GDPR in schools – ensuring best practice

It's been almost two years since the GDPR came into force. We look at its impact and the ways schools can develop best practice in data protection.

When it came into force in May 2018, the General Data Protection Regulation, more commonly known as the GDPR, brought to everyone's attention the importance of protecting personal data.

The GDPR affects the use, storage and other processing of personal data, i.e. information relating to an identifiable living person, ranging from a name and address, to bank details and ID numbers and includes a host of other identifying information .

Whilst the GDPR was an evolution rather than a revolution of the previous regulations governing personal data, the introduction of fines up to €20 million or 4% of annual turnover (if higher) focused the minds of organisations on the importance of protecting personal data.

This article will look back at some of the action the UK's data protection authority, the Information Commissioner's Office ("ICO"), has taken since the introduction of the GDPR to guide schools and academy trusts when looking to improve their practice.

Enforcement action

The ICO made headlines in July 2019 when it announced its intention to fine British Airways £183.39 million following a breach of its security which led to the financial information of around 500,000 customers being compromised.

The key message here is that, even though this was a malicious cyber attack on British Airways, the company had failed to put in place appropriate security measures to protect the personal information it held. This reinforces the importance of network security in IT systems and of ensuring that adequate security measures are in place, which are both key parts of any risk management strategy.

The National Cyber Security Centre provides useful guidance on the risks posed by internet systems and communications and identifies some key security controls that can be put in place. These range from straightforward measures, such as password protection of sensitive documents (to limit access to such documents) and the use of secure passwords, to more technical measures such as encryption as a means of increasing security.

Schools may be vulnerable to cyber attacks given the sensitive information they hold (including financial information) and the number of users able to access their IT systems. Appropriate training should be given to all members of staff to ensure that they can identify potential attacks and take steps to prevent such attacks being successful.

Audits of educational organisations

The ICO has undertaken several audits of academy trusts and other education institutions since the introduction of the GDPR, analysing their compliance with data protection law and advising on ways in which to improve data protection compliance moving forward.

Many of the reports are accompanied by an executive summary of the issues identified and suggestions for improvement. Some of the common suggestions from these executive summaries are:

• Improved, bespoke training should be delivered to staff at an appropriate level and advanced training should be given to those responsible for data protection (such as the appointed data protection officer and those who routinely share personal data);
• Responsibility for handling data protection matters should be assigned at a senior level to improve compliance;
• Arrangements for sharing personal information with third parties need to be reviewed (both immediately and on an ongoing basis) to ensure they contain adequate safeguards to protect personal data. This applies equally to relationships with other data controllers (who decide what to do with the information they receive) and relationships with data processors (who handle personal information only on the instruction of the school).

In addition to the above, the ICO found that many academy trusts have failed to put in place some of the key documentation required under the GDPR (such as records of processing activities).

Schools and academy trusts should use the ICO reports to identify and address weaknesses in their own data protection compliance.

Further guidance available

There are many general and school-specific data protection guides available.

A good starting point is the Department for Education's Data Protection toolkit for schools. The ICO's website has education-specific FAQs, which were prepared in the lead up to the GDPR, alongside a wide range of other resources and guidance addressing specific issues of GDPR compliance.