What do schools need to look out for and do differently to other organisations?
No matter what type of organisation you are, there are some key steps you should be taking to prepare for the General Data Protection Regulation (GDPR), including data mapping, analysis of the lawful basis for processing data, and implementation of changes to policies and procedures. In this article we highlight particular issues arising for academy trusts.
Public Authority status
Those familiar with academies will know that academy trusts are already designated as public authorities for the purposes of Freedom of Information Act requests. There is no separate definition of a "public authority" in the GDPR, and whilst the government has power to redefine particular organisations and remove public authority status for the purposes of GDPR, it has expressed no intention to do so for academies.
What does this definition mean for academy trusts?
Appointment of a data protection officer (DPO)
All academy trusts must appoint a DPO whose tasks include:
- advising the academy trust with regard to its data protection obligations;
- monitoring the academy trust's compliance with GDPR; and
- acting as first point of contact for the ICO and data subjects.
The DPO should report at Board level but should operate independently, and will have statutory protection against being dismissed or penalised for performing the role. The DPO may be an employee, provided there is no conflict with their existing professional duties, or the position may be contracted out.
"Legitimate interest" basis for processing data will not apply
Generic advice on GDPR states that all organisations processing personal data must do so within one of the six prescribed legal bases; these are:
1. consent of the data subject;
2. performance of a contract with the data subject;
3. to comply with a legal obligation;
4. to protect the vital interests of the data subject;
5. legitimate interest pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject; or
6. performance of a task carried out in the public interest or in exercise of official authority.
Academy trusts will have additional hurdles to overcome if seeking to rely on (1), consent, and in any event cannot rely on (5), legitimate interests.
Consent as a basis for processing data may not be appropriate
Academy trusts will not necessarily be able to rely upon the legal basis of consent to justify processing personal data either. In draft guidance published earlier this year the Information Commissioner's Office (ICO) confirmed it considers public authorities' use of consent to be unfair where there is an imbalance of power. It says:
Consent will not usually be appropriate if there is a clear imbalance of power between you and the individual. This is because those who depend on your services, or fear adverse consequences, might feel they have no choice but to agree – so consent is not considered freely given. This will be a particular issue for public authorities and employers.
In the context of an academy trust this will be most relevant when processing the personal data of employees, parents and pupils.
The draft ICO Guidance also states consent will not be a fair basis for processing where you would still process the personal data on a different lawful basis even if consent were refused or withdrawn. In such circumstances the ICO considers seeking consent from the data subject to be misleading and inherently unfair, presenting the individual with a false choice and only the illusion of control. Therefore it may not be lawful to rely on consent as a type of "catch-all" where there is some other more relevant basis for processing.
What legal basis for processing data can academy trusts use?
Academy trusts (and other public authorities) will need to identify the most appropriate lawful basis for processing data from the start. This will depend on what you hold and why.
Consider processing data about staff, pupils and parents as a key, but by no means the only, concern. Consent is not sufficient if it cannot be shown that such consent was freely given (as referenced in the ICO guidance noted above). In any event, consent may be withdrawn at any time.
Legitimate interest is not available to a public authority.
In the case of employee data, processing may be necessary for the performance of a contract to which the data subject is a party (being the employment contract). Alternatively, some processing may be necessary for compliance with a legal obligation to which the academy trust, as data controller, is subject such as collecting PAYE payments.
Of the two remaining bases:
1. protecting the vital interests of the data subject or another person is only likely to apply in "life and death" situations; and
2. the ICO suggests public authorities should rely on the sixth basis, where processing is necessary for the performance of a task carried out in the public interest or in exercise of official authority vested in the controller. This basis has been further defined in the Data Protection Bill to cover processing of data where it is necessary for the exercise of a function … conferred on a person by an enactment.
At first glance it seems difficult to see what lawful basis an academy trust may have for processing pupil and parent data. Consider data relating to a pupil's academic progress for example. What is the lawful basis for an academy trust to send home reports?
It is important to bear in mind that, for secondary students, it is they (and not the parent, guardian or other responsible adult) who are the data subject and who can therefore exercise data subject rights and withdraw consent.
There is a clear legal obligation to report to parents annually, under the Education (Independent School Standards) (England) Regulations 2010. The situation is not so clear cut when contemplating more frequent, e.g. termly reports.
Academy trusts could argue that the processing of data to produce regular school reports is necessary to exercise the function of an academy as conferred by the Academies Act 2010, and thereby follow the ICO's advice and use the legal basis of "necessary for … or in exercise of official authority" as set out at (2) above. Why is regular reporting necessary? Regular information to parents regarding a pupil's progress may be viewed as necessary to support the home/school contract and to further the pupil's education by engaging those with parental responsibility in the process.
Given the ink is not yet dry on the draft legislation or the ICO's guidance on consent, the situation may change and we may gain more clarity. In the meantime analysis of the issues surrounding production of school reports highlights the importance of identifying the purpose for which data is held and seeking to identify the legal basis for processing. At the same time academy trusts should review existing home/school contracts and privacy notices to consider whether they describe the purpose and lawful basis upon which data is processed in light of the legal bases available to them.
Chris Billington, Head of Education at Wrigleys notes that "Academy trusts must move beyond any assumption that they are entitled to process personal data as and when they wish. Compliance with the new data processing rules does require an extensive data mapping exercise so that the academy trust can identify what data it holds and why. The academy trust will then need to ensure that they are covered by one of the legitimate bases under GDPR. However, there is no need to go it alone. All academy trusts, maintained schools and local authorities are going through this process; some are further along than others. This is an opportunity for academy trusts to engage with others and help develop best practice".