
With so much confusion and little understanding around GDPR, we were always expecting some interesting headlines.

This week, The BBC reported how a local authority in Sweden incurred a large fine, after trialling facial recognition on students to keep track of attendance.


The Swedish Data Protection Authority (DPA) fined Skelleftea Municipality 200,000 Swedish Krona (£16,800) for flouting a privacy law.

The trial took place in autumn 2018 and had been so successful that the school considered extending it. The DPA noted that, if the trial had been carried out for longer, the fine would have been significantly higher.

The reasons behind the fine…

The GDPR, which came into force last year, classes facial images and other biometric information as being special category personal data (we used to call it sensitive data), with added restrictions on its use.

Although the Swedish local authority did obtain parental consent for the trial, it still needed to show that using biometric data was necessary rather than an alternative, less intrusive method.


The local authority had broken the third principle of data protection by using personal data beyond that which was necessary to manage the task of tracking and monitoring attendance.

As a result, the DPA found that Skelleftea’s local authority had unlawfully processed sensitive biometric data, as well as failing to complete an adequate impact assessment, which would have included consulting the regulator and gaining prior approval before starting the trial.

From the school’s point of view, this may have looked like a great management initiative: a safe and secure way of tracking attendance that reduced the time teachers spend monitoring it. Unfortunately for them, they had not done their homework on GDPR.


We are all guilty of shuddering a little when hearing the words ‘GDPR’, right? This is especially true when facing the beginning of the new academic year. The maze of legislation, the do’s and don’ts of data, and what to do when a data breach occurs are common concerns for many education providers around the UK. The bad news is that data breaches need to be taken seriously and dealt with appropriately; the good news is that there is support available to help you deal with them. Any organisation within the education sector that handles the personal data of students and staff must be compliant. It is also a legal requirement for schools and colleges in the state sector to have a data protection officer (DPO).

What does ‘being compliant’ mean?

You should be able to answer the questions below confidently, but also show how you do them – for example, where do you keep a record of all data breaches, and how do you know when these should be reported to the ICO?

• How does personal data flow across your school, trust or college?
• How does your organisation deal with data breaches?
• What happens when someone makes a subject access request or another data protection request?
• Who has data protection expertise within the organisation?
• Have all your staff been trained?

Breaches come in many shapes, sizes and severities. It’s critical to recognise that an integrity breach involving a single inaccurate word could be as serious as a confidentiality breach.

We have put together a ‘To Do’ list for dealing with a data breach:

• When dealing with a breach, always start with the assumption that you’ll be notifying the ICO, for which you have only 72 hours.
• Get the facts, don’t look for blame, and always involve the person who discovered the breach.
• You’ll need records later, so begin making records now of every action you take.
• Get the initial investigation going and confirm that mitigation is underway.
• Make a judgement about the risk to the data subjects.
• You don’t need evidence of harm to make a report; gather all the information for the investigation. If you can, report by calling the ICO with the paperwork ready.
• Remember, the report is often not the end of the process.

The above is a simple checklist for dealing with a data breach, but as we all know, data breaches are only a small part of compliance. As practising Data Protection Officers, we can provide support and advice on data breaches as well as SARs, DPIAs, processes, supplier data and more. Speak with our team today.