The Optimus blog

The blog that inspires leaders in the UK education sector

Dai Durbridge

GDPR: your questions answered

We were inundated with questions at our recent GDPR conference. Browne Jacobson lawyer Dai Durbridge answers the most popular ones.

1. What are the implications of staff working remotely with access to confidential information?

There is no reason why staff cannot continue to access personal and confidential information remotely. What is important is to have a robust policy in place that addresses how that information is managed (including how it is accessed, where it is saved/stored, whether it can be printed and how it should be destroyed), ensuring the importance of that policy is understood by all staff and taking steps to ensure the policy is followed.

2. Should we insist that governors use school email addresses for all school correspondence?

That would be good practice, yes.  From a data protection viewpoint, it is only the security of personal information that would be of interest to the Information Commissioner's Office (ICO), but given the sensitive nature of governor email conversations and minutes, it is sensible for all email traffic to come from school email addresses.

3. Is there a list available that gi​ves clear timescales schools must keep categories of data? Pupil records, employment files, pension, tax, etc?

While some legislation requires certain documentation to be retained for a particular period (e.g. some recruitment documentation), there is no hard and fast rule for how long the majority of documentation created and held by schools should be retained.  

Life would be more straightforward and practices more consistent if timeframes were set out in law or guidance.

For the moment, the closest we have is the Information Management Toolkit for Schools provided by the Information and Records Management Society (IRMS).

You also need to be aware of any local requirements, particularly those of your local safeguarding children board (LSCB) regarding safeguarding records, which can vary from one local authority to another.

4. Can we change policies now for GDPR or do we have to stay under the 1998 Data Protection Act until 25 May?

Best practice is to bring the new policies into effect on 25 May 2018, until then it is better to remain with your current policies. There is some sense in having your new policies ready and available for viewing from late April to let stakeholders know about the changes and to get used to them before they take effect.

5. If a child over 13 gives consent for something like photographs but you believe/know their parents/carer wouldn’t, what do you recommend?

You need to obtain consent from the person whose personal information you will be processing. In doing so, you need to be satisfied that the individual has capacity to provide consent – in other words, does the individual understand what is being asked of them, what will happen to the information if consent is provided and what will happen if consent is withheld.

Through discussing the issue with the individual you should be able to satisfy yourself that they do or do not have consent. If they do, you are entitled to rely on it, regardless of the views of parents or others. 

The only caveat to add is to be aware of court orders restricting the publishing of information relating to the individual and/or any additional information the parent may have that the individual does not that could impact upon the decision to use the photo.  An example might be a child who is at risk of abduction or harm but the child is unaware of that risk.

6. Does the timescale of one month for subject access requests still apply during school holidays?

The time period is set by the legislation and so is a legal requirement. It can be extended by up to two additional months ‘where necessary, taking into account the complexity and number of the requests,’ but a school holiday does not fall under either of those categories so relying on the extension brings with it a high risk of non-compliance.

The time period runs from ‘receipt’ of the request but currently there is no guidance in the GDPR as to when a request is deemed to be received. A school could run the argument that requests made during school holidays are not received until the first day of the new term, but doing so does run the risk that receipt could be deemed to take place when the letter/email is delivered to the school. So it could be a risky strategy.  

If adopted, then a statement setting out this approach should be included in your Fair Processing Notice where the rights of the data subject are set out. Until we have clarity on this matter, the safest approach is to take steps to reply to subject access requests within the set timeframe.

Foundation training for DPOs

Having a DPO with the appropriate skills and knowledge to discharge their duties is a crucial element of complying with the GDPR. That's why we've teamed up with Browne Jacobson to organise three interactive, one-day training courses, covering everything a DPO will be expected to put into practice from 25 May. 

With a mix of keynote presentations and workshops, and the opportunity to have your burning questions answered, these events are not to be missed!

Secure your place

More from Optimus

Webinar: GDPR – the role of the data protection officer

GDPR: how to undertake a data audit

 

Tags: 

Subscribe to Optimus Education's Blog

Join other educators and get the latest Optimus blogs direct to your inbox.
Your data is safe with us: Privacy Statement

Similar Posts

Elizabeth Holmes

Bouncing back from a disappointing inspection outcome

Your Ofsted inspection has come and gone, but the outcome wasn't what you'd hoped. What are the next steps? If social media is anything to go by, an Ofsted inspection remains a source of dread for those who work in schools. While much work has been done by Ofsted – and particularly its national...
Read more...
John Viner

When inspection is not by Ofsted

While the majority of state schools focus on the Ofsted inspection process for their self-evaluation, around a third must also prepare for a separate inspection of their faith character. Ofsted inspection is carried out under sections 5 and 8 of the Education Act 2005, and every headteacher in the...
Read more...
John Viner

Another year, another education secretary

Unexpected departures and new arrivals at the DfE have brought the future of government education policy into question. Just as the profession was developing a good working relationship with a new secretary of state for education, we looked up and, instead of Justine Greening, found Damian Hinds...
Read more...