Being as clear as mud when it comes to Data Protection
A key principle of data protection is transparency. You must be upfront about what you plan to do with personal data.
A failure to be transparent has recently brought the Department for Education into the Information Commissioner’s Office’s sights. Information from the annual census returns was apparently shared with Immigration Officials, without the data subjects being informed. This is the opposite to what you should be doing.
According to an article in the Guardian, the ICO position is that:
“Our view is that the DfE is failing to comply fully with its data protection obligations, primarily in the areas of transparency and accountability, where there are far reaching issues, impacting a huge number of individuals in a variety of ways.”
It’s not clear yet what the consequences for the DfE will be from these findings.
Just a few days before the news about the DfE broke, the Information Commissioner felt compelled to ensure that political parties understood their data protection responsibilities as we head towards the election in December.
In addition to telling the parties that they needed to follow the principles of data protection, she also specifically addressed the controversial issue from the Brexit Referendum and subsequent elections – advertising on social media. You can read the Commissioner’s full statement here.
These concerns are about transparency. How do you know what someone is doing with your personal data and how that usage might affect your rights and freedoms? The GDPR is very clear about the information that should be provided, especially when your personal data is being used. It’s not always clear how well individuals understand the information presented to them, if they are given any at all.
The principle of transparency doesn’t just apply to political parties and government departments. It should be the cornerstone of the data protection policies and practices for every organisation.
So, what does Transparency mean for an organisation in the Education sector?
- You must be clear about why you are processing personal data
- You must be able to show you’re using the minimum data necessary
- You must be able to show you have a legal basis for your processing and sharing of data
- You must take action to inform individuals about how their data is being processed
How can you demonstrate that you’re meeting these requirements?
Your data mapping, providing it follows the model set out by the ICO, will address the first three, and your privacy notices should address the last item.
Our experience is that many schools and colleges haven’t mapped their use of personal data to the level of detail that the regulation expects, and this could become a problem if a complaint is raised by a data subject.
You may know in detail how data is collected, stored, updated and shared, but the legislation requires that this is documented. Does your documentation fully cover the movement of personal data around the organisation?
Do your privacy notices strike the balance of informing individuals about how their data is used while being accessible and unambiguous?
While you try to sort the fake news from the real around the election, it may be a good time to ensure that you’re being properly open about the way you collect and use personal data.
If you are unsure how you process data, or would like some guidance on how to document this, please contact our GDPR experts on 0113 804 2035 or click here.