On the 25th May 2018 the Data Protection Act (DPA) was replaced by the new and updated General Data Protection Regulation (GDPR) aka the Data Protection Act (2018). This legislation signified a change in the way that all businesses and organisations, including schools and trusts, process and manage their data.
What was the original Data Protection Act (DPA)?
The original DPA law was passed in 1998, marking a big step forward in the way information about people was legally used and handled. The main purpose of the legislation was to protect individuals against misuse or abuse of information about them. This prevented companies, bodies or businesses selling or passing on information about their customers and staff.
Databases are easily accessed, searched and edited. And with more and more organisations (including schools) using computers to store and process personal information, there was an increase in the likelihood of these details ending up in the wrong hands, The DPA was a way to regulate misuse and prevent the selling of data.
What is the General Data Protection Regulation (GDPR)?
To put it simply, the GDPR is a new data protection regulation designed to strengthen and unify the safety and security of all data held within an organisation (including schools, academies and other educational establishments).
The GDPR replaces the DPA and affects all UK companies who collect or process personal information. It's focused on looking after the privacy and rights of the individual, and based on the premise that consumers and data subjects should have knowledge of what data is held about them and how it's used.
Steve Sands, Chief Information Security Officer (CISO) and Data Protection Officer (DPO) at Synectics Solutions
The 6 Principles of GDPR as defined by Article 5 requires that personal data shall be:
- (a) processed lawfully, fairly and in a transparent manner in relation to individuals
- (b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes
- (c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
- (d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay
- (e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals
- (f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Article 5(2) requires that the data controller shall be responsible for, and be able to demonstrate, compliance with the principles.
The main differences between the GDPR and the DPA are:
- Down from 8 principles to 6
- Any data accessed and used to be lawful, fair and transparent
- Data being adequate, relevant and limited to what's necessary in relation to the purpose of the data access
- Consideration given as to how accurate and up-to-date the data is
- Looks into the technical and organisational measures in place to protect against unlawful authorised processing, accidental loss or destruction
- Businesses in breach of the GDPR will reach fines up to 4% of a business's turnover
- The GDPR requires you to show how you comply with the principles
- Two different types of financial jeopardy: fines for Personal Data Breaches (PDBs); and fines for Administrative breaches. (The fines are between 2-5% of the previous year annual turnover)
- Under the GDPR it will be illegal to not have a formal contract or Service Level Agreement (SLA) in place with your chosen Data Processor.
- It will also be a criminal offence to choose an IT recycling partner/Data Processor who doesn't hold the minimum competencies and accreditations for IT asset disposal (ADISA, ISO 27001, Blancco etc.)
- You must be able to demonstrate you are working with an accredited company when it comes to disposing of your data bearing end of life IT assets (details of parents, staff, students no longer at the school).
Under the GDPR, marketing consent must be explicit. It should be:
- Time limited opt-in
- In plain language (age appropriate to the Data Subject)
- With the requirement that the Data Subject is able to opt-out of profiling and object to the results of profiling.
The definition of consent within GDPR
The GDPR has ultimately changed the way schools, academies and trusts handle their data and the way information is managed, by ensuring that the giving and receiving consent online and the usage of personal data has never more in the spotlight.
Many companies have been in trouble with the ICO for not protecting and storing data correctly, or for using it without the owner’s specific consent (this has included very large fines) meaning it’s vital that schools are adhering to the GDPR legislation.
It's also important that children and young people grow up understanding how, where and where their data has been used and when it’s being used without their consent.
Consent is defined within the GDPR as being 'freely given, specific, informed and unambiguous
In order to be freely given, “it must be given on a voluntary basis”. This means that the data subject must have a real, genuine choice in the matter of consenting and signing up to something - if there is any element of inappropriate pressure or influence, then this consent can be rendered invalid.
Informed and Specific
For consent to be “informed and specific” the individual must be made aware of who is looking after their data, what information will be processed and how it will be used. They also need to have an easy, clear option to withdraw their consent and unsubscribe, whenever they want to, and they also have the ‘right to be forgotten’ which means that they can ask a company or organisation to remove any record of them and erase them from their systems.
The consent must be also be “unambiguous” which means that the data subject knows exactly what they are signing up and consenting to. They now have to opt in rather than opt out, which means that companies can no longer assume an ‘automatic opt in’ to their marketing or assume that customers are happy for their data to be used in certain ways. Companies can also no longer have pre-ticked consent boxes on forms - individuals need to physically choose to opt in to receive communications or to share their data with a company, game or website.
Finally, it is important to note that to give consent, the data subject must be aged 13 or older. Prior to this age, it would be the data subject's parent who would need to give consent on their behalf.
It's important that as a school, you:
- Remind your school staff of the existence of GDPR, especially those in Marketing or Administrative roles who may deal with data on a regular basis.
- Regularly audit the information you hold and what Data Processing policies are in place.
- Regularly review your privacy agreement and cookie policies for your school website
- Ensure your procedures cover all the rights individuals have (including how you delete personal data).
- Regularly review how you are seeking, obtaining and recording consent for data processing.
- Make sure you have the correct procedures in place to investigate and report a personal data breach.
- Check your systems are able to verify the age of individuals and to gather consent from parents or guardians in regard to data processing.
- Designate a Data Protection Officer to take responsibility for data protection compliance.
- Have an e-safety policy in place to ensure all key stakeholders know what needs to be done to remain compliant.
- Choose an accredited Data Processor who is also compliant with GDPR obligations and IT asset disposal.
How do e4education help schools and trusts to stay safe in regard to consent, data and privacy on their websites?
We have done a lot of work surrounding the introduction of GDPR to help the Schools and Trusts that we work with ensure their website is GDPR compliant and their data is secure.
We have introduced valid SSL certificates for all websites and given our customers the option to add in privacy policies and cookie policies to their websites, and update these as required.
We’ve also ensured there is full encryption on all of our databases and we continue to work closely in line with the GDPR regulations to ensure our platforms are fully-up-to-date and compliant.
- Top Tips
- e4education News
- Product Updates
You might also like...
New year, new start
A new year (calendar or academic) is the chance for a fresh start. Goals are set, mistakes are relegated to the past and there’s generally a feeling of ‘newness’ in the air. Whether you’re looking for a new school website design, wanting to improve your school newsletter f...
DfE Compliance: Displaying your curriculum on your school website
Your school website is key source of information for parents, students, staff and the community, but there is certain content that you must always have visible on your website, and which will be checked by Ofsted inspectors prior to a visit. We have a full guide to all of these requirements which...