Autumn Data Protection Update – SchoolPro TLC Monthly Newsletter – Issue 21 – November ’21

It has been a long time since our last monthly newsletter. We have been extremely busy supporting our schools with their data protection needs as well as our other services like confidential waste, governor support, safeguarding training and timetabling. A lot has happened since we last sent you a newsletter so we have a bumper edition for you and next month’s ready with all the topics we couldn’t fit into this one!

The main topic this month focuses on Subject Access Requests (SARs). We’ve created a new checklist to assist you with managing the process as well as template documents such as letters for data subjects to acknowledge and respond to their request. We will also have more specific advice regarding extending SAR deadlines, applying exemptions, and managing emails with SARs over the coming months. There is also:

  • guidance for staff to reduce their risk of becoming a victim to a cyber attack;
  • an overview of the exciting new features now available on our online training platform; 
  • information on the ICO’s Children’s Code and how it impacts on schools;
  • the lowdown on the latest ICO guidance regarding Freedom of Information (FOI) requests;
  • a previously asked question about publishing historical photos in closed social media groups and/or on a public website; and
  • the latest on the new & updated resources in Global Documents since the last newsletter.

As always, if you have any further questions about the topics below, or if you would like to book your next visit from us, either online using video conferencing or onsite now many schools are accepting visitors, please get in touch via our new email address DPO@schoolpro.uk. And don’t forget, if there is anything else that you need support with at this time, please ask and we will do whatever we can within our capacity to assist.

Stay safe and healthy!

Subject Access Requests

Subject Access Requests can feel like a very daunting and time consuming process to work through, especially when there are a huge number of other priorities taking your attention. We’ve created a straightforward checklist to assist you with this process and help streamline it for you. You can click on the image below to download a copy for future reference. Remember, we are always on hand to provide advice and guidance throughout.


The first point is key – Don’t Panic! After that, it is important to inform us of the request so that we can start to provide support. You can notify us by logging the SAR on the Data Protection Portal (SchoolPro TLC) or contacting us directly.

Next, it is important to ensure that the request is authentic (especially if it has come in electronically) and this may also give you the opportunity to clarify the request. You can’t “narrow down” the scope of the request but you can ask if the requester is looking for anything specific which may reduce the scope anyway and speed up the process for you and them.

As part of authentication, you should also consider if the data subject needs to provide consent for data to be released. If the request comes from a third party acting on behalf of the data subject (for example, a parent or a solicitor), the data subject may need to give consent for the data to be released. This will depend on the age of the data subject and their competence/maturity to understand their data rights. Remember, data belongs to the individual and not their parents or another individual.

Global Documents on our portal (SchoolPro TLC) contains two letter templates. The first can be used as an acknowledgement of the request and it confirms what the individual has requested, expected timeframes and the likelihood of exemptions and redactions to the data. This can be sent once all of the information has been confirmed, the request authenticated and consents provided (if needed). At this point, the data can be collated and any exemptions identified. We can certainly support when it comes to identifying appropriate exemptions and understanding what should/shouldn’t be redacted.

The second letter acts as a covering letter to the data when it is sent to the requester and confirms what has been done and why. It also is an opportunity to clarify exemptions although there are some exemptions that you would not identify as this would prejudice their use. Again, we can advise on this for you.

The data for the SAR should be securely returned with supporting information, most of which will be in your privacy notices and Data Protection Policy. This includes:

  • your purposes for processing;
  • categories of personal data you’re processing;
  • recipients or categories of recipient you have or will be disclosing the personal data to (including recipients or categories of recipients in third countries or international organisations);
  • your retention period for storing the personal data or, where this is not possible, the criteria for determining how long you will store it;
  • the individual’s right to request rectification, erasure or restriction or to object to processing;
  • the individual’s right to lodge a complaint with the Information Commissioner’s Office (ICO);
  • information about the source of the data, if you did not obtain it directly from the individual;
  • whether or not you use automated decision-making (including profiling) and information about the logic involved, as well as the significance and envisaged consequences of the processing for the individual; and
  • the safeguards you have provided where personal data has or will be transferred to a third country or international organisation.
    (What is the right of access? | ICO)

We are going to publish further information on how extensions to the one month timeframe may apply and how to manage requests that include emails. We will share that with you over the coming months. The detailed advice on SARs from the ICO is helpful and does answer most questions as well – Right of access | ICO. Ultimately, we are here to support you and, as we said at the start, don’t panic!

Cyber Security Risks

We’ve sent out some dedicated emails regarding this topic but we want to remind everyone again of the basics as we are still seeing breaches as a result of cyber security issues:

  • Be wary of any unexpected emails that you have received, especially if they have attachments or links in them that you are asked to open or click on.
  • If an unexpected email like this has come from someone you know (either internally or externally to your organisation), check with them that the email has come from them. They should be able to confirm if it is a legitimate email that they meant to send to you or if it is something malicious.
  • Speak to your IT Support and make sure that you have the most up-to-date software running on your systems and that your system has adequate and up-to-date security.
  • Make sure that you, your staff, and your organisation have good password procedures in place and are practicing what you preach.

And please don’t forget the resources that are available through the National Cyber Security Centre:

See the new features on our online training system!

Over the summer, we added a new feature to our training platform to make setup and reporting easier for schools and also more customisable. We have been rolling it out over the past term to the schools using the platform but wanted to take time to show you how it works. The system is called Classrooms and it allows us to create ‘Classrooms’ within the training site and assign specific courses and staff to them. That way, when staff login they only see the course you want them to see and your reporting is much easier. A .csv export will give you a really clear overview of who has and hasn’t completed which course and is more user friendly than the previous progress reports the system provided. An imminent update to the Classroom system will also enable you to see completion dates for each staff member on the reports. On the normal Group Management page (Group Management – SCHOOLPRO TLC) there is now a button that takes you to you Group Classrooms. There, you will see a page that looks like this:

 

The Classrooms themselves are managed in the top section and reporting below. We have already put in place the Classrooms for you, it is now over to you to populate them and get the staff training. And we can support you with that too of course! You can download our new guide to setting up users in the system by clicking below:

Finally, to aid with navigation around our site, we have added a search function and changed the menu options in our site header to the following:

  • School Portal Login – access to the Data Protection Portal for reporting breaches, SARs and Data Decisions, as well as our document library in Global Documents.
  • My Training Account – access to the training courses and, for Group Leaders, the Group Management and Classrooms pages.

And finally, you may also have noticed that we have changed our main data protection email address from GDPR@schoolpro.uk to DPO@schoolpro.uk. Don’t panic if you forget and use the old address though, we will still get your email!

 

ICO Children’s Code


The ICO’s Children’s Code came into effect in September 2021 after a year of consultation and build up. So what is it and what does it mean?

“The Children’s code (or Age appropriate design code to give its formal title) is a data protection code of practice for online services, such as apps, online games, and web and social media sites, likely to be accessed by children” (Children’s code: additional resources | ICO). Schools, therefore, aren’t directly impacted by the code but the online services that you use, are.

However, the ICO does encourage schools to aspire to meet the 15 standards set out in the code (Code standards | ICO) which include “best interests of the child”, “age appropriate application”, “transparency” and “detrimental use of data” among others. 

The ICO has produced this handy set of FAQs for schools with regards to the code on the education technologies (edtech) that it applies to:

FAQs for education technologies (edtech) and schools | ICO

The FAQs do provide some interesting clarification around when an edtech supplier is a processor of your data and when they are a controller in their own right. This will impact your relationship with them and the agreements you will need in place. This is something that we can support with and will form part of the initial due diligence and compliance checks that should be done when taking on a new edtech provider, no matter how large or small.

The biggest take-away that we have identified from the implementation of the code so far is the need for Data Protection Impact Assessments (DPIAs – essentially, risk assessments for data processing activities) for ALL online services that children access.

Previously, this was done on a risk basis – low risk services did not need a DPIA, higher risk ones did. But now they ALL need a DPIA. Which is going to involve a lot of work to implement. We have discussed and clarified this with the ICO and they have confirmed that this is the case. 

As a consequence, we are going to be working on this over the coming months to assist you with getting these in place. We still believe that we should start with the higher risk systems first, but over time we will need to have them in place for everything!

Freedom of Information Guidance Update

The ICO recently released an updated Freedom of Information Definition Document for Schools in England. This document is written for all schools in England that are subject to the Freedom of Information Act 2000 (FOIA) including academies and free schools. The document gives examples of the kinds of information that the ICO would expect you to provide routinely in order to meet your commitments under the model publication scheme.

If you are subject to the FOIA, the ICO expects you to implement a Freedom of Information Policy and to adopt and publish their Model Publication Scheme. We have a template for a FOI Policy in Global Documents (SchoolPro TLC) as well as a copy of the Model Publication Scheme. You do not need to amend or edit the Model Publication Scheme.

The Definition Document then identifies the specific information the ICO expects the schools in England to publish under each of the seven classes of information set out in the Model Publication Scheme.

 

If you are a small school (mainly if you are a nursery or small primary), you can adopt the template guide to information for schools instead although you must make it clear which document you are using.

Both of these documents are also available for you in the Global Documents section of the SchoolPro TLC portal as well as our other FOI documentation including our guide to responding to FOI requests. Please ask us if you need support implementing any of these.

 

Previously Asked Question

We are asked data protection questions by schools on a daily basis and there are some questions that come up regularly. We now have an FAQ section on the website for these and all of our answers are published there. You can find this on the Data Protection page of the website or in the blog. Here is one of the questions we’ve been asked recently and the answer we have provided. We will publish more in future newsletters:

We spoke to the ICO about this as one of our schools was looking to use historical photos as part of a large anniversary celebration. The first thing the ICO said was that if photos are used in a closed group (such as a Facebook group where members have to be admitted by an administrator) it poses a low risk to individuals and therefore can be done. The legislation is not too specific around old photos, especially if they have been taken in public places where less privacy is to be expected. It is more complicated using current pupils’ photos and you will need to assess the risk and review consents if photos are published. The risk with historic photos is probably low and there is an exemption in DPA 2018 about use of data in closed groups. The ICO also said that when using photos in a closed group, “we would not expect that you would be seeking consent of those individuals in the photo.”

But what about on a public website? The ICO would not consider it to be a data breach if it is used for school purposes, the photos are taken in a public space, and it is low risk to the individuals. If you can say ‘yes’ to all of those points, you should be able to publish. If you receive objections to publishing, you should consider the request.

So taking those points onboard, it may be that not every image shared on a closed group is appropriate to go into a public, historical gallery. For example, the behaviour of the pupils in the photo may be embarrassing and therefore not ‘low risk’ or it could be a photo from a school residential in a dorm room that wouldn’t be considered a public space.

Equally, any photos that are recent and for which you may have still have photo consents, you should consider the photo consent. So, if you have consents going back 10 years, it would be appropriate to apply those same consents to photos of those children even if they left the school nearly 10 years ago (unless they have specifically said they are happy to have the photo shared).

It would also be worth having a statement on your public gallery that says that images are either from the school’s historical archive or have been shared by former pupils and staff. And that they are deemed appropriate to share as part of any specific event or historical celebration. But if anyone has a specific objection to any of the photos, to contact the school and request removal.

There is more useful information on schools and photos in this blog post published by the ICO:

Blog: Don’t get caught out when it comes to pupil photos | ICO

Next month – we are going to look at how you can manage data contained in emails as part of a Subject Access Request.

New & Updated Resources on the Portal

Since our last newsletter, we have added fifteen new documents and two updated documents:

New Documents

  • DPIA – Admissions+ (Applicaa Ltd)
  • DPIA – Budget Planning Software (SaaS) – IMP Software Ltd
  • DPIA – Medical Tracker
  • DPIA – ParentPay
  • DPIA – Payroll Software – EduPay (Orovia Group Ltd)
  • DPIA – Safeguarding Storage and Communication – Provision Map (Class Charts – EduKey Education Ltd)
  • DPIA – Storage and Communication of Health & Medical Data – Coronavirus Update (to accompany Medical Tracker DPIA)
  • DPIA – Wonde
  • Policy – Acceptable Use Agreement (Staff)
  • Policy – Freedom of Information – Definition Document Schools in England
  • Policy – Freedom of Information – Template Guide to Information for Schools
  • Privacy Notice – Job Applicant
  • Privacy Notice – Visitors
  • SP Service Level Agreement – Full Service for Individual Schools
  • SP Service Level Agreement – Full Service for Trusts

Updated Documents

  • Policy – Acceptable Use
    • Improved wording clarifying organisation’s ability to monitor network activity including email.
  • Privacy Notice – Workforce School
    • Minor update to correct text.

Browser tracking protections won’t stop tracking, warns DuckDuckGo | The Register

Booking.com fined €475,000 for reporting data breach too late | The Record by Recorded Future

Facebook Hack: Data on 533 Million Users Is Online for Free | Bloomberg

Apple is getting serious about enforcing its new privacy rules for iOS apps | TechRadar

Vaccine Passports: Privacy Concerns and Tech Challenges | Flipboard

The hidden fingerprint inside your photos | BBC Future

LinkedIn Data Breach – 500M Records Leaked and Being Sold | CyberNews

Pets’ names used as passwords by millions, study finds | BBC News

Facebook will not notify the half a billion users caught up in its huge data leak, it says | The Independent

Clubhouse Data Leak – 1.3M SQL Database Leaked Online | CyberNews

UK’s National Cyber Security Centre recommends password generation idea suggested by El Reg commenter | The Register

Estate agent’s hi-tech house tour exposes personal data | BBC News

‘This was not a breach’: How Big Tech gaslights the world on data leaks | POLITICO

Uber hit with default ‘robo-firing’ ruling after another EU labor rights GDPR challenge | TechCrunch

Dartington Hall Estate dossier ‘breached data protection rules’ | BBC News

University of Hertfordshire pulls the plug on, well, everything after cyber attack | The Register

Facebook faces mass legal action over data leak | BBC News

Microsoft received almost 25,000 requests for consumer data from law enforcement over the past six months | The Register

TikTok faces claim for billions in London child privacy lawsuit | Reuters

East London council blurts thousands of residents’ email addresses in To field blunder | The Register

What not to expect when you’re expecting: Fertility apps may be selling intimate health secrets | The Register

They Told Their Therapists Everything. Hackers Leaked It All | WIRED

Privacy activist Max Schrems on Microsoft’s EU data move: It won’t keep the NSA away | The Register

Google Play to require privacy labels on apps in 2022, almost two years after Apple | The Register

​Please contact us if you do have further questions at DPO@schoolpro.uk.
 

SchoolPro TLC Ltd (2022)

SchoolPro TLC is not responsible for the content of external websites.