Data protection services (UKGDPR)
Data protection services
Devon Education Services provide a wide range of data protection solutions targeted at maintained schools, academies, and education providers at affordable prices to suit your budget.
Our experience is in education. We provide our customers with the tools and support needed to manage their journey to compliance. From routine questions to complex data subject access requests, we are on hand to support you, every step of the way. Our DPO is qualified to offer advice and guidance on complex and difficult cases.
The wide range of data protection and privacy programme management services we provide suit a wide range of budgets and can be tailored to suit your needs. Our services include:
- Provision of a Data Protection Officer or Privacy Programme Manager and access to a subscription only site with access to a range of useful support tools
- Support services for your school DPO, Data Privacy or Senior Privacy Lead
- Termly DPO Networking Forums
- GDPR e-learning covering staff awareness, subject access requests and personal data breaches
- Face to face training sessions for governors and trustees
- Support with Data Protection Impact Assessments (DPIAs)
- Personal data breach management
- Data protection compliance audits
Personal data breaches
Under UK GDPR, schools are legally required to notify the Information Commissioner’s Office (the ICO) of any breaches which are likely to result in a risk to the rights and freedoms of individuals, for example if the breach could result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage. In such cases, the school must notify the ICO within 72 hours of becoming aware of the breach and carry out a full internal investigation. The school is also required to inform the individuals whose personal data has been put at ‘high risk’ as soon as possible.
Fines
The UK GDPR introduces significantly higher financial penalties for organisations that fail to comply. Failing to comply with the UK GDPR could be costly, with fines of up to £17.5 million being enforced by the ICO. The ICO has new powers to levy these hefty fines and is required by law to ensure that they are ‘effective, proportionate and dissuasive’. When considering whether or not to fine, and how much, the ICO will take into account (amongst other things) the:
- nature, gravity and duration of the breach
- number of people affected and the level of damage suffered by them
- intention or negligence of the person or organisation who caused the breach
- actions taken by the organisation to mitigate the damage
- previous breaches suffered by the organisation
- co-operation of the organisation with the ICO during their investigation
- measures the organisation had in place to protect the data
The UK GDPR sets out the maximum fines the ICO can issue for particular types of breaches. Here are some examples:
Up to £17.5 Million
- Breaching any of the data protection principles
- Failing to comply with the conditions for obtaining and managing consent
- Failing to provide adequate privacy notices
Up to £8.7 Million
- Failing to appoint a Data Protection Officer (when required to)
- Failing to implement appropriate security controls to protect personal data
- Failing to notify the ICO of data breaches likely to result in risks to individuals
Compensation
In addition to fines for personal data breaches, the UK GDPR provides individuals with the right to compensation if they suffer damage as a result of a breach involving their personal data. It is therefore imperative that schools review how they handle personal data to ensure it is in line with the UK GDPR in order to avoid potential fines and compensation claims.
Data protection officers
Under the UK GDPR, schools are legally required to appoint a Data Protection Officer (DPO) for their school; failure to do so could result in a fine up to £17.5 million.
The Data Protection Officer can be an employee of the school or the school can contract out the post to an external person. The legislation states that the DPO must have the freedom to carry out the role independently and must not have a conflict of interest.
Individuals' rights
Individuals are given several rights under the UK GDPR; here is a quick summary of some of these rights:
Transparency and information
There are new requirements to publish certain types of information in your Privacy Notices, such as the contact details of your Data Protection Officer; the purpose and lawful basis for processing the information you are collecting; how long you intend to keep the data for; who you will share the data with and so on.
Access to personal data
This is known as a Subject Access Request (SAR or DSAR). Under UK GDPR, this right entitles pupils, parents/carers, staff, governors etc. to receive a copy of the information the school holds on them, free of charge and within one month.
It should be noted that this right does not affect or replace the existing right of parents/carers of children in maintained schools to access their child’s education record under the Education (Pupil Information) (England) Regulations 2005 within 15 school days.
Rectification and erasure of personal data
As with the current Data Protection Act, individuals are entitled under UK GDPR to have inaccurate personal data rectified or incomplete information completed.
In addition, individuals are entitled to have their personal data deleted in cases where the data is no longer needed or the individual withdraws consent. This right does not require a school to delete data upon request if the school is complying with a legal obligation in holding it, for example if the school is required under statute to collect and retain the data for a certain length of time.
Object to direct marketing
Parents/carers and pupils have the right not to receive direct marketing which means that schools will have to gain explicit ‘opt in’ consent before sending out marketing material. This will be relevant in cases where schools target parents/guardians for fundraising, advertise their school prospectus or put advertising literature in pupils’ book bags about other organisations!
Consent
Most of what schools do does not require consent from parents/guardians or pupils; however, there are some occasions when they must obtain it, for example if they photograph a school event and publish the images, take pupils on school trips, collect and use biometric information, or send direct marketing material to parents/guardians and pupils. Under UK GDPR rules, schools need to demonstrate that consent has been obtained freely, that it is specific and not general, that the person giving it is fully informed, and that the consent wording is unambiguous.
Schools are required to keep clear records of all consent they obtain and they must inform individuals of their ‘right to withdraw consent’ at the time, and offer easy ways to do this. When obtaining consent directly from children, schools are required to adapt the wording according to the children’s level of understanding.
Obligations
There are several obligations and duties for schools to fulfil under UK GDPR. These include:
- having appropriate and effective data protection policies, procedures and training;
- assessing the suitability of companies and contractors who process personal data on behalf of the school, and issuing written contracts to them setting out their data protection obligations and restrictions on the use of the data;
- keeping a record of the processing activities of the school, e.g. a description of what personal data is collected, why, how long it is kept for, who it is shared with and the security measures in place to keep it safe;
- implementing technical measures, policies and procedures that ensure data protection compliance is built into everyday practices, which includes only processing personal data if it is absolutely necessary to do so, keeping it for appropriate timeframes and limiting access to it;
- carrying out Data Protection Impact Assessments prior to any processing of personal data which could result in high risks to the rights and freedoms of people;
- appointing a Data Protection Officer (employee or a contractor) and involving them in all data protection matters and giving them the appropriate resources and support to keep the school compliant.
DPO cover service
Our qualified DPO can provide sickness and absence cover for your school.
DPO toolkit
Support for your school-based DPO, including:
- templates and exemplar policies
- staff awareness e-learning
- termly newsletters
- access to a qualified DPO for advice and support via email/phone (6 hours)
- access to termly DPO network meetings