GDPR in Schools: The View from a DPO and School Governor

The UK Government Department for Education has recently released an excellent document detailing some of the steps necessary to demonstrate compliance with GDPR, called the DfE GDPR Toolkit for Schools.

However, like all good government documents, it does not cover every GDPR scenario, nor how to implement the policies necessary to help ensure the rules are followed. The areas covered by the DfE GDPR toolkit for schools include the following steps:

  • Raising awareness;
  • Creating a high-level data map;
  • Turning your data map into a data asset register;
  • Documenting the reasons for processing data;
  • Documenting how long you need to retain information;
  • Reassurance and risks;
  • Deciding on your Data Protection Officer role;
  • Communicating with data subjects;
  • Operationalizing Data Protection, and keeping it living.

Unfortunately, the DfE GDPR toolkit for Schools does not provide guidance on consent, or on when legitimate interest should and could be used. Furthermore, there is very little about accountability – a guiding principle of GDPR (Article 5) – as each head teacher will be expected to explain who, what, where and why when it comes to personal data.

Of course, the real danger is the possibility of parents/carers asking for, or exercising, their ‘Individual Rights’ – rights to access data about their children, their performance and all manner of previously unreachable data. Furthermore, a school must respond to these requests within 30 days.

This could be a new type of data feeding frenzy, with every helicopter parent/carer demanding access to the data, or threatening court injunctions, ICO regulator action, HM Inspectors whistle-blowing and private litigation. Could this all become the new talk at the school gates?

The ICO has provided some great information and documented what each of the eight (8) Rights will mean for organizations (including schools). What it hasn’t done is explain what head teachers and Governors could do if they become inundated with such requests. It could literally become an entirely new administration function (and that’s on top of an already over-stretched school office!).

However, what is missing from this DfE document is coverage of data security and third-party access. My child’s data, or the data that I have registered with the school or DfE, is held in databases that I have little or no knowledge about. My guess is that many of these third-party relationships (data exchanges) date back to a bygone era and rely on vague agreements or loosely worded government or local council contracts.

Many of these contracts would now be considered ‘controller to controller’ or ‘controller to processor’ agreements, and my worry is: how would accountability play out if any one of them (the school, DfE or the third party) became a victim of e-crime or suffered a major data loss/leak? Who would pick up the loss, damage or liability?

Take my local provider of school meals: I have to pay in or ‘top up’ my daughter’s account so she can spend £2.20 on her lunch. This may be fine, but this processor [on behalf of my local school] stores sensitive personal data (e.g. medical data such as allergies) and my credit card data, making it a prime candidate for hacking or e-crime. The problem is, I’ve no idea about the level of accountability or security, or even if there is a contract in place, and if there is, does the processor have to notify my school [and the ICO] within 72 hours if it’s been hacked?

So I am powerless, and yet GDPR is all about taking back control: giving back the ability to control my data, including who has access to what, why, where and when – especially when it comes to our children’s data.

Then there is the question of consent. Did I consent to my daughter’s photos being used on the school website? Moreover, why do I need cookies? It’s not like the school are going to tailor messages to suit my browsing habits.

If I go to the website, it’s usually because I need the phone number or to check whether it’s closed when it snows. For that matter, I don’t recall giving my explicit and unambiguous consent to receiving marketing messages about Zumba classes being held in the school hall on a Tuesday evening.

So there is much to be done across the 24,000 schools in England and Wales, and fortunately (for some schools), there are a few of us experienced and qualified DPOs that are giving up their time and money to help out.

Once again, the great British (unrecognized) economy of hard-working volunteers is being relied upon to shore up what really should be done by the DfE.
