The lawful processing of data is a challenge that will affect schools when the new regulations come into play from May 25th 2018. It is one of the principles at the heart of the new regulations. So let’s look at what the new regulations say.
Article 5 of the new regulations sets out the six data protection principles, the first of which is that personal data shall be “processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’).”
For processing by a public body, such as a school, to be lawful (Article 6), it must fulfil one of the following criteria:
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
In the past, we have relied heavily on consent to provide schools with the legal right to process the data of children and, in some cases, that of their parents or carers. In most cases, we have relied on parents to give consent on behalf of the child or, in some cases, asked young people for their consent. In the latter case, we have to show that the child has the ability to understand what they are signing up for. This, however, may not be the best way forward.
Under Article 7, “Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data”. This means that we must show that we have gathered consent for each data processing purpose. We also have to recognise that consent can be withdrawn, stopping the data being used. This ability is emphasised in the new regulations; we’ll explore more about that in future blogs.
A key activity that schools should start to undertake is to review the data they collect, and what they do with that data, to see which of the above conditions apply. Doing this can help avoid the need to seek consent for its use.
Take, for example, completing a return to the DfE. We may be doing this under a legal obligation, which would allow us to share the data without seeking consent, removing the need to request it for this purpose. This makes managing the data much simpler and less reliant on consent, which should only be sought when required. This will only become apparent if we look at the data we collect, and doing so is one of the responsibilities placed on the Controller under Article 24:
“… to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.”
As part of the process, schools are required under Article 13 to share details explaining how the subject's data is being processed (a privacy notice) with the subject, in a format appropriate to them, whether consent is required or not.
The emphasis sits squarely on the controller to show that the school is compliant with the regulations and is processing data accordingly. Failure to be able to show this compliance could lead to a significant financial penalty in the worst cases.
To find out how ICT4C can help your school address the challenge of implementing the new regulations, contact us at firstname.lastname@example.org