a school at any one time can be huge.
Having said that, the GDPR could help schools eventually as it requires that data is reduced and that measures are put in place to support this, which should eventually save the organisation money.
Since the introduction of the GDPR, schools must have increased accountability for their data. As such, they should only collect or store data when it is absolutely necessary. The regulation itself calls this “data minimisation” and, again, this could be beneficial for schools in the long run.
Schools must give students (or their parents/carers) the right to access and also review the information that the school has relating to them. This can, therefore, work to reassure individuals that the data stored is reasonable and can be queried or altered if they are unhappy.
What schools are not always aware of, however, is that there is no set way that they must store or process personal information. Schools can use and process data as long as they can outline the legal reason for doing so. Such reasons are generally broad and typically align easily with a school’s data processing practices under the Data Protection Act 1998 (the GDPR’s predecessor).
The majority of school data processing is justified on the basis of public interest, i.e. any activity that is required to perform a task that safeguards the welfare of the public or exercises official authority. However, the data collected must be proportionate to the reasons you need it, rather than collecting additional data for the sake of it.
What does GDPR compliance mean?
You may have heard that schools need to be compliant with GDPR. Primarily, this means following the requirements as outlined in the regulations. However, it also means that an organisation must have processes and policies in place to ensure that all interactions with students’ data are considered carefully. What is more, the organisation (in our case, the school) must review its policies and processes regularly.
However, complexity comes when you look into the requirements in more detail. They are vague and leave a lot to the individual organisation’s interpretation. The organisation must protect its data to a ‘reasonable’ level. Yet, the GDPR does not clarify the meaning of what this would constitute.
Compliance, therefore, depends on what the personal data is and the amount of it. Logically, the greater the sensitivity of the data, the greater the protection needed to prevent breaching the GDPR.
What is the difference between personal and sensitive data?
Many people confuse personal and sensitive data. Personal data is essentially information that can identify someone or someone in their family. For schools, this is information such as a student’s name, address, contact information, their grades, progress reports and behaviour records. This data is always personal, even in the case of a student publicising it themselves.
Some data is more sensitive and is considered special category data. This data needs additional protection due to its nature. For schools, this includes students’ biometric data such as photographs or fingerprints.
Other sensitive data includes a student’s religious beliefs (including whether they opt out of religious activities or lessons) and their health, including allergies or specific dietary requirements; the latter can also indicate or suggest the student’s religion or their health. Understanding GDPR and the role of confidentiality with such data is paramount. The processing of this data is often risky and, as such, it can only be processed when certain conditions are met. Usually, it can only be used with parental consent.
What is the difference between data controllers and data processors?
There are two roles when it comes to ensuring GDPR compliance in schools. Each role may be filled by an individual responsible for that particular role, or by part of a wider entity.
A data controller
A data controller decides the ways and intentions of processing any data.
This includes deciding:
- Whether data is to be shared with a third party.
- When the subjects’ rights apply.
- Whether amendments should be made to any data.
- How long the data will be stored.
A data processor
The data processor manages the data on the controller’s behalf. Many different forms of data processors work with or in schools. They may be a third party or a department within the school.
They can include:
- School photographers.
- Shredding companies.
- Software.
- Online learning platforms.
- Online storage systems.
Each data processor is responsible for ensuring that the data is securely stored and that data transfers are well controlled. Also, if a data processor has a retention schedule, it is their responsibility to ensure that they adhere to it. At the end of a scheduled retention, it is the data processor’s role to ensure that any sensitive data is disposed of safely.
The legal responsibilities for each of these roles differ but they are responsible in equal measure for GDPR compliance. If there is a breach, either is liable for disciplinary action.
In the education sector, the school itself will usually be the ‘data controller’. It needs to ensure that there is a secure contract with the ‘data processor’. Any third-party data processor must, therefore, have legally binding contracts outlining how the processor will fulfil its role.
Who is responsible for GDPR compliance in schools?
In a school, it is the leadership team that must make sure that the school complies with GDPR. On the senior leadership team, there should be at least one member of staff who has had specialist GDPR training. There are appropriate qualifications too such as the GDPR Practitioner qualification.
They also need to ensure that they pass on their training to everyone else within the staff so that everyone knows what to do when it comes to personal data. It is best practice that schools adopt a GDPR or data protection policy with clear procedures for all to follow, creating a school that has a data-privacy culture.
Data protection officer in schools
Most schools need a designated Data Protection Officer (DPO). The DPO is responsible for ensuring that the school manages data correctly and should be able to advise others on how to do so effectively and legally.
As such, this person must have a strong understanding of how the school uses any personal and sensitive data as well as an understanding of GDPR and data protection laws. Even if a school does not specifically need a DPO, it is good practice to have one as it shows that a school is taking its handling of data seriously.
Consulting pupils over their data processing
The GDPR is very clear that schools and other organisations cannot legally obtain consent from those who are considered minors, with just one exception. Each country is responsible for defining the age of minors. In the UK, that age is 13. If a student (the ‘data subject’) is under 13, the school must gain approval from an adult with parental responsibility for the child.
They also must ensure that they make a “reasonable effort” to verify the identity and relationship to the child of the person who claims parental responsibility. For those over 13, the school can obtain consent in the same way as it would for an adult.
Having said that, the GDPR requires that communication surrounding it, including consent, must be able to be understood by those it is intended for – in this case, children. The language, therefore, must be accessible to those children.
As mentioned above, there is one instance in which parental consent does not need to be sought when it relates to data obtained for minors. This is regarding any information that is gathered for counselling or preventative services that the child is offered, including therapy, child protection sessions, or any health and wellbeing services.
For these data collection opportunities, direct child consent is permitted without parental responsibility approval. This data must also be kept separate from data and files where the parents would automatically have access. This is so that, in the event of data access requests from parents/carers, this sensitive data is not revealed to the child’s parents.
What happens if GDPR is breached in schools?
As explained in the introduction, the majority of data breaches in schools are due to human error. This can be as simple as forgetting to bcc an email to a group of parents so that all parents can see others’ email addresses, or it could be a lot more significant involving much more sensitive data. Whatever the breach, it must be investigated immediately.
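The “forgotten bcc” breach described above is easy to prevent mechanically. The following Python example is added here and is not code from the original article: it builds a parent mailing with every parent in Bcc, and a pre-send check that refuses any message exposing more than one external (non-school) address in the To or Cc headers. The helper names (`build_parent_mailing`, `check_recipient_exposure`), the school domain and the parent addresses are all constructed for this illustration.

```python
"""Guard against the 'forgot to bcc' mass-mailing breach.

Added example; not part of the original article. The helper names,
the school domain and the parent addresses are constructed for illustration.
"""
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample data: the school's own mail domain and a parent list.
SCHOOL_DOMAIN = "example-school.test"
SENDER = "office@example-school.test"
PARENTS = [
    "parent.one@example.test",
    "parent.two@example.test",
    "parent.three@example.test",
]


def build_parent_mailing(sender: str, parents: list[str], subject: str, body: str) -> EmailMessage:
    """Build a message to many parents with every parent in Bcc.

    To: carries only the sender, so no parent address is visible to any
    other recipient. Mail servers strip Bcc before delivery.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Bcc"] = ", ".join(parents)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Addresses every recipient will see: To and Cc, never Bcc."""
    headers = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    return [addr for _name, addr in getaddresses(headers) if addr]


def external_visible_recipients(msg: EmailMessage, school_domain: str = SCHOOL_DOMAIN) -> list[str]:
    """Visible addresses that are not on the school's own domain."""
    suffix = "@" + school_domain.lower()
    return [a for a in visible_recipients(msg) if not a.lower().endswith(suffix)]


def check_recipient_exposure(msg: EmailMessage, school_domain: str = SCHOOL_DOMAIN, limit: int = 1) -> list[str]:
    """Return a list of problems; an empty list means the message is safe to send.

    Rule: more than `limit` external addresses in To/Cc means each of them is
    disclosed to all the others, which is exactly the breach the article describes.
    """
    external = external_visible_recipients(msg, school_domain)
    problems = []
    if len(external) > limit:
        problems.append(
            f"{len(external)} external addresses visible in To/Cc; move them to Bcc"
        )
    return problems


def safe_message() -> EmailMessage:
    """The correct form: parents in Bcc only."""
    return build_parent_mailing(SENDER, PARENTS, "Trip reminder", "Please return the form by Friday.")


def unsafe_message() -> EmailMessage:
    """The human-error form: every parent placed in To, so all addresses leak."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = ", ".join(PARENTS)
    msg["Subject"] = "Trip reminder"
    msg.set_content("Please return the form by Friday.")
    return msg


if __name__ == "__main__":
    for label, m in (("safe", safe_message()), ("unsafe", unsafe_message())):
        problems = check_recipient_exposure(m)
        print(label, "->", "OK to send" if not problems else "; ".join(problems))
```

The check belongs in whatever sends bulk mail on the school's behalf, so that a message is blocked before it leaves rather than reported as a breach after it has been read by every parent on the list.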
The process should involve determining whether the breach merits being reported to the supervisory authority. This is definitely the case if the breach “poses a risk to the rights and freedoms of natural living persons”. Simply speaking, this means that the individual may face social damage (including bullying), economic issues or financial losses, fraud, or their reputation may be damaged.
- Social damage – This is the case when the breach includes information about special needs, pupil or staff records, child protection information, children’s progress information or information regarding staff pay.
- Fraud or identity theft – If someone’s date of birth, address and name has been leaked in a data breach, this can pose a real risk of fraud for the individual.
- Financial or economic issues – This could occur if an individual’s bank information is breached from payroll data or a new starter form for a member of staff.
- Damage to a reputation – In schools, a teacher or pupil’s reputation could be damaged if information about them regarding their performance, conduct or child protection information is breached.
A school has 72 hours from the discovery of the breach to report it to the Information Commissioner’s Office (ICO). The school must provide certain information to the ICO in the instance of a breach.
This includes:
- A detailed account of the breach.
- When and how it occurred.
- When and how it was discovered.
- The extent of any damage.
- The response to the incident and how any issues will be fixed or mitigated.
- The individuals whose information it affects.
- The data protection training that staff have undergone and completed before the breach.
- The contact information of the person responsible should the ICO require further information on the breach.
Within this 72-hour period, the school does not need to provide a detailed analysis. However, it does need to show that it understands what has happened and how it intends to rectify the damage. The ICO confirms receipt of all notifications and will usually contact the school soon after if it is satisfied with the school’s actions.
If the ICO suspects that there has been a significant violation, it may start an investigation, which could take many months to complete.
The takeaway
The talk of GDPR in schools often instils panic in those involved as the severity of what could occur during a breach can be significant. However, thanks to training courses and support, those working in schools should be in a good position to ensure that their establishments meet all GDPR requirements.