Is your school breaching data protection rules by information sharing?
In a report relevant for academies and maintained schools, an ICO investigation concluded that charities had breached the Data Protection Act.
The Information Commissioner's Office (ICO) has recently reported on the findings of its investigation into the data protection practices of two charities (available here) as part of an on-going investigation into practices reportedly common to the third sector. We take a look at this decision in the light of the ICO's new focus on information sharing and consider its relevance for schools.
The ICO found that the RSPCA and the British Heart Foundation have breached the Data Protection Act by:
- sharing donors' information (without their consent) with wealth management companies and screening donors to assess their wealth and the likelihood of them leaving a legacy to the charity;
- hiring companies to find the new contact details of previous donors; and
- swapping personal data with other charities without clearly explaining to donors which organisations data would be shared with.
Fines for data protection breaches
The ICO has fined the RSPCA £25,000 and the British Heart Foundation £18,000. The ICO made clear that the fines levied could have been higher, but that the ICO did not wish to add to the distress of donors. Under the current rules, fines cannot exceed £500,000. Fines are intended to act as a sanction and a deterrent to the organisation and to others but the ICO will take into account factors such as the sector and size of the organisation and their financial resources.
It has been reported that the charities contest the findings. The RSPCA has stated that its practices are widespread in charity fundraising and that appropriate information was given to donors before their information was shared. The charities may appeal the ICO decision.
New data protection rules are due to come into force from 25 May 2018 under which the maximum fine for data protection breaches will rise to the greater of €20 million or 4% of the organisation's annual global turnover.
The ICO has commented that other charities involved in similar practices may also face penalties in the future. Investigations are on-going into the PDSA, the Diabetes Research and Wellness Foundation and the Cancer Recovery Foundation. Publication is also expected of the ICO report into Oxfam, the NSPCC and Macmillan Cancer Support, concerning allegations that an agency working on the charities' behalf was exploiting loopholes in the Telephone Preference Service.
Charity Commission response
The Charity Commission has opened a compliance investigation in response to the ICO action. The Commission has commented that the data protection breaches are "very serious and highly regrettable" but that the charities had "acted properly" by reporting the investigations to the Charity Commission and co-operating fully. There are plans for an educational event on data protection obligations for third sector organisations jointly hosted by the Charity Commission, the ICO and the Fundraising Regulator.
Information sharing by schools
Schools, and academies, should be aware that sharing information with other organisations and sending information to third parties, including parents, could be in breach of the data protection rules and give rise to both reputational damage and significant fines.
All organisations which hold, or process, personal data are required to register with the Information Commissioner. This can be readily done online.
If you hold personal data, and in particular any sensitive data, then you need to ensure that you have the consent of the data subject. How does your school document this?
Who is the data subject? Schools will hold details about a range of individuals, including pupils, students, parents and staff, as well as third parties such as those who regularly visit the school and suppliers.
Schools must usually have the consent of data subjects before sharing personal data such as phone numbers and addresses, even if the information has been requested by a public body (e.g. the police or other safeguarding agency). There is an exception to this rule where a failure to share information may place a child at risk of harm. In such a case, the duty to safeguard children will outweigh the duty to protect someone's personal data. Data protection rules are sometimes used incorrectly to block the sharing of student data; it is important that schools understand what data they must and can share, and when.
However, this does not mean that a school must surrender pupil or parent information whenever an outside agency requests it. For example, the police do have a formal procedure (and forms) which is used to support any proper request for data, and a school will have failed in its data protection and management duties if a request is not properly documented.
The management of more day-to-day information and data relating to pupils and parents can easily cause difficulty. Different statutory reporting requirements apply to maintained schools and to academies which will cover some (but not all) of the information regularly reported to parents.
Schools do need to exercise particular caution when sending information to parents who do not live together, or using online processes, for example when seeking to update student data such as contact details. Schools should ensure that information about one parent is not shared with the other without consent.
With regard to student data, where a student is capable of making their own decisions about personal data (usually taken to be children over the age of 12) then that student will need to consent to any sharing of their data, for example with an estranged parent. Schools should take legal advice in these circumstances.
If you would like to discuss any aspect of this article further or if you have any questions relating to data protection in schools, please contact Alacoque Marvin or Chris Billington on 0113 244 6100.
The information in this article is necessarily of a general nature. Specific advice should be sought for specific situations. If you have any queries or need any legal advice please feel free to contact Wrigleys Solicitors.