Most schools are aware that the Data Protection Act 1998 (DPA) applies to the data they hold, but what that means in practice is not always clear. This can present significant risks, given the volume and variety of data which schools collect, much of which is potentially sensitive personal data.
To help schools make the right decisions (and avoid hefty fines), the Information Commissioner’s Office (ICO) published a report on 17 September specially designed for the education sector. This bulletin sets out a summary of the key points from the ICO’s report, as well as a link to the report itself. The key points are:
- Notification – make sure you notify the ICO accurately of the purposes for your processing of personal data.
- Personal data – recognise the need to handle personal information in line with the data protection principles.
- Fair processing – let pupils and staff know what you do with the personal information you record about them. Make sure you restrict access to personal information to those who need it.
- Security – keep confidential information secure when storing it, using it and sharing it with others.
- Disposal – when disposing of records and equipment, make sure personal information cannot be retrieved from them.
- Policies – have clear, practical policies and procedures on information governance for staff and governors to follow, and monitor their operation.
- Subject access requests – recognise, log and monitor subject access requests.
- Data sharing – be sure you are allowed to share information with others and make sure it is kept secure when shared.
- Websites – control access to any restricted area. Make sure you are allowed to publish any personal information (including images) on your website.
- CCTV – inform people what it is used for and review retention periods.
- Photographs – if your school takes photos for publication, mention your intentions in your fair processing/privacy notice.
- Processing by others – recognise when others are processing personal information for you and make sure they do it securely.
- Training – train staff and governors in the basics of information governance; recognise where the law and good practice need to be considered; and know where to turn for further advice.
- Freedom of information – after consultation, notify staff what personal information you would provide about them when answering FOI requests.
The ICO’s report provides a short, practical, easy-to-read guide to help schools tackle the most common data protection issues facing the education sector. Much of the report will also be useful for other organisations, particularly in the public sector. That said, both schools and any other organisations subject to the DPA must be careful to comply with the eight principles of the DPA, not just the recommendations of the report. Bearing that in mind, the ICO’s report is a very useful tool in raising awareness of data protection issues and how best to avoid them. The ICO’s “prevention is better than cure” approach is no doubt very welcome.