How the Department for Education ran into trouble with the ICO

Being as clear as mud when it comes to Data Protection

A key principle of data protection is transparency. You must be upfront about what you plan to do with personal data.

A failure to be transparent has recently brought the Department for Education into the Information Commissioner’s Office’s sights. Information from the annual census returns was apparently shared with Immigration Officials, without the data subjects being informed. This is the opposite to what you should be doing.

According to an article in the Guardian the ICO position is that:

“Our view is that the DfE is failing to comply fully with its data protection obligations, primarily in the areas of transparency and accountability, where there are far reaching issues, impacting a huge number of individuals in a variety of ways.”

It’s not clear yet what the consequences for the DfE will be from these findings.

Just a few days before the news about the DfE broke, the Information Commissioner felt compelled to ensure that political parties understood their data protection responsibilities as we head towards the election in December.

In addition to telling the parties that they needed to follow the principles of data protection, she also specifically addressed the controversial issue from the Brexit Referendum and subsequent elections – advertising on social media.  You can read the Commissioner’s full statement here.

These concerns are about transparency. How do you know what someone is doing with your personal data and how that usage might affect your rights and freedoms? The GDPR is very clear about the information that should be provided especially when your personal data is being used. It’s not always clear how well individuals understand the information presented to them, if they are given any at all.

The principle of transparency doesn’t just apply to political parties and government departments. It should be the cornerstone of the data protection policies and practices for every organisation.

So, what does Transparency mean for an organisation in the Education sector?

  • You must be clear about why you are processing personal data
  • You must be able to show you’re using the minimum data necessary
  • You must be able to show you have a legal basis for your processing and sharing of data
  • You must take action to inform individuals about how their data is being processed

How can you demonstrate that you’re meeting these requirements?

Your data mapping, providing it follows the model set out by the ICO will address the first three and your privacy notices should address the last item.

Our experience is that many schools and colleges haven’t mapped their use of personal data to the level of detail that the regulation expects, and this could become a problem if a complaint is raised by a data subject.

You may know in detail how data is collected, stored, updated and shared, but the legislation requires that this is documented. Does your documentation fully cover the movement of personal data around the organisation?

Do your privacy notices strike the balance of informing individuals about how their data is used while being accessible and unambiguous.

While you try and figure out the fake news from the real around the election it may be a good time to ensure that you’re being properly open about the way you collect and use personal data.

If you are unsure how you process data, or would like some guidance on how to document this, please contact our GDPR experts on 0113 804 2035 or click here.

/by

GDPR Problems Most People Are Facing

Are you facing the same GDPR problems as most?

We asked a number of both Data Protection Officers and GDPR Leads in Education what the most common GDPR problems they come across are, interestingly, most of the answers were the same, so we thought we would put together a list of GDPR problems and some ways of how to resolve them.

1. Not Enough Time

Yes, we all struggle with it. Often, a DPO also has one or more other roles within the School, School Business Managers and Senior Leadership Teams are often the first point of call when seeking a new Data Protection Officer. These roles are often picked because the DPO is required to be a senior manager and needs a really good all-round understanding of the school. However, Business Managers have to co-ordinate much of the non-teaching activity and the members of the SLT have to combine teaching, line management and other development projects.

We can’t make extra time (if only!) but where we can help is to ensure that you focus on the highest priority items. Whether it’s through our GDPR training, getting visibility through the Sentry System or even getting us to take on some of the load,5 we can help you deal with GDPR more efficiently

2. Lack of GDPR Knowledge

It is no surprise that many DPO’s don’t understand the full complexities of GDPR requirements, such as data mapping, retention schedules, when a breach should be reported to the ICO and the web of complexity in a data protection impact assessment. The Data Protection Officer is responsible for advising on the interpretation of the regulations with all difficulties that real life can throw at a situation.

Here at GDPR Sentry, we offer GDPR Training, from basic staff awareness training to complex Data Protection Officer training to ensure you have all the knowledge you need for your compliance journey.

3. 24/7 Availability

DPO’s have holidays, and rightly so! When on annual leave, a Data Protection Officer is unlikely to want to be available to discuss breaches or the response to a subject access request. Most DPO’s would prefer not to have to be available at weekends and in the evenings. However, If a breach occurs and it needs to be reported to the ICO, this needs to be done within 72 hours of when the breach was discovered.

We recommend other members of your team are up to date with GDPR, so that in the event of absence, breaches and SARs can be dealt with efficiently and correctly. We can even provide out of hours or holiday cover to support the DPO.

4. Conflict of Interest

In the real world many decisions are driven by calculations of cost and benefit. The Data Protection Officer is expected to always put data protection first, even when this may create higher costs or cause issues for the organisation. For DPOs who are juggling more than one role this can create conflicts of interest where data protection is balanced against other priorities.

The DPO is meant to have no role in decision making about data processing at the same time as being a senior manager. Outside of very large organisations this is almost impossible to achieve. This is most evident during a data protection impact assessment.

We can support the risk assessment of an impact assessment ensuring that every angle is considered, and you have an objective perspective for your initiative.

5. Getting a Second Opinion

If you are a Data Protection Officer and you come across something you are unsure of, where do you turn? A lot of DPO’s we work with have admitted they feel like there is no support, they are expected to be the ‘go to’ person for all things data protection, however, due to a combination of the points above, unfortunately, a newly appointed DPO can’t know everything about such complex regulation.

 

If you can relate to any of the above GDPR problems, you are not alone. GDPR Sentry are here to support Data Protection Officers with their role, offering a range of one-off or ongoing support services. To speak to our GDPR Experts, click here.

/by

The latest position of Brexit and GDPR…

Wednesday 23rd October 2019

Following on from our latest update last week, ‘How Brexit will affect GDPR’, as always with Brexit, there is another twist in the tail.

In the increasing febrile corridors of Westminster, the latest set of proposals for an orderly Brexit offer a crumb of comfort from the perspective of data protection and the GDPR.

Article 67 of the new Withdrawal Agreement makes it clear that at least until the end of the Transition Period (31/12/2020) data protection between the EU and the UK will continue to be governed by GDPR as it is currently.

This should give plenty of time for any work required to ensure an adequacy decision is in place by the time the Transition Period ends.

Whether you’re for or against leaving the EU, the prospect of not having to prepare rafts of new contractual clauses for EU data controllers must be considered positive.

Of course, given the uncharted territory we’re in, the prospect of a no-deal Brexit can’t be completely discounted. If this should happen then the UK will not be considered a suitable location to transfer data into from the EU.

Although it’s the responsibility of the data controller transferring information, you need to be prepared to demonstrate that you have a solid legal basis to receive personal data. The Information Commissioner’s Office website still has good guidance on what you’d need to do.

Once there is any further clarity, we’ll provide an update, although we’re not holding our breath!

Click for more GDPR News for Education

/by

Schoolboy branded ‘Harry2’ to comply with Data Protection

With the ‘Harry2’ story recently hitting the headlines, we ask, how far do Schools really need to take data protection?

Newhey Community Primary School have branded Harry Szlatoszlavek with a number 2 as his surname, so they can differentiate between him and another boy with the same first name.

The Rochdale based Primary School says they are complying to data protection regulations by not including surnames on notebooks, just in case they are taken out of the classroom.

Harry Szlatoszlavek’s mum Tanya had contacted the Information Commissioners Office and been informed this policy is not necessary.

Tanya strongly believes the School are taking away Harry’s own identity by branding him ‘Harry2’, she said ‘he even received a Christmas card saying ‘Harry2 from Jack2’

With this recent story, we thought it worth considering how far Schools need to go with compliance

The GDPR is a large piece of legislation which many find overwhelming. Schools have to deal with hundreds, sometimes thousands of students and their personal data.

We have outlined below some ‘GDPR Myths’ and the true situations;

  • All data breaches must be reported to the ICO

Truth: If a breach is likely to result in a risk to people’s rights and freedoms then it must be reported to the ICO within 72 hours. Not all breaches need to be reported and this decision ultimately lies with your Data Protection Officer to make the judgement as to report the breach or not.

  • Personal data can’t be processed without consent

Truth: Most of the personal data processed by schools and colleges is done on the basis of performing a public task, or under a contract. Consent is only really used where the data is not obligatory. Good examples are the consent to use photographs and giving information about ethnic origin.

  • All student records must be deleted once they have left the School

Truth: When a student moves school, it is a legal requirement that their main pupil file move with them, this applies to transfers between schools as well as the transition between primary and secondary school. Schools can keep information about the registration of pupils.

  • It is against data protection regulations to take photos of students

Truth: The key word we always need to consider here is “necessary”. If you need photos to demonstrate a pupils’ progress, for example, this can be considered necessary. A photo to be used on a Management Information System is a standard requirement. In other circumstances you may need to gain consent to use photos. Providing you have considered your justification, there is no prohibition on using photos.

  • No surnames should be on any documentation which could be removed from the school premises

Truth: This comes back to the same question of something being necessary. If you have 20 children in a school called Emily, then a surname will be essential to differentiate between them. The GDPR is interested in ensuring that data is protected appropriately when it is being used, not trying to determine how is can be used.

 

If you are unsure on how to be fully compliant with the GDPR, please feel free to get in touch with our Education GDPR specialists here.

/by

Deal or No Deal; How Will Brexit Affect GDPR?

Among the political turmoil as we approach the deadline of the 31st October for leaving the European Union, data protection is now being mentioned. Some schools have received guidance about actions that may need to be taken.

The essentials of the situation are these. Despite us having gone to considerable effort to implement GDPR and to enshrine it within UK law, in the event of a No-Deal Brexit, the UK will not be considered an acceptable country for storing personal data about EU citizens under the GDPR.

It would have been expected that a Brexit deal would have included this ‘Adequacy’ decision.

The question is about the how the GDPR regulates International Transfer of information. It applies when an organisation inside the European Economic Area (EEA) sends data to an organisation in the UK. It does not apply when the data is being provided directly by the data subject themselves.

So, for example if a school in France is providing information about a group of students coming on an exchange trip then this would be a transfer between two data controllers. In contrast, if a student from France registers to attend a college in the UK, that would not count as an international transfer.

What needs to be done?

If we have a No-Deal Brexit you need to consider if a data controller in an EEA country is transferring personal data to you. Examples might be getting funding information about international students or receiving references about members of staff from organisational in the EEA.

The Information Commissioners Office has provided a handy tool to create a contract between controllers to enable this transfer to continue. You can find the tool here and you should definitely consult your data protection officer, who can provide more details.

If you would like further information on GDPR, and how it may affect your education facility, please contact us via our contact form or call 0113 804 2035.

/1 Comment/by

Documenting Data Breaches

Documenting Data Breaches

Why paper and spreadsheets may not be enough…

  • A Breach Scenario

You’ve experienced a breach where information was sent to the wrong person. During the investigation it became clear that the person whose data was breached was aware of it happening. You took the actions that seemed appropriate and decided that it wasn’t necessary to report to the Information Commissioner’s Office (ICO). Case closed.

This is a situation that you might recognise and it’s a pattern that many breaches follow.

If you type ‘data breach’ into a search engine like Google, high in the list of predicted searches is ‘Data breach compensation’. On the pages this search returns you’ll find law firms letting people know about their right to compensation. This compensation can cover both direct losses and emotional distress. It’s very hard to demonstrate that someone didn’t experience distress. You’ll also see that some firms are focused on ‘public authorities’ including schools for raising these claims.

If someone makes a claim it can be strengthened by making a complaint to the ICO. This is quite a simple process although it may take some time. If you’ve provided even fairly basic information to the data subject about what has happened this may be enough for the ICO to make a determination. The first you hear about it may be when you’re informed of the decision.

  • Managing the details

It would be great to think that if you can prevent breaches from ever happening then the problem would be solved. While a breach free world would be excellent it’s not the real world, breaches do happen. Of course, it’s important to put measures in place to reduce the risks of breaches occurring, but it’s also important to pay attention to what happens when they do.

You can have the best measures in place, but if you can’t demonstrate them then they won’t help if a complaint arises.

  • Legal requirement

The time limit for a claim is six years and breach records should therefore be retained for this period of time.

Paper and spreadsheets

There is a risk that using paper and spreadsheets may simply not provide the required level of documentation and could significantly increase the level of risk from a potential claim down the line.

System – Keep track of your actions

By using a system, you can fully document the action that you’ve taken around a breach incident including communicating with data subjects. You can create a timeline, add notes and attachments so that all the information is to hand, whenever you need it.

This is where the Sentry system can help

           

/by
data breaches

Managing Data Breaches

Data Breaches Happen

How will you deal with one?

 

Breaches come in many shapes, sizes, and severities. It’s critical to recognise that an integrity breach with a single inaccurate word can be as serious as a classic confidentiality breach.

Part of your training for all staff needs to be about recognising when a data breach has happened. For schools’ breaches often involve misplaced papers or devices or emails sent to the wrong person. Although hacking does occur it represents a small fraction of the breaches reported by educational establishments.

Staff should know to look for:

  • Information being put in the hands of the wrong people
  • Paperwork or devices being lost or stolen
  • Significant errors in information – including being out of date
  • Issues with email both recipients and content

Handling a breach effectively is practical, preventing breaches is nearly impossible

 

Here are some elements you’ll need in your breach plan:

 

INVESTIGATION

The fundamentals

You’re in the 72 hour window.

  • Get the facts, don’t look for blame
  • Involve the person who discovered the breach
  • Make records, you’ll need them later

Critical things to know.

  • How many people might be affected
  • What sort of data is affected and how much of it
  • An initial understanding of how the breach happened
  • Has anyone been affected by the breach
  • How might people be affected

Difficult, but must be done.

  • If you think criminal action is involved report it to the police
  • You might have to initiate disciplinary action

 

MITIGATION

Where possible;

Depending on the nature of the breach, there may be little that can be done

  • The type of breach governs what can be done
  • The objective is to minimise the harm that may come from the breach
  • By acting quickly then it’s possible to stop any harm

There is no rocket science here.

  • Lost devices may be able to be remotely locked or wiped
  • Credentials can be forced to be changed (even if that’s everyone)
  • Incorrectly distributed material can be recovered
  • Inaccurate information can be updated

But remember:

  • Keep records of all the actions you take
  • Don’t create a new breach by updating with inaccurate information
  • Rushing to tell affected individuals may make the situation worse

 

NOTIFICATION

A need to know basis:

This is where you need a level head and good advice

  • You need the initial investigation and know that mitigation is underway
  • This is a judgement about the risk to the data subjects
  • You don’t have to have evidence of harm before reporting

The basic decision seems simple.

  • What might happen because of the breach
  • How likely are those consequences?
  • What might the emotional impacts of the breach be
  • What might people need to do to protect themselves from further harm

Reporting requirements:

  • All the information gathered in the investigation is required
  • If you can, report by calling the ICO – have the paperwork ready
  • The report is often not the end of the process

 

REPAIR

Stopping it happening again.

The reason why you need to keep a breach record:

  • Record the details of every breach
  • Patterns can tell you something is wrong
  • Having no breaches logged probably means you’re not spotting them

Delivering a long-term fix can require several actions, for example:

  • Identifying that there is a need for additional training
  • Implementing additional protections to existing situations (having lockable drawers for example)
  • Introducing new working methods (cloud storage rather than USB storage)

Sometimes more detailed work is required.

  • If a particular system or process has been involved in more than one breach, you need to understand why
  • Undertaking a Data Protection Impact Assessment will help you isolate the weaknesses
  • This may lead to significant changes to the way you process personal data.

 

For further information on managing breaches, speak to our team today.

/by

Sentry System – Updates

Summer Updates!

With our brand, we didn’t want to completely change the GDPR Sentry our customers know and love, so we made some minor improvements instead, and wanted to share them with you! Can you spot any new features on our website?

As well as website changes, our technical team have also been busy making some improvements to our Sentry System, all as a result of our customers’ feedback.

Sentry System: What’s new?

Restricted Access

Sometimes the information recorded about a subject access request or a breach is highly confidential. Our Sentry System now allows access to records to be limited to the person who restricts them and those users assigned to the case.

The tools you need for this are on the status page. Users who have not been assigned do not even see the item in their list of records.

You might consider using this function if data concerns child protection, any form of criminal action or disciplinary actions where it would be inappropriate for all users to see. Remember that Standard users also see only those items that are assigned to them. If you’d like to discuss how to manage user access levels, please get in touch.

 

 

Auditing

As outsourced DPO’s, we visit schools, trusts, colleges and universities annually to perform compliance audits. We look at things such as display of data, data handling, and security including where paper data is located and secured. We would then put together a report of our findings. All auditing requirements and reports are now available within Sentry, which means you can complete audits and upload the reports directly into the system for your records.

 

Notifications

We have had many requests for a notification feature to be added to Sentry, so we added it. Notifications are extremely useful when managing compliance across a number of schools or a large college. The new notification feature alerts you to any new SARs or Data breaches that are added to the system, for any of your schools or sites.

 

Customer feedback is valuable to us, and we can usually tailor Sentry to work for your individual requirements.

Check out our updated website gdprsentry.com, where you can also look at all of our products and services, such as Training, Auditing and outsourced DPO.

For further information on any of our services, please speak to our team today.

 

/by
DPO

Appointed DPO? But How much do you really know?

Since 2017, Schools, Trusts and Colleges have been bombarded with stories about the requirements and risks of failing to comply with GDPR. The mass of information around the internet can seem daunting even overwhelming, but we are here to help you on your journey to compliance.

Any schools in state sector, including local authority nursery provision, are required to have a data protection officer (DPO) by law. Many schools have already met this requirement, by allocating this role to an existing member of staff, often IT managers or Business managers. Others have bought in services from providers like local authorities, legal firms, IT suppliers and specialised consultants, however, it isn’t always easy.

Being a Data Protection Officer (DPO) demands a deep knowledge of data protection law and practice. It also requires that the DPO has no conflicts of interest. For most schools, and trusts, having a person who can meet these requirements is extremely challenging.

The DPO is responsible for:

  • Informing the organisation on its GDPR obligations
  • Monitoring the compliance
  • Being the first point of contact for employees and supervisory authorities
  • Ensuring that staff are properly trained
  • Conducting audits and supporting data protection impact assessments

GDPR compliance must integrate with the day to day operation of the organisation, how confident are you that you are doing everything required by the ICO?  

As practicing DPO’s ourselves, we are here to support you.  

Being appointed to this demanding role comes with a heap of confusion, our aim is to bring you solutions to control your compliance.

That’s why we have developed the Sentry System, specifically for the Education Sector. Sentry allows you to manage all compliance in one place, whether it is for one school, across a trust or a multi campus college.

To find out more about how our Sentry System can help you, click here. Or, if you require additional support, we are more than happy to help. Contact our support team here.

/by

Why Schools Should Do Their Homework Too

With so much confusion and little understanding around GDPR, we were always expecting some interesting headlines.

This week, The BBC reported how a local authority in Sweden incurred a large fine, after trialling facial recognition on students to keep track of attendance.


The Swedish Data Protection Authority (DPA) fined Skelleftea Municipality  200,000 Swedish Krona (£16,800) for flouting a privacy law.

The trial took place in autumn 2018 and had been so successful, the school considered extending it. The DPA noted that, if the trial had been carried out for longer, the fine would have been significantly higher.

The reasons behind the fine…

The GDPR, which came into force last year, classes facial images and other biometric information as being special category personal data (we used to call it sensitive data), with added restrictions on its use.

Although the Swedish local authority did receive parental consent for such actions, the local authority still needed to show it was necessary to use biometric data rather than an alternative.


The local authority had broken the third principle of data protection by using personal data beyond that which was necessary to manage the task of tracking and monitoring attendance.

As a result, the DPA found that Skelleftea’s local authority had unlawfully processed sensitive biometric data, as well as failing to complete an adequate impact assessment, which would have included consulting the regulator and gaining prior approval before starting the trial.

From the school’s point of view, they may have seen this as a great management initiative, a safe and secure way of tracking attendance, thus reducing the time teachers spend monitoring this, but unfortunately for them, they had not done their homework on GDPR.

Read the full story here

/by