With the General Data Protection Regulation (Regulation) due to apply from 25 May 2018, educational organisations will need to ensure they are ready to meet their compliance obligations concerning data protection. Failure to prepare now may result in the inconvenience of a last-minute rush or, worse, a fine for non-compliance.
How does this affect you?
Every year large amounts of personal data are collected and stored by schools, academies, colleges and universities (Educational Organisations). As ‘data controllers’, Educational Organisations are required to comply with the data protection laws concerning personal information, including those within the Regulation once it applies.
What do you need to be aware of?
The majority of the principles and requirements of the Regulation are the same as those currently in the Data Protection Act 1998 (DPA). Educational Organisations that already comply with the DPA are in a good position for the arrival of the Regulation and the changes it will bring. Some of the key areas which will affect Educational Organisations under the Regulation are:
- Increased obligation to notify data breaches
The Regulation will require all Educational Organisations to notify the Information Commissioner’s Office (ICO) of personal data breaches, and to do so without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Personal data breaches are broadly defined and extend to the accidental loss, destruction or alteration of personal data, not only to theft or deliberate disclosure. Notice is not required if “the personal data breach is unlikely to result in a risk for the rights and freedoms of individuals”; however, considering that Educational Organisations hold sensitive personal data (soon to be called special categories of data), the application of this exclusion will be limited. Where a breach is likely to result in a high risk to individuals, the affected individuals must also be informed.
Failing to report a breach could result in a fine for the Educational Organisation, in addition to any fine for the breach itself.
- Introduction of mandatory risk assessments
The Regulation makes it a legal requirement to carry out a Privacy Impact Assessment (PIA, referred to in the Regulation as a Data Protection Impact Assessment) before processing that is likely to result in a high risk to individuals, in order to identify the most effective ways to comply with data protection obligations. The ICO will publish a list of the kinds of processing operations that will be subject to this requirement. Although it is not certain that this requirement will apply to all of an Educational Organisation’s processing, carrying out a PIA is highly recommended by the ICO as a way to analyse how your organisation handles the privacy of personal data, and it will highlight areas for improvement. In the event of a security breach, the ICO can be expected to ask for a copy of your PIA.
- Consent required for children
Where you rely on consent as the legal basis for processing a child’s personal data in connection with online services offered directly to children, you will need to obtain a parent or guardian’s consent (in the UK, a child for these purposes is likely to be anyone under 13). Consent is only one of the legal bases available, and much of the processing an Educational Organisation carries out will rest on a different basis, such as a legal obligation or public task; for that processing, parental consent is not the test.
- Communicating privacy information
Educational Organisations will be required to tell individuals the legal basis for processing their data, how long the data will be kept and that individuals have a right to complain to the ICO if they think there is a problem with the way their data is being handled.
- Rights of individuals
Individuals will have the right to have inaccurate personal data corrected, to prevent direct marketing and to request that organisations which hold their data provide them with a copy of all the data held. Going forward, you will only have one month to respond to an individual’s data subject access request (extendable in limited circumstances), the data must be provided in a commonly used format and, in most cases, no fee can be charged. These requests could easily be costly and time-consuming, especially if you deal with regular requests, and the shorter timescale will make it even harder.
What can you do to be ready?
- Raise awareness: Ensure that your organisation’s management, teachers, lecturers and support staff are aware of the changes brought about by the Regulation and what the impact is likely to be.
- Carry out a Privacy Impact Assessment: A PIA will allow you to identify and reduce privacy risks and highlight what action needs to be taken to comply with data protection obligations.
- Amend your procedures: Ensure that your organisation is able to meet its new obligations (for example, that you have the systems in place to verify individuals’ ages, gather parental or guardian consent, deal with requests by individuals within the timescales, and detect, report and investigate data breaches).
- Train employees: Management, teachers, lecturers and support staff should be given effective training on the requirements of the Regulation and how it affects their roles.
- Review data protection systems: Ensure that personal data is adequately protected by making sure it is properly encrypted and that the IT and security systems are fit for purpose. Avoid keeping physical copies of personal data: they are harder to protect, and it is harder to keep track of who they have been disclosed to and where they are located.
- Budget for the changes: Training employees, ensuring data management and IT systems are effective, carrying out a PIA and dealing with requests for copies of data are likely to be time consuming and costly. You may be required to take on extra employees to meet the demands. If these costs are ignored until 2018 you may struggle to allocate the necessary funding at short notice.
The Information Commissioner’s Office (ICO) has recently published guidance on its website to help organisations prepare for the changes the Regulation will bring.