The Optimus blog

The blog that inspires leaders in the UK education sector

The Optimus blog

The blog that inspires leaders in the UK education sector

Dai Durbridge

GDPR: your questions answered

We were inundated with questions at our recent GDPR conference. Browne Jacobson lawyer Dai Durbridge answers the most popular ones.

1. What are the implications of staff working remotely with access to confidential information?

There is no reason why staff cannot continue to access personal and confidential information remotely. What is important is to have a robust policy in place that addresses how that information is managed (including how it is accessed, where it is saved/stored, whether it can be printed and how it should be destroyed), ensuring the importance of that policy is understood by all staff and taking steps to ensure the policy is followed.

2. Should we insist that governors use school email addresses for all school correspondence?

That would be good practice, yes.  From a data protection viewpoint, it is only the security of personal information that would be of interest to the Information Commissioner's Office (ICO), but given the sensitive nature of governor email conversations and minutes, it is sensible for all email traffic to come from school email addresses.

3. Is there a list available that gi​ves clear timescales schools must keep categories of data? Pupil records, employment files, pension, tax, etc?

While some legislation requires certain documentation to be retained for a particular period (e.g. some recruitment documentation), there is no hard and fast rule for how long the majority of documentation created and held by schools should be retained.  

Life would be more straightforward and practices more consistent if timeframes were set out in law or guidance.

For the moment, the closest we have is the Information Management Toolkit for Schools provided by the Information and Records Management Society (IRMS).

You also need to be aware of any local requirements, particularly those of your local safeguarding children board (LSCB) regarding safeguarding records, which can vary from one local authority to another.

4. Can we change policies now for GDPR or do we have to stay under the 1998 Data Protection Act until 25 May?

Best practice is to bring the new policies into effect on 25 May 2018, until then it is better to remain with your current policies. There is some sense in having your new policies ready and available for viewing from late April to let stakeholders know about the changes and to get used to them before they take effect.

5. If a child over 13 gives consent for something like photographs but you believe/know their parents/carer wouldn’t, what do you recommend?

You need to obtain consent from the person whose personal information you will be processing. In doing so, you need to be satisfied that the individual has capacity to provide consent – in other words, does the individual understand what is being asked of them, what will happen to the information if consent is provided and what will happen if consent is withheld.

Through discussing the issue with the individual you should be able to satisfy yourself that they do or do not have consent. If they do, you are entitled to rely on it, regardless of the views of parents or others. 

The only caveat to add is to be aware of court orders restricting the publishing of information relating to the individual and/or any additional information the parent may have that the individual does not that could impact upon the decision to use the photo.  An example might be a child who is at risk of abduction or harm but the child is unaware of that risk.

6. Does the timescale of one month for subject access requests still apply during school holidays?

The time period is set by the legislation and so is a legal requirement. It can be extended by up to two additional months ‘where necessary, taking into account the complexity and number of the requests,’ but a school holiday does not fall under either of those categories so relying on the extension brings with it a high risk of non-compliance.

The time period runs from ‘receipt’ of the request but currently there is no guidance in the GDPR as to when a request is deemed to be received. A school could run the argument that requests made during school holidays are not received until the first day of the new term, but doing so does run the risk that receipt could be deemed to take place when the letter/email is delivered to the school. So it could be a risky strategy.  

If adopted, then a statement setting out this approach should be included in your Fair Processing Notice where the rights of the data subject are set out. Until we have clarity on this matter, the safest approach is to take steps to reply to subject access requests within the set timeframe.

GDPR for Schools

Our GDPR for Schools conference will be providing more information and guidance on the new ePR, as well as an update from the ICO.

Taking place in London on 27 November and Manchester on 24 January 2019, you can secure your place now.

More from Optimus

Webinar: GDPR – the role of the data protection officer

GDPR: how to undertake a data audit

 

Similar Posts

Tiffany Beck

Multi-academy trust governance: your questions answered

Governance was a hot topic at our annual MATs Summit. Tiffany Beck, chair of trustees at Maritime Academy Trust, answers some popular questions from the event. 1. We have a shortage of governors and trustees and require more skilled professionals. Can you share any tips on recruitment? Ask your...
Read more...
Lisa Griffin

What is the ePrivacy Regulation?

Thought you’d heard the last of changes to data compliance? Get ready for the new ePrivacy Regulation. The EU have proposed that the current ePrivacy Directive be replaced by the ePrivacy Regulation (ePR) and sit alongside the General Data Protection Regulation (GDPR), which came into force in May...
Read more...
John Viner

We need to talk about Ofsted

New proposals from Ofsted have prompted a shift in the rhetoric around inspection. John Viner summarises the changing times. With the departure of Her Majesty’s Chief Inspector of Schools, Sir Michael Wilshaw, Ofsted moved into a new phase under the leadership of Amanda Spielman. Out went the old-...
Read more...