At this year’s ASCL (Association of School and College Leaders) conference, a guest said to us: “The GDPR? Wasn’t that last year?”
Our heads fell into our hands. How was it possible for someone to be so misguided about such a well-publicised regulation? Granted, 2018 was very much ‘the year of the GDPR’ in some circles. It came into effect in May 2018, following much discussion and a late surge of activity from organisations that had left compliance until the last minute.
But compliance isn’t a one-time thing. The GDPR continues to apply to any organisation that processes the personal data of, or monitors the behaviour of, EU residents.
A brief summary of the GDPR
The GDPR works like this: there are data subjects (that’s individuals like you and me), and we own our own personal data. The GDPR considers personal data to be anything that identifies, or can be used to identify, a living person, such as your name, National Insurance number or email address, whether it’s a personal or work account.
The GDPR outlines a list of steps organisations must take to protect that information. It also contains eight data subject rights that give individuals more control over the way organisations use their personal data, including:
- The right to access the personal information organisations store on them;
- The right to request that organisations rectify any information that’s inaccurate or incomplete;
- The right to erase personal data when it’s no longer necessary or the data was unlawfully processed; and
- The right to object to processing if the individual believes the organisation doesn’t have a legitimate reason to process information.
Organisations that fail to meet these requirements face fines of up to €20 million (about £18 million) or 4% of their annual global turnover, whichever is greater.
GDPR compliance in schools
Schools have a particularly hard time of it when it comes to the GDPR. They often work with tight budgets and lack the resources to retain a dedicated information security team.
Additionally, schools process large amounts of children’s data, which merits extra protection. In some cases, there are specific rules that apply to children, which means data processors must work out whether the data subject qualifies as a child (defined as under 13 in the UK) before proceeding.
If that’s the case, the data processor must account for requirements concerning:
Can you use consent?
Organisations cannot legally obtain consent from children. Instead, they must seek the approval of a person holding “parental responsibility”, and make “reasonable efforts” to verify that the person providing the consent is indeed a parental figure.
This requirement doesn’t apply in the context of preventive or counselling services offered directly to a child.
Organisations must ensure that privacy notices targeted at children are written in plain language that could reasonably be understood by data subjects.
This is similar to general rules about privacy notices, but it’s important to remember that the language you use must be appropriate to the intended audience. What’s considered plain language to a 12-year-old will probably be a lot different from what’s plain to, say, a 5-year-old.
Online services offered to children
In most cases, consent requests for children will relate to online services, or what the GDPR refers to more generally as information society services. These include things such as online shopping, live or on-demand streaming and social networks.
The GDPR states that consent must be closely regulated in these services because children “may be less aware of the risks, consequences and safeguards” of handing over their personal details.
Schools aren’t GDPR-compliant
These are reasonable requirements, but many schools still fail to understand the importance of compliance or make the necessary changes. The ICO (Information Commissioner’s Office) reported that breaches in the education sector increased by 43% in the first three months that the GDPR was effective.
The number of security incidents increased from 355 in the second quarter of 2017–18 to 511 in the same period last year. Meanwhile, the number of incidents involving data breaches increased from 239 to 353.
The ICO found that common disclosure issues included:
- The loss or theft of paper or digital files;
- Emailing information to the wrong recipient; and
- Accidental verbal disclosure.
There has also been a sharp increase in the number of cyber attacks targeting schools, with a 69% rise in malware, ransomware and phishing scams between 2017 and 2018.
Mark Orchison, managing director of cyber security firm 9ine, warned that “schools don’t have the internal expertise” to deal with cyber attacks, and they lack “the skills to understand the risks or what to do when [an attack] happens”.
“Schools are seen as an easy target,” he added. “Sending false invoices, for example, is easy money.”
The figures aren’t all bad news, though. Orchison suggested that the rise in data breach reports may well be a case of schools becoming more aware of what breaches are and when they need to be reported.
GDPR checklist for schools
Staying on top of your GDPR compliance requirements can seem daunting, which is why we encourage all organisations to create a plan of action.
If you need help deciding what that plan should include, take a look at our GDPR checklist for schools. It will help you record your school’s progress towards GDPR compliance and identify any areas where development may be required.
A version of this blog was originally published on 28 March 2019.