Back to school on data protection

Shelley Thomas and Michelle Morgan review the Information Commissioner’s recent report on the data protection guidance given to schools during 2012.

Overview

The Information Commissioner (‘ICO’) has recently issued guidance designed to assist schools in complying with their obligations under Data Protection and Freedom of Information law. This guidance follows reports produced by the ICO for schools in several local authorities and the completion of self-assessment questionnaires by various schools within those areas.

The aim of the guidance is to draw together the ICO’s findings, and it reflects the main areas in respect of which schools ask the ICO questions. It sets out a number of recommendations to ensure that schools comply with their legal obligations and provides links to other useful documents.

Introduction

Along with all other organisations in the UK that process ‘personal data’, schools are required to comply with the Data Protection Act 1998 (‘the Act’). The Act applies to information relating to an identifiable living individual (‘the data subject’) which is processed by the school (‘the data controller’). The term ‘processing’ covers virtually any use which can be made of personal data, including storing, editing, disclosure, archiving and the destruction of data.

Schools are obliged to comply with the 8 Principles set out in the Act which govern their ‘processing’ of personal data. In addition, schools need to be aware of the additional rules and safeguards which apply to ‘sensitive personal data’, which includes information relating to the data subject’s racial or ethnic origin, religious beliefs, physical or mental health or sexual orientation.

In the event that a school breaches its obligations under the Act, the data subject has the right to make a complaint to the ICO and/or, in some circumstances, bring a claim in the civil court for damages. If the ICO finds that there has been a breach of the Act, it has various enforcement powers, including the power to issue a monetary penalty up to a maximum of £500,000.

ICO guidance

The ICO guidance highlights a number of issues which are of particular relevance to schools and makes a number of recommendations to ensure that schools comply with their obligations under the Act.

In summary, the recommendations are as follows:

Notification

Schools are required to notify the Information Commissioner of all the purposes for which they are processing personal data, so that they have an entry on the ICO’s register of data controllers, and to update the ICO if they introduce any new purposes (e.g. if a school installs CCTV to deter crime). Failure to notify is a criminal offence.

Fair Processing

Schools must ensure that personal data is processed “fairly and lawfully”. This requires that schools inform parents and pupils how they will use the information they collect (by means of a fair processing or privacy notice). Where schools are collecting personal data which is particularly confidential or potentially controversial (for example, CCTV footage and/or identifiable photographs of pupils), it is particularly important that parents and pupils are made aware of how that data is going to be used by the school. As well as complying with Data Protection law, this should help to avoid any unnecessary friction with parents and pupils, which could potentially lead to a breakdown of relations and/or negative publicity.

Information Security

Probably one of the most important areas for schools to focus on is ensuring that personal data is kept securely at all times. This includes taking precautions for the physical security of buildings, storage systems and electronic devices, as well as measures to ensure the security of electronic data (e.g. use of encryption software and password protection). It is essential that staff and governors receive training in how to safeguard personal data and that each school has in place (and enforces) effective policies and procedures relating to data protection and the use of personal electronic devices (such as laptops, mobile phones and memory sticks) for school business.

Disposal of Information

Schools must ensure that personal data is relevant, up to date and only kept for as long as necessary. Schools are responsible for ensuring that personal data is disposed of in an appropriate way in order to minimise the risk of unauthorised use of the information and/or confidentiality being breached. Again, schools should have in place a data retention policy, which details how long information is retained for and how it is disposed of.

Sharing Information

Section 7 of the Act gives individuals (or a parent acting on behalf of a young child) the right to be given access to their (or the young child’s) personal data. Schools must respond to such a request within 40 calendar days. However, not only can dealing with such a request be time consuming, it can also often present difficulties as the information requested may contain third party personal data (for example, relating to another pupil or a member of staff) and/or confidential or sensitive data relating to the school. Where schools are unsure of what information they can disclose, they are advised to take legal advice.

In addition to the above, schools are routinely required to share personal data with other organisations, including other schools, local authorities and social services. In sharing such information, schools need to ensure that they are compliant with the Act and do not breach any obligation of confidentiality that they are under. Consideration also needs to be given to the method of transfer of the information. For example, email and fax can present security difficulties, as it is all too easy to send an email to the wrong email address or for a fax to be picked up by an unintended recipient.

Third party contractors

As the data controller, a school is ultimately responsible for any personal data which is processed by a third party contractor on its behalf. Therefore, schools need to ensure that all contracts with third party contractors (such as IT or security companies) contain appropriate provisions obliging the contractor to comply with the Act.

Freedom of Information Act (‘FOI’)

All maintained schools and academies are public authorities under the FOI and are therefore required to make certain information routinely available to the public, such as minutes of meetings, annual reports or financial information. Schools are advised to put in place a policy dealing with the school’s approach to the release of personal information in response to an FOI request, in order to avoid a breach of the school’s duties under the Act.

Conclusion

It is essential that all schools are aware of and comply with their obligations under the Act, as a failure to do so may result in a legal claim, enforcement action by the ICO (including a substantial monetary penalty) and, perhaps most damaging of all, negative publicity.

Shelley Thomas is a Partner and Michelle Morgan is a Solicitor in the Commercial team at Hill Dickinson LLP. They can be contacted by email.