The General Data Protection Regulation (GDPR) and The Data Protection Act 2018 (DPA)
If you cannot find the answer to your question from the information provided on each of the Information Governance pages, schools should in the first instance contact their Data Protection Officer (DPO). If your school has purchased the DPOaaS from SPS or Cantium Business Solutions please email firstname.lastname@example.org or call 0208 0501387 or 07487 264222.
General Data Protection Regulation
GDPR has replaced the Data Protection Act 1998 (DPA) and represents the biggest change to data protection law for 20 years. With some GDPR breaches carrying fines of up to 4% of global annual turnover or 20 million Euros (approx £17 million), now is the time to start planning. Individuals have stronger rights to be informed about how organisations use their personal information.
For the first time in data protection law, the GDPR will introduce the requirement of “accountability”. In basic terms, accountability means that organisations will not only be required to comply with data protection requirements, but also that they must demonstrate that they comply. The big difference around GDPR is that it’s very much focused around being able to prove compliance.
Many of the GDPR’s main concepts and principles are much the same as those in the old Data Protection Act, however, there are new elements and significant enhancements, so you will have to do some things for the first time and some things differently.
The Data Protection Act 2018
The UK's third generation of data protection law. The new Act aims to modernise data protection laws to ensure they are effective in the years to come.
- The DPA 2018 has a part dealing with processing that does not fall within EU law, for example, where it is related to immigration. It applies GDPR standards but it has been amended to adjust those that would not work in the national context.
- It also has a part that transposes the EU Data Protection Directive 2016/680 (Law Enforcement Directive) into domestic UK law. The Directive complements the General Data Protection Regulation (GDPR) and Part 3 of the DPA 2018 sets out the requirements for the processing of personal data for criminal ‘law enforcement purposes’. The ICO has produced a detailed Guide to Law Enforcement Processing
- National security is also outside the scope of EU law. The Government has decided that it is important the intelligence services are required to comply with internationally recognised data protection standards, so there are provisions based on Council of Europe Data Protection Convention 108 that apply to them.
- There are also separate parts to cover the ICO and their duties, functions and powers plus the enforcement provisions. The Data Protection Act 1998 is being repealed so it makes the changes necessary to deal with the interaction between FOIA/EIR and the DPA.
What is the difference between the GDPR and the DPA?
The GDPR has direct effect across all EU member states and has already been passed. This means organisations will still have to comply with this regulation and we will still have to look to the GDPR for most legal obligations. However, the GDPR gives member states limited opportunities to make provisions for how it applies in their country. One element of the DP Bill is the details of these. It is therefore important the GDPR and the Bill are read side by side.
Take a look at the ICO website for more information
The Regulator (Information Commissioners Office)
ICO website has lots of very useful information to assist organisations with their compliance.
Data Breach Reporting Webinar. This webinar is aimed at Data Controllers and gave advice and guidance on how and when to report security breaches to the ICO. You can view this webinar by clicking here.
GDPR e-learning course
We have developed a GDPR e-learning course for school staff to take to ensure they are aware of their responsibilities. This course will provide an overview of the new legislation and what the changes will mean for your schools. We recommend that all staff complete this module as part of their induction; this learning will also form part of your school mandatory training cycle and should be revisited regularly.
To take the course please visit Kent CPD Online. Once you have completed the course and submitted the evaluation form the system will generate a certificate.
GDPR help for schools
- Every school is classed as a Data Controller under the data protection legislation because they decide how personal data for which they are responsible is processed. Each school and every employee has a legal duty to protect the privacy of information relating to individuals that it processes.
- Here is the new Model GDPR and Data Protection Policy for Schools. (DOC, 93.0 KB) together with the new Appendix 1 procedure (DOC, 56.0 KB).
- Review the schools' Information Security Policies and/or Procedures to make sure you have the right procedures in place to detect, report and investigate a ‘personal data’ breach. Certain breaches must be reported to the ICO within 72 hours and you may be required to inform the individuals whose data has been put at risk. For more information see relevant section below and the Information Security page .
- If the school has engaged with any third parties who process personal data on behalf of the school (Data Processors) the school will need to have data processing agreements (basically, transparent agreements about what happens to the data to ensure it is GDPR compliant) in place. Any contracts that do not contain the necessary provisions will need to be amended. Schools need to look at what they have in place and whether it is adequate.
- Ensure data privacy is at the heart of all future projects, by carrying out Data Protection Impact Assessments (DPIA’s). Look at how to implement them by following the ICO guidance and by using the ICO template available on their website. If teachers want to introduce a new piece of subject-specific software or use any new processing system there needs to be a clear process in place to inform the DPO and ensure it is done compliantly by carrying out a DPIA.
- Take a look at the GDPR pages on the SPS website. You can also find out about GDPRiS a cloud-based platform designed specifically for Data Protection Officers (DPOs), schools, and 3rd party data processors in schools. It reflects existing processes and the way schools work, whilst pro-actively prompting them to meet and exceed the new General Data Protection Regulations. The simple and intuitive GDPRiS platform has been designed to help schools meet and exceed the new GDPR regulations at a price they can afford. Please contact the team on 03000 41 11 15 for more information on GDPRiS.
Data protection fee
See the new data protection fee guidance (PDF, 217.1 KB) from the ICO. The new fee replaces the requirement to 'notify' or register which is in the Data Protection Act 1998. This was previously £35 annually for schools. There are now three tiers of fee and controllers are expected to pay between £40 and £2,900.
- Tier 1 - micro organisations - you have a maximum turnover of £632,000 or no more than 10 members of staff. The fee is £40
- Tier 2 - small and medium organisations - you have a maximum turnover of £36 million or no more than 250 members of staff. The fee is £60
- Tier 3 - large organisations - if you do not meet the criteria for tier 1 or tier 2, you have to pay the tier 3 of £2,900.
See the ICO website for more information and to take a quick self-assessment test to find out if you need to pay the fee.
Data Protection Officer (DPO)
Schools must appoint a Data Protection Officer. Therefore you need to consider who in the school is going to fulfill this mandatory role? It is possible for groups of schools, or MATs to share a DPO, or schools can use an external DPO. Read this document (DOCX, 16.8 KB).
We have also produced a Job Description and Person Specification for a DPO (DOC, 74.0 KB) in schools, which we hope will help you.
The GDPR sets out seven key principles:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Storage limitation
- Integrity and confidentiality (security)
These principles should lie at the heart of your approach to processing personal data. For more detailed information take a look at the ICO webpage.
Personal data is defined in the GDPR as:
“‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
This means personal data has to be information that relates to an individual. That individual must be identified either directly or indirectly from one or more identifiers or from factors specific to the individual.
Special category (sensitive) personal information
The GDPR refers to sensitive personal data as “special categories of personal data” (see Article 9). These are:
- Racial or ethnic origin
- Political opinions
- Trade union membership
- Religious of similar beliefs
- Health or sexual life
- Genetic data
- Biometric data
The special categories specifically include genetic data and biometric data where processed to uniquely identify an individual.
Lawful basis for processing
The requirement to have a lawful basis in order to process personal data is not new. However, the GDPR places more emphasis on being accountable for and transparent about your lawful basis for processing.
The six lawful bases for processing are similar to the old conditions for processing, although there are some differences. You now need to review your existing processing, identify the most appropriate lawful basis, and check that it applies.
The biggest change is for public authorities, who now need to consider the new ‘public task’ (e) basis first for most of their processing, and have more limited scope to rely on consent or legitimate interests.
The GDPR brings in new accountability and transparency requirements. You should therefore make sure you clearly document your lawful basis so that you can demonstrate your compliance in line with Articles 5(2) and 24.
If no lawful basis applies to your processing, your processing will be unlawful and in breach of the first principle. Individuals also have the right to erase personal data which has been processed unlawfully.
The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data:
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
For more detail on each lawful basis, read the relevant page on the ICO website.
You should consider which lawful basis best fits the circumstances. You might consider that more than one basis applies, in which case you should identify and document all of them from the start.
You must not adopt a one-size-fits-all approach. No one basis should be seen as always better, safer or more important than the others, and there is no hierarchy in the order of the list in the GDPR.
You may need to consider a variety of factors, including:
- What is your purpose – what are you trying to achieve?
- Can you reasonably achieve it in a different way?
- Do you have a choice over whether or not to process the data?
- Are you a public authority?
If you are a public authority and can demonstrate that the processing is to perform your tasks as set down in UK law, then you are able to use the public task basis. If not, you may still be able to consider consent or legitimate interests in some cases, depending on the nature of the processing and your relationship with the individual. There is no absolute ban on public authorities using consent or legitimate interests as their lawful basis, but the GDPR does restrict public authorities’ use of these two bases.
Processing special category data
If you are processing special category data, you need to identify both a lawful basis for processing and a special category condition for processing in compliance with Article 9. You should document both your lawful basis for processing and your special category condition so that you can demonstrate compliance and accountability.
Further guidance can be found on the ICO website in the section on special category data.
The GDPR provides the following rights for individuals:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
Privacy notice guidance
- Privacy Notice template for parents and pupils (DOC, 77.5 KB)
- Privacy Notice template for school workforce (DOC, 63.0 KB)
- Privacy Notice template for Early Years Settings (DOC, 62.5 KB)
- Visit the DfE for access to all Privacy Notices
- Privacy Notice for SEND
- Privacy Notice for Governors
For more information on privacy notices take a look at the ICO guidance.
Personal data breaches
- The GDPR introduces a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority. You must do this within 72 hours of becoming aware of the breach, where feasible.
- If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, you must also inform those individuals without undue delay.
- You should ensure you have robust breach detection, investigation and internal reporting procedures in place. This will facilitate decision-making about whether or not you need to notify the relevant supervisory authority and the affected individuals.
- You must also keep a record of any personal data breaches, regardless of whether you are required to notify.
When a personal data breach has occurred, you need to establish the likelihood and severity of the resulting risk to people’s rights and freedoms. If it’s likely that there will be a risk then you must notify the ICO; if it’s unlikely then you don’t have to report it. However, if you decide you don’t need to report the breach, you need to be able to justify this decision, so you should document it.
For more information on data breaches take a look at the ICO guidance.
DfE GDPR Toolkit for Schools
The DfE have published a GDPR Toolkit for Schools (PDF, 614.1 KB). It’s a clear and concise document outlining 9 key steps for schools to take towards to ensure compliance with GDPR. The document provides tips and guidance only and is intended to support schools draw out areas of risk.
Data protection and photography in schools
Policy and guidance (PDF, 461.5 KB) is available for Kent schools, settings and Kent County Council services on the use of photographic images of children. Look at the e-safety pages for more guidance and information.
Parents wishing to capture the moment their child crosses the finish line at their school sports day should not be deterred by data protection myths. The Information Commissioner's Office (ICO) is reminding parents that the Data Protection legislation does not prevent them taking photographs of their children and friends participating in school events. Read the full press release