We were inundated with questions at our recent GDPR conference. Browne Jacobson lawyer Dai Durbridge answers the most popular ones.
There is no reason why staff cannot continue to access personal and confidential information remotely. What is important is to have a robust policy in place that addresses how that information is managed (including how it is accessed, where it is saved/stored, whether it can be printed and how it should be destroyed), to ensure the importance of that policy is understood by all staff, and to take steps to ensure the policy is followed.
That would be good practice, yes. From a data protection viewpoint, it is only the security of personal information that would be of interest to the Information Commissioner's Office (ICO), but given the sensitive nature of governor email conversations and minutes, it is sensible for all email traffic to come from school email addresses.
While some legislation requires certain documentation to be retained for a particular period (e.g. some recruitment documentation), there is no hard and fast rule for how long the majority of documentation created and held by schools should be retained.
Life would be more straightforward and practices more consistent if timeframes were set out in law or guidance.
For the moment, the closest we have is the Information Management Toolkit for Schools provided by the Information and Records Management Society (IRMS).
You also need to be aware of any local requirements, particularly those of your local safeguarding children board (LSCB) regarding safeguarding records, which can vary from one local authority to another.
Best practice is to bring the new policies into effect on 25 May 2018; until then it is better to remain with your current policies. There is some sense in having your new policies ready and available for viewing from late April to let stakeholders know about the changes and to get used to them before they take effect.
You need to obtain consent from the person whose personal information you will be processing. In doing so, you need to be satisfied that the individual has capacity to provide consent. In other words, does the individual understand what is being asked of them, what will happen to the information if consent is provided and what will happen if consent is withheld?
Through discussing the issue with the individual you should be able to satisfy yourself that they do or do not have capacity to consent. If they do, you are entitled to rely on their consent, regardless of the views of parents or others.
The only caveat to add is to be aware of court orders restricting the publishing of information relating to the individual, and of any additional information that the parent has but the individual does not, which could impact upon the decision to use the photo. An example might be a child who is at risk of abduction or harm but is unaware of that risk.
The time period is set by the legislation and so is a legal requirement. It can be extended by up to two additional months ‘where necessary, taking into account the complexity and number of the requests’, but a school holiday does not fall under either of those categories, so relying on the extension brings with it a high risk of non-compliance.
The time period runs from ‘receipt’ of the request but currently there is no guidance in the GDPR as to when a request is deemed to be received. A school could run the argument that requests made during school holidays are not received until the first day of the new term, but doing so does run the risk that receipt could be deemed to take place when the letter/email is delivered to the school. So it could be a risky strategy.
If adopted, then a statement setting out this approach should be included in your Fair Processing Notice where the rights of the data subject are set out. Until we have clarity on this matter, the safest approach is to take steps to reply to subject access requests within the set timeframe.
Our GDPR for Schools conference will be providing more information and guidance on the new ePR, as well as an update from the ICO.
The conference takes place in London on 27 November and Manchester on 24 January 2019, and you can secure your place now.