Data Reform, Online Checks for Job Applicants, and DfE Updates – SchoolPro TLC Monthly Newsletter – Issue 26 – July ’22

In this month’s newsletter:

The UK Data Protection and Digital Information Bill has been introduced

Read our advice for conducting online checks on job applicants as per KCSIE 2022

Review the latest DfE updates – biometric data, use of personal data, choosing an MIS

Throw a spotlight on a partner we recommend working with

Ensure that you are aware of some of the latest cyber threats

Discover what Data Protection question we have answered this month

New and updated compliance templates from our online platform

A round up of data protection in the news

The end of another academic year is here and our breach log has been lighting up with incidents of end of year reports being sent to the wrong person! If your school has fallen foul of this particular breach, now would be a good time to review your systems in advance of 12 months’ time.

Are there additional or more robust checking processes that you can introduce?
Are there alternative systems you can use to get reports home?
Have you considered going digital with reporting and communication?

The start of the new academic year is also a time when many schools are still sending out Data Collection Sheets to families. This can be another breach risk and it would be worth asking yourself those same three questions about this process too. Pre-empt the breach before it happens!

The main topic this month focuses on the now-introduced UK Data Protection and Digital Information Bill. It is still early days for the new Bill but we give our early takes at this stage. There is also:

information on making online checks on job applicants as per KCSIE 2022;
updates from the DfE on biometric data, how the DfE handles personal data and information about choosing an MIS;
our partner spotlight highlighting a company we work with and recommend;
the latest information on recent and current cyber threats;
a previously asked question about releasing CCTV footage to a member of the public; and
the latest on the new & updated resources in Global Documents since the last newsletter.

Due to the topics we have included this month, we haven’t created an ‘All Staff’ update. We expect there will be one with the next newsletter in the new academic year.

And, as always, if you have any further questions about the topics below, or if you would like to book your next visit from us, either online using video conferencing or onsite now many schools are accepting visitors, please get in touch via our new email address DPO@schoolpro.uk.

Don’t forget, if there is anything else that you need support with at this time, please ask and we will do whatever we can within our capacity to assist.

Stay safe and healthy!

The UK Data Protection and Digital Information Bill

On the 18th July, the Government introduced their new Data Protection and Digital Information Bill (formally known as the Data Reform Bill). We broke down some of the implications of their consultation response last month and not a lot has changed now that the bill itself has been introduced.

Whilst timescales are still unclear, it could be that the new Bill will come into force by early 2023. However, potential ministerial and/or Government changes in that time could impact both the Bill and the timescales around it. As could the various readings as it goes through parliament.

This is the first area that we want to focus on at this early stage:

Senior Responsible Individuals

The new Bill replaces the current requirement to have a Data Protection officer with a requirement to appoint a ‘senior responsible individual’ (SRI). The SRI has to be “a designated individual [who] must be part of the organisation’s senior management” or two or more individuals who act jointly if people are employed part-time and share a single senior management role.

Just like a DPO currently, the details of the SRI must be publicly available and the SRI must be “individuals who play significant roles in the making of decisions about how the whole or a substantial part of its activities are to be managed or organised.” This would seem to rule out the possibility of an externally appointed SRI and also raised questions about conflicts of interest.

The Bill then goes on to list the tasks of the SRI (many of which overlap with a current DPO) in paragraph 30:

(a) monitoring compliance by the controller with the data protection legislation;
(b) ensuring that the controller develops, implements, reviews and updates measures to ensure its compliance with the data protection legislation;
(c) informing and advising the controller, any processor engaged by the controller and employees of the controller who carry out processing of personal data of their obligations under the data protection legislation;
(d) organising training for employees of the controller who carry out processing of personal data;
(e) dealing with complaints made to the controller in connection with the processing of personal data;
(f) dealing with personal data breaches;
(g) co-operating with the Commissioner on behalf of the controller;
(h) acting as the contact point for the Commissioner on issues relating to processing of personal data

The Bill continues with, and this is key, “The senior responsible individual designated by a controller must be responsible at least for performing the tasks listed in paragraph 30 or securing that they are performed by another person.”

This then, brings back the role of the externally appointed individual or company and addresses the potential issues around conflicts of interest that the SRI might have when performing those tasks. In fact, the Bill clearly states that “Where the performance of one of its tasks would result in a conflict of interests, the senior responsible individual must secure that the task is performed by another person.”

When identifying who ‘another person’ could be, the Bill states that “the senior responsible individual must consider, among other things:

(a) the other person’s professional qualifications and knowledge of the data protection legislation,
(b) the resources likely to be available to the other person to carry out the task, and
(c) whether the other person is involved in day-to-day processing of personal data for the controller or processor and, if so, whether that affects the person’s ability to perform the task.”

For a more in depth review of how the new Bill compares to the old requirements of the GDPR, see the IAPP’s comparative analysis – UK DPDI Bill: Comparative analysis with the EU GDPR and ePrivacy framework | IAPP

Here is an accessible version of the Data Protection and Digital Information Bill.

KCSIE 2022 – Online Checks for Job Applicants

Paragraph 220 of Keeping Children Safe in Education 2022 states that “schools and colleges should consider carrying out an online search as part of their due diligence on the shortlisted candidates. This may help identify any incidents or issues that have happened, and are publicly available online, which the school or college might want to explore with the applicant at interview.”

We have been contacted by a few schools about the possible data protection implications of this. They are as follows:

Consider the purpose of this processing. In this case, it is part of your recruitment process so any data that you collect or process as part of this, should only be used for that purpose.
Make sure you know what lawful basis you are using for this processing. As this is being proposed within statutory legislation (i.e. KCSIE 2022), the lawful bases that apply are likely to be Article 6(c) legal obligation or Article 6(e) public task. In this case, Article 6(e) would seem to be the most appropriate.
Consider what actual data you are going to be processing – are you going to be keeping any results from these online searches? If so, what? And for how long? And how are you going to keep the data secure? This essentially covers a number of the principles of the UK GDPR such as data minimisation, storage limitation, and integrity and confidentiality.
In terms of retention, use your retention schedule (refer to the IRMS Toolkit or similar) to identify how long you might consider keeping any relevant data from the searches. Make sure this is proportionate to the purpose.
And finally, consider transparency. Your job applicant privacy notice should make it clear that this data is going to be processed and explain the points above.

We know that our privacy notice templates need an update as a result of this update to KCSIE 2022. We will be looking to get those updates done over the summer and the new templates available on the portal in time for the new academic year.

Biometric Guidance & Other DfE Updates

Over the past month, the DfE has sent out a number of updates to their guidance which impact on data protection work. These are as follows:

The final update of these three is simply a new tool for digging into the information of a number of MIS tools and comparing features. However, the other two require a little more explanation:

Protection of Biometric Information of Children in Schools

The updated guidance was only released yesterday morning (21st July) so we haven’t had a chance to fully process it yet. However, we will be doing so over the summer and getting out any updates to schools in advance of the new school year. It may mean an update to our:

Biometric Data Policy template
Biometric Data DPIA template

These are both documents that you should have in place if you are processing biometric data so we will look at ensuring the most up to date templates are available for schools before the start of the new academic year.

How to Apply for Access to Personal Data from the DfE and its Executive Agencies

For this update, the DFE has uploaded new versions of the National Pupil Database data tables, School Workforce data tables, Individualised Learner Record data tables and the Higher Education Statistics Agency data tables. They have also made minor updates to the application form, guidance and information security questionnaire.

There isn’t any specific action that you need to take here as our privacy notice templates already contain links to this DfE page and so will link to the latest guidance on it as it is updated.

Partner Spotlight

Each month we throw the spotlight on a different partner. This month it is Cloud Happi who say:

“We’re on a mission to shake up IT in schools, and to show you there is a better way. Very quickly, we’ll switch your school to fast, secure and affordable cloud-based technology. No mess, no loss of access, and no disruption to your pupils and staff – the only thing your staff will notice is fast, secure, fuss-free technology. Contact us today, and start your journey to better IT.”

Recent and Current Cyber Threats

Increased Ransomware Threat

Organisations can get advice about how to prevent and protect against ransomware at the NCSC ransomware hub here:

A guide to ransomware – NCSC.GOV.UK

Warnings continue to go out with regards to an increased cyber threat as a growing consequence of the on going situation in Ukraine. More information on what actions you can take can be found here:

Actions to take when the cyber threat is heightened – NCSC.GOV.UK

Email Security Tool

The NCSC has recently launched an email security tool to assist organisations in checking their defences. The security service check helps organisations to identify vulnerabilities. More information can be found here:

New email security tool launched to help organisations… – NCSC.GOV.UK

NCSC Expands Services to Protect Against Online Scams

A record number of scams were removed online in 2021. This was due to the Active Cyber Defence programme and the National Cyber Security Centre has significantly expanded its services in order to protect the UK against this new level of threat. Read on for more:

NCSC significantly expands services to protect UK from… – NCSC.GOV.UK

Other Threats Identified…

Facebook Phishing Scam – Security company PIXM has warned of a Facebook scam, active since Q4 2021, which has ensnared nearly 10 million users. The credential harvesting scam uses a fake Facebook login page. When a user logs in, the threat actor gets their credentials and can then use an automated program to send out the link to the user’s Friends via Facebook Messenger. The advice is to take extra care with any messages received through Facebook Messenger. (Cheltenham IT Support | Reform IT)
Child-Monitoring Android App Eavesdropping Risk – Cybernews researchers have warned that many popular child-monitoring Android mobile apps may also be leaking the parents’ data to potentially malicious third parties via the third-party trackers in the apps. The researchers have also warned that the insecurely implemented Secure Sockets Layer (SSL) certificate handling and open-source code in some of these apps could leave them vulnerable to man-in-the-middle attacks. The advice is for parents to either research these apps fully online before choosing one, or consider the merits of focusing more on teaching children how to recognise online threats e.g., grooming, and how to spot and avoid dangerous websites. (Cheltenham IT Support | Reform IT)
Threat From Exploiting Macros in Microsoft Word Due to macOS Flaw – Microsoft’s 365 Defender Research Team has warned that a flaw in macOS coupled with Microsoft Word’s backward compatibility could allow the circumvention of App Sandbox rules. This could enable potentially malicious macros to run in Word, leading to users downloading malware, or ransomware. The advice is for macOS users to install the security updates released by Apple on May 16, 2022, as soon as possible. (Cheltenham IT Support | Reform IT)

Previously Asked Question

We are asked data protection questions by schools on a daily basis and there are some questions that come up regularly. We now have an FAQ section on the website for these and all of our answers are published there. You can find this on the Data Protection page of the website or in the blog. Here is one of the questions we’ve been asked recently and the answer we have provided. We will publish more in future newsletters:

We’ve been asked for CCTV footage by a member of the public of an incident in our car park. They want it for insurance purposes. Should we share this footage?

Answered May ’22.

The Surveillance Camera Code of Practice states the following:

7.2 There may be other limited occasions when disclosure of images to another third party, such as a person whose property has been damaged, may be appropriate. Such requests for images or information should be approached with care and in accordance with the data protection legislation, as a wide disclosure may be an unfair intrusion into the privacy of the individuals concerned.

7.3 A system operator should have clear policies and guidelines in place to deal with any requests that are received. In particular:

Arrangements should be in place to restrict disclosure of images in a way consistent with the purpose for establishing the system.

Where images are disclosed, consideration should be given to whether images that may identify individuals need to be obscured to prevent unwarranted identification.

Those that may handle requests for disclosure should have clear guidance on the circumstances in which disclosure is appropriate.

The method of disclosing images should be secure to ensure they are only seen by the intended recipient.

Appropriate records should be maintained.

7.4 Judgements about disclosure should be made by a system operator. They have discretion to refuse any request for information unless there is an overriding legal obligation such as a court order or information access rights. Once they have disclosed an image to another body, such as the police, then the recipient becomes responsible for their copy of that image.

We’ve highlighted some of the key points in bold. It is down to the school to decide if it is appropriate and you will need to demonstrate you have guidance on this (which should be in your CCTV Policy) and a way of recording requests. We have a CCTV Request Log template in Global Documents on the portal that could be used for this, or it could be logged as a Data Decision.

Other legislation to consider is the UK GDPR and DPA 2018. This is technically a SAR although you are disclosing a third party’s data. This guidance is the most relevant – What should we do if the request involves information about other individuals? | ICO. The guidance states that you can release data about a third party without their consent if you feel it is reasonable to comply with the request without that individual’s consent. Step Three of the guidance on ‘information about others’ shows the considerations that the school should take about releasing this information. As long as you are making the considerations as seen in the guidance, taking into consideration that context, then you will not go too far wrong.

You could also consider limiting the amount of information too – perhaps if you are able to extract and release stills of the footage rather than the footage itself, or even just the details of the car/driver – this may assist with this decision.

We spoke to the ICO about this specific situation and they said:

These decisions can be tricky to make, but with the use of the guidance and your knowledge of the context of the situation, you should be able to justify either holding the information back, or releasing it. In either case you will be balancing up the information rights of all parties involved.

So, in summary, the key actions will be:

Ensure that the CCTV Policy is in place and contains the correct information (as well as ensuring there was appropriate signage at/near the location)
Decide based on the above whether it is appropriate to release the data
Record that decision making process
Record that the data has been shared (appropriately securely).

Answered May ’22.

The Surveillance Camera Code of Practice states the following:

7.2 There may be other limited occasions when disclosure of images to another third party, such as a person whose property has been damaged, may be appropriate. Such requests for images or information should be approached with care and in accordance with the data protection legislation, as a wide disclosure may be an unfair intrusion into the privacy of the individuals concerned.

7.3 A system operator should have clear policies and guidelines in place to deal with any requests that are received. In particular:

Arrangements should be in place to restrict disclosure of images in a way consistent with the purpose for establishing the system.

Where images are disclosed, consideration should be given to whether images that may identify individuals need to be obscured to prevent unwarranted identification.

Those that may handle requests for disclosure should have clear guidance on the circumstances in which disclosure is appropriate.

The method of disclosing images should be secure to ensure they are only seen by the intended recipient.

Appropriate records should be maintained.

7.4 Judgements about disclosure should be made by a system operator. They have discretion to refuse any request for information unless there is an overriding legal obligation such as a court order or information access rights. Once they have disclosed an image to another body, such as the police, then the recipient becomes responsible for their copy of that image.

We spoke to the ICO about this specific situation and they said:

These decisions can be tricky to make, but with the use of the guidance and your knowledge of the context of the situation, you should be able to justify either holding the information back, or releasing it. In either case you will be balancing up the information rights of all parties involved.

So, in summary, the key actions will be:

Ensure that the CCTV Policy is in place and contains the correct information (as well as ensuring there was appropriate signage at/near the location)
Decide based on the above whether it is appropriate to release the data
Record that decision making process
Record that the data has been shared (appropriately securely).

New & Updated Resources on the Portal

Since our last newsletter, we have added a large number of links to websites we think you will find useful. These can be found in the ‘Important Weblinks’ folder in Global Documents and includes links to sites such as Action Fraud, the National Cyber Security Centre and the ICO.

We have also added a new folder where we are going to put Data Processor Agreements (DPAs) that have been signed by companies (processors) and that can be used by schools. At present, there is a single DPA in the folder for Squirrel Learning Ltd – GoRead, GoWrite, GoApps.