We are asked data protection questions by schools on a daily basis and there are some questions that come up regularly. Here is a collection of those questions answered for you and we'll keep adding to them over the coming months:
Are emails encrypted in Microsoft 365?
Answered July '20.
A number of schools have asked about this in order to ensure that their emails are secure when sending personal information. The guidance from Microsoft states the following:
Outlook for Microsoft 365 – When you need to protect the privacy of an email message, encrypt it. Encrypting an email message in Outlook means it's converted from readable plain text into scrambled cipher text. Only the recipient who has the private key that matches the public key used to encrypt the message can decipher the message for reading. Any recipient without the corresponding private key, however, sees indecipherable text. Outlook supports two encryption options:
- S/MIME encryption – To use S/MIME encryption, the sender and recipient must have a mail application that supports the S/MIME standard. Outlook supports the S/MIME standard.
- Microsoft 365 Message Encryption (Information Rights Management) – To use Microsoft 365 Message Encryption, the sender must have Microsoft 365 Message Encryption, which is included in the Office 365 Enterprise E3 license.
So unless you know the recipient uses Microsoft 365, we recommend that you still use a secure email tool like Egress. And speak to your organisation's IT Support if you are unsure!
Is Zoom GDPR compliant?
Answered July '20.
Zoom certainly came under fire early in the pandemic as a lot of people were switching on to working from home and video conferencing (many for the first time). Zoom suddenly went from being quite niche to very popular and wasn't really prepared for it. Some of the big security concerns that came up included:
- Facebook data sharing
- Incomplete (or, in some cases, a lack of) end-to-end encryption on calls/conferences
- Zoom-bombings – people joining Zoom meetings without an invite by either finding or guessing the meeting ID and then posting inappropriate or explicit content (clearly a safeguarding concern!)
- Vulnerabilities that allowed malicious actors to access users' webcams (another safeguarding concern)
Clearly these were pretty serious concerns and we recommended that schools avoided running live lessons altogether (something which was also advised by the unions) and used pre-recorded videos instead. If schools did choose to run live lessons, we recommended using software like Microsoft Teams or Google Meet which suffer from fewer issues and are GDPR compliant.
It is our understanding that Zoom has worked hard since March to fix a number of these security issues and make the platform safer and more compliant. Here is an example of a more recent article highlighting the progress that Zoom has made in many of these areas and with advice around how to make your meetings more secure. A number of sources will also highlight how Zoom fails to comply with GDPR such as this blog post.
That being said, Zoom claims to have done work in recent months to fix a number of these issues and claims it is GDPR compliant on its website and in its documentation. But then Zoom have claimed compliance since the GDPR was implemented in 2018.
There are schools out there using Zoom but our advice would be to avoid it. Are there alternative platforms that you can use? Or are there alternative methods that you can use to achieve the same result?
Can we retain photos of pupils as part of our school's historical record?
Answered October '20.
You are indeed able to store the photos as an historical record. There is an exemption in the Data Protection Act (2018) which applies to "Archiving in the Public Interest" which this comes under. (Schedule 2, Part 6, Paragraph 28 of the DPA 2018)
The best way to address this is to ensure that your retention policy states that photos will be kept for the purposes of archiving in the public interest and creating an historical record. It may also be worthwhile adding that statement to your photo consents going forward so that parents/pupils are aware in advance. Technically, you don't have to get consent for this (that's what the exemption means) but you might want to let people know that photos will be archived in this way. You don't have to though!
Within the exemption itself, it states that it is available only where personal data is processed in accordance with Article 89(1) of the GDPR. This is essentially stating that the processing must be subject to appropriate safeguards for individuals' rights and freedoms – among other things, you must implement data minimisation measures.
You must ensure the personal data you are processing is:
- adequate – sufficient to properly fulfil your stated purpose;
- relevant – has a rational link to that purpose; and
- limited to what is necessary – you do not hold more than you need for that purpose.
And it is important to ensure that they are kept securely as well of course, as that would also constitute an appropriate safeguard for individuals' rights and freedoms!
Can we share data with the police if they request it?
Answered October '20.
Essentially, the ICO has been keen to stress that data protection should not be a barrier to sharing data with the police where it is necessary. They have written a blog post clarifying this which can be found here.
The key message is that the GDPR and DPA 2018 do not prevent data sharing but it must be done appropriately. To quote:
"Organisations should remain confident that when asked for personal data to assist the police whether in an emergency, or in their ongoing community policing activities, necessary, relevant and proportionate data can be disclosed in compliance with the law."
Depending on the detail in the data request, it would be worth clarifying that with them so that you are able to appropriately assess whether the information you are disclosing is necessary, relevant and proportionate. This links to the following quote:
"In particular it is in the DPA2018 where organisations will find the rules surrounding the processing of data for law enforcement purposes. In addition, Part 3 of the Act specifically applies to organisations defined as 'competent authorities' – such as police forces, criminal courts and prisons.
Requests for information made by competent authorities must be reasonable in the context of their law enforcement purpose, and the necessity for the request should be clearly explained to the organisation."
They give an example which we think is relevant:
"…take the example of a social worker, who is asked to pass on case files to police containing details of young teenagers. … the social worker might feel reluctant to voluntarily disclose information to the police if the request appears excessive, or the necessity or urgency appears unjustified. So the onus is on the police to provide as much clarity as they can without prejudicing their investigation."
We recommend:
- confirming the authenticity of the request,
- clarifying the request to allow you to make the judgement as to whether the information you are sharing is necessary, relevant and proportionate, and
- recording this in full as a data decision on our portal.
How long should we retain emails as a school?
Answered November '20.
There isn't anything specifically in the GDPR or DPA 2018 that states how long you should or shouldn't keep email. We recommend that schools keep them for the shortest amount of time that is practical and delete as soon as possible. It might be that some emails need to be kept for record but they could be copied to a pupil or personnel file. The rest could then be deleted. The length of time is up to the school really.
The guidance from the IRMS toolkit (Information and Records Management Toolkit for Schools Version 6.0) states the following:
How long do we keep e-mails?
E-mail is a communications tool, and e-mail applications are not designed for keeping e-mail as a record. E-mail that needs to be kept should be identified by content, for example:
- Does it form part of a pupil record?
- Is it part of a contract?
- Does it relate to an employee?
The retention for keeping these e-mails will then correspond with the types of records found in the Retention Schedule for schools below. These e-mails may need to be saved into an appropriate electronic filing system or printed out and placed on paper files. Similarly, information contained within these e-mails should be recorded in the appropriate place (e.g. the MIS or behaviour management system). Once this is done the original could be deleted.
Consider implementing an electronic rule whereby e-mails in inboxes are automatically deleted after a period of time, assuming they have been filed away. This will assist greatly in reducing the amount of information potentially disclosable in the event that a subject access request is received. Consider implementing procedures for the management of inboxes of staff who have left the organisation.
Limiting the information which is retained will also mitigate the school's liability in the event of a breach and will reduce the amount of electronic storage required.
The IRMS toolkit also makes the following point which is something that we discuss in our training:
It's not a filing system
E-mail systems are commonly used to store information which should be stored somewhere else. E-mails and attachments should be saved into any appropriate electronic filing system or printed out and placed on paper files.
Where the text of the e-mail adds to the context or value of the attached documents it may be necessary to keep the whole e-mail. The best way to do this, and retain information which makes up the audit trail, is to save the e-mail in .msg format. Where you just want recipients to read a document, consider sending a link to the documents rather than attaching them.
Should Governors use school email accounts?
Answered November '20.
There are a few different ways to look at this situation.
Firstly, the school is the data controller. As the data controller, the school should be retaining control over its data and that includes communication conducted by and on behalf of the school. The best way to do that is to ensure that it stays within the school's systems – so, in the case of email, within the school's email systems.
Secondly, as the data controller, data protection by design is the overarching priority of data law. Anything that doesn't give the school as the controller the ability to implement controlled security designed into a system is in fact against the principle of data law… ergo if the school chooses to design their email system to ensure security of data, the clerk and governors must use the system. Using their own email does not allow for that design and is a problem. You don't know what security etc. the clerk and governors have in place on their email system so can't guarantee the protection of any data that may end up in that system.
Thirdly, from a practical point of view, the school should always be able to audit any data that it controls including monitoring and audit of emails if necessary. If someone is working on behalf of the school and is using a personal email address instead of the school's, the school is unable to audit or monitor that without requesting access to that person's email account. There is always a risk that if that were the case, the school would be able to access other personal emails on that system that they shouldn't.
Fourthly, and this links to the previous point, when the school is given a SAR, it should be able to search all of its systems for any data regarding the data subject that has put in the request. This could include emails if that has been specified in the request. Someone using a personal email for school business does not give the school easy searchable access to their emails for data in this sort of situation which puts the school at risk of not being able to disclose all of the information it holds.
Should we send out Christmas card lists to parents with names of the children in a class/group/bubble/year?
Answered December '20.
From a pure data protection point of view, giving out the names of the children within a class or year group to all of the parents is not a good idea if they haven't given consent. Whilst a first name on its own might not seem like a lot of data (because it isn't), it can then be matched to the year and class of the child and someone could start to build a picture (even if it is a very blurry one at this point). And it only takes one parent to complain that they didn't want their child's name given out for the school to have to answer some awkward questions. Here are some alternative ideas though:
- Add a line on the consent form regarding sharing a first name only with other members of the class/group/bubble etc. for the purposes of Christmas/Birthday lists when the child joins the school or at the start of the year. Not helpful at this point for the current cohorts we realise but useful for next year onwards.
- Ask consent at this point. This may not be practical depending on the size of the classes or the situation with the pandemic. It could be as simple as the class teacher asking parents that they are happy for their child's name to be on the list as they pick their child up at the end of the day and ticking them off. Or, if the school is using online solutions for communication with parents, putting the question out on that or posting a poll for them to complete.
- Finally, the other thing a lot of schools are doing now is getting the parents to collate the list between them. Then it is the parents that are giving each other the children's names and not the school at all. Some parents have done this by creating a sign-up sheet to go on the outside of the class door so parents add their child's name at pick-up time (maybe not practical during Covid) and then the list is circulated by one of the parents. Others have parents that set up WhatsApp or Facebook groups for the other parents in their class and they share the children's names that way.
Should teacher names be disclosed in information contained in a SAR by a parent or pupil?
Answered December '20.
Regarding redacting teacher names for the SAR, the overall guidance regarding the Right of Access which covers Subject Access Rights is as follows:
The specific areas we want in this case include the guidance on Education Data:
In this guidance, it states, for example: "Parents can only submit a SAR for information about their child if the child is not competent to act on their own behalf or has given their consent." This then links to further guidance (How do we recognise a subject access request (SAR)? | ICO) which clarifies how to make the decision around competency.
The guidance also states "if an educational record contains personal data relating to someone other than the requester (such as a family member), you must consider the rules about third-party data before disclosing it to the requester. However, you should not normally withhold information that identifies a teacher."
On a side note, you also shouldn't provide information that has been "supplied in a report or given as evidence to the court in the case of proceedings" or if "certain specific statutory rules apply to those [court] proceedings that allow the withholding of the data from the individual it relates to." And you also shouldn't provide information if you feel that disclosure could cause serious harm ("cause serious harm to the physical or mental health of any individual").
The final piece of guidance which is of use in this case is this:
What should we do if the request involves information about other individuals? | ICO
In here, it states the following about an education worker: "it is reasonable to disclose information about them without their consent, as long as the disclosure meets the appropriate 'test'."
The test being the following in the case of most of the education establishments we work with:
"For education workers, it meets the 'education data test' if the other individual is a teacher or other employee at a voluntary aided, foundation or foundation special school, an Academy school, an alternate provision Academy, an independent school or a non-maintained special school in England or Wales, and the information relates to, or was supplied by, the other individual in their capacity as an employee of an education authority."
So it is unlikely that teacher names would be redacted from a SAR about a student except in exceptional circumstances.
We are concerned that data released in a SAR, and containing teacher names, could be published online. What can we do? Can we instruct the data subject not to publish online?
Answered January '21.
We have discussed this particular issue with the ICO. They have stated:
"Data protection law gives a right to individuals to access their own data, so the school cannot put additional conditions on releasing the person's own data. If the school is concerned about harm to third parties due to that being released then that may be grounds to withhold it."
As a school then, you cannot tell the data subject what they can or can't do with the data. If you are concerned about harm then you should redact teacher names. The ICO go on to say:
"The school needs to assess if it is reasonable to supply third party [i.e. teacher] data, taking into account that there is a presumption of reasonableness for teachers. They can ask the individual about their intentions with the data in order to make that assessment, and in some cases it is relevant to ask the third party for consent."
Your options then are to speak to the data subject about their intentions and, if you feel there is a risk, redact the names further. It might be that this redaction isn't needed on all emails as there are only some you would be concerned about being published. Will certain emails be detrimental to the teacher if they are posted with their name included? If so, redact those specifically. If you are at a point in the SAR process where the deadline is approaching and the limited time available is not enough, speak to the data subject, explain the need to delay for a short period, and then issue when ready. This would be preferable to issuing incorrectly.
How should I respond to a Right to Erasure request from a parent if a pupil has moved on to another establishment?
Answered February '21.
There will be a number of different contexts to this but the template below can be adapted to fit them. In this example, the pupil has moved to EHE from an Academy so the Pupil File is to be transferred to the LA and the retention schedule is for an Academy. This can be adapted for different transfers and retention schedules depending on context:
"Thank you for sending through your right to erasure (right to be forgotten) request regarding your child's personal data. We are consulting with our Data Protection Officer (DPO) with regards to the processing of this request and are conducting it as appropriate. Under the UK GDPR, we must comply with your request without undue delay and at the latest within one month of receipt of the request. We will therefore endeavour to have completed processing this request by the xxxxxx, one month from receipt of the request on the xxxxxx. This requirement is laid out by the ICO here: Right to erasure | ICO
It is important to note that in the same guidance, it identifies that the right to erasure is not absolute. Data that we process under the legal bases of Article 6(1)(c) 'legal obligation' and Article 6(1)(e) 'public task' are not subject to the right to erasure. Most data that we process as a school uses these legal bases and therefore we cannot erase that data until such time as those legal bases no longer apply. This is laid out in our retention schedule which follows the Information & Records Management Society (IRMS) Toolkit for Academies which can be found here: IRMS Academies Toolkit – Information and Records Management Society.
As stated in this document, data that forms part of the pupil's Educational Record or 'Pupil File' will be passed on to the Local Authority who will retain it for the statutory period or until the child transfers to another school at which point the file will be transferred to that establishment. Other data that does not form part of the pupil file such as attendance registers and records relating to school trips that contain your child's data, will be retained until the end of the statutory period at which point they will be securely disposed of.
Any data that the school no longer has a duty to retain (it is no longer necessary for the purpose for which it was originally collected/processed) or was processed under the legal basis of Article 6(1)(a) 'consent' (if you are confirming that consent has been withdrawn) will be erased securely and appropriately by the deadline of the xxxxxx.
If you have any concerns or questions about how your data is being processed with regards to this request, you may contact our DPO at GDPR@schoolpro.uk or the ICO directly at Home | ICO, using their chat service Live chat | ICO, on 0303 123 1113, or by post at Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF."
Can we publish historical photos from our school in a closed social media group or on our website?
Answered March '21.
We spoke to the ICO about this as one of our schools was looking to use historical photos as part of a large anniversary celebration. The first thing the ICO said was that if photos are used in a closed group (such as a Facebook group where members have to be admitted by an administrator) it poses a low risk to individuals and therefore can be done. The legislation is not too specific around old photos, especially if they have been taken in public places where less privacy is to be expected. It is more complicated using current pupils' photos and you will need to assess the risk and review consents if photos are published. The risk with historic photos is probably low and there is an exemption in DPA 2018 about use of data in closed groups. The ICO also said that when using photos in a closed group, "we would not expect that you would be seeking consent of those individuals in the photo."
But what about on a public website? The ICO would not consider it to be a data breach if it is used for school purposes, the photos are taken in a public space, and it is low risk to the individuals. If you can say "yes" to all of those points, you should be able to publish. If you receive objections to publishing, you should consider the request.
So taking those points onboard, it may be that not every image shared on a closed group is appropriate to go into a public, historical gallery. For example, the behaviour of the pupils in the photo may be embarrassing and therefore not "low risk" or it could be a photo from a school residential in a dorm room that wouldn't be considered a public space.
Equally, for any photos that are recent and for which you may still have photo consents, you should consider the photo consent. So, if you have consents going back 10 years, it would be appropriate to apply those same consents to photos of those children even if they left the school nearly 10 years ago (unless they have specifically said they are happy to have the photo shared).
It would also be worth having a statement on your public gallery that says that images are either from the school's historical archive or have been shared by former pupils and staff, and that they are deemed appropriate to share as part of any specific event or historical celebration. It should also say that anyone with a specific objection to any of the photos should contact the school and request removal.
There is more useful information on schools and photos in this blog post published by the ICO:
Blog: Don't get caught out when it comes to pupil photos | ICO
If a SAR request asks for emails, do we have to provide every email that an individual's name appears in?
Answered September '21.
This is a common misconception and the answer, in short, is "no"! A subject access request is about data subjects exercising their right of access. The right of access does involve producing a copy of the individual's personal data but that doesn't mean giving them copies of their name every time it appears in your data systems for example. To explain:
You don't have to necessarily print out or electronically provide every single email that an individual's name has appeared in. It is only emails that are ABOUT them which isn't necessarily the same thing. Here is the ICO's guidance about emails – How do we find and retrieve the relevant information? | ICO
A couple of key points:
- It can sometimes be difficult to determine whether an email contains an individual's personal data. This depends on the contents of the email, the context of the information it contains, and what it is being used for. Ultimately it is for you as the data controller to determine whether any of the information in the email is the individual's personal data.
- The right of access only applies to the individual's personal data contained in the email. This means you may need to disclose some or all of the email to comply with the SAR.
- Just because the individual receives the email, does not mean that the whole content of the email is their personal data. Again, the context of the information and what it is being used for is key to deciding this. However, their name and e-mail address is their personal data and you should disclose this information to them.
The ICO includes this example in their guidance:
So, if you search your email system and find thousands of emails with the individual's name/email address in, you could separate out into different categories:
- Emails that they have sent – in theory, they could simply have these as they are as they would have written them in the first place. You may decide to redact however if the information they sent in those emails is now information you don't think they should have access to for whatever reason. Or you could just say that you have x number of emails written by them in your system and can provide if requested. They may not really be interested in these but more the emails ABOUT them.
- Emails in which they are a recipient – if they are a recipient of 1000s of emails but aren't actually the content of the email (i.e. the emails are sent out to all staff/pupils or to groups of staff/pupils), you wouldn't have to hand these all over. Much like in the example above, you could simply identify the number of them and say, we hold x thousand emails with your name as the recipient but which aren't about you. You then don't have to go through all of those.
- The final category is emails in which they actually are the subject of the email. These are the emails which are actually ABOUT them and should be a much smaller subset of the emails. They should be provided with copies of these with any redactions applied as appropriate.
Doing it this way should speed up the process and reduce the need to go through every email as well as the need to provide copies of every single email.
Remember, if in doubt, speak to your DPO and they can advise.
Are there any conditions under which we can legitimately extend the deadline for a Subject Access Request?
Answered November '21.
The short answer is that yes, you can. You can extend the time to respond by a further two months giving you a total of 3 months to respond to the request. There are a number of conditions for this but the one that is most likely to be relevant for you is if the request is "complex".
You should calculate the extension as three months from the original start date, ie the day you receive the request, fee or other requested information.
If you decide that it is necessary to extend the time limit by two months, you must let the individual know within one month of receiving their request and explain why. It is important to note that you don't have to ask them if you can extend it, the decision is yours to make as the data controller. However, an open dialogue with the data subject about this will help the process go smoothly and hopefully keep the situation from ending in animosity or a formal complaint. It also may be appropriate to provide some of the data by the initial deadline with the more complex data to come later.
Here is further information about complex requests taken from the ICO guidance:
When can we refuse to comply with a request? | ICO
When is a request complex?
Whether a request is complex depends upon the specific circumstances of each case. What may be complex for one controller may not be for another – the size and resources of an organisation are likely to be relevant factors. Therefore, you need to take into account your specific circumstances and the particular request when determining whether the request is complex.
The following are examples of factors that may, in some circumstances, add to the complexity of a request. However, you need to be able to demonstrate why the request is complex in the particular circumstances.
- Applying an exemption that involves large volumes of particularly sensitive information.
- Clarifying potential confidentiality issues around the disclosure of sensitive medical information to an authorised third party.
- Searching large volumes of unstructured manual records (only applicable to public authorities).
It is important to be realistic in your judgement of the request as "complex". Just because a request involves a large quantity of data, that doesn't mean it is necessarily "complex" and justifies an extension. Remember, if in doubt, come and speak to us as your DPO and we can advise.
What are the common exemptions that may apply in the case of a Subject Access Request?
Answered November '21.
When preparing data for a Subject Access Request, it is important to remember that there are a number of exemptions that could apply to the data. This list is by no means exhaustive but it includes the exemptions we think are most likely to apply to data requested of a school. Any, all, or none of these exemptions may apply to your data when requested and, if you are unsure, please speak to us as DPO:
- Information about others. There is an exemption in the DPA 2018 that says the school does not have to comply with a SAR, if doing so means disclosing information which identifies another individual, except where the other individual has consented to the disclosure, or it is reasonable to comply with the request without that individual's consent. For example, information about witnesses to an incident would apply here.
- Confidentiality. A duty of confidence arises where an individual discloses genuinely "confidential" information (ie information that is not generally available to the public) to the school, with the expectation that it remains confidential. This tends to apply in specific situations such as during a counselling session, medical appointment or similar. The SAR guidance and DPA 2018 do provide examples but the list is not exhaustive. As data controller, you can decide if you think there is an expectation around the confidentiality of data.
- Crime and taxation: general. Personal data processed for crime purposes is exempt from the right of access. These purposes are the prevention or detection of crime, or the apprehension or prosecution of offenders. This exemption applies only to the extent that complying with a SAR is likely to prejudice one of these crime purposes. Unlikely in the case of most education establishments but is possible.
- Child abuse data. Child abuse data is personal data consisting of information about whether the data subject is or has been the subject of, or may be at risk of, child abuse. This includes physical injury (other than accidental injury) to, and physical and emotional neglect, ill-treatment and sexual abuse of, an individual aged under 18.
- Education data – processed by a court. This exemption can apply to education data (personal data in an educational record) processed by a court which is relevant in this case. The exemption applies if the education data is supplied in a report or evidence given to the court in the course of proceedings; and those proceedings are subject to certain specific statutory rules that allow the education data to be withheld from the individual it relates to.
- Education data – serious harm. This exemption applies to the extent that complying with the right of access would be likely to cause serious harm to the physical or mental health of any individual. The key phrase here is "any individual". So if you think there is a risk of harm to "any individual" in releasing certain data, this data becomes exempt. That could be a risk to the requester themselves or anyone else mentioned (or not) in the data. Or any other individual linked to the data.
- Confidential References. This exemption applies to personal data consisting of a reference given (or to be given) in confidence for the purposes of education, training, or employment of the data subject; the placement of the data subject as a volunteer; the appointment of the data subject to any office; or the provision by the data subject of any service. This also applies to the "prospective" enactment of any of these options.
- Exam scripts and exam marks. Personal data consisting of information recorded by candidates during an exam is also exempt, as well as data consisting of marks or other information processed for the purposes of determining the results of an exam or in consequence of the determination of the results of the exam. There is more detail to this within the DPA 2018 which also explains time limits for providing certain types of data relating to exams so, if exam data is included in a request, we recommend reading that (link below) or speaking to us directly.
So any data that falls under one of those exemptions would be redacted and not included. You should always record what exemptions you are relying on for each piece of data and why. You should also explain to the data subject which exemptions you have applied and why. However, it may be that giving that information prejudices the use of the exemption so there are some instances where you may have to tell the data subject that you can't tell them exactly what has been redacted, why, and under which exemption. You also have to be able to defend your decision if they challenge it and/or complain to the ICO.
Remember, our role is to help you apply the legislation correctly and we will provide you with advice and guidance as to how to do that. Please ask!
Do staff using Face ID to authenticate on iPads mean that the school is processing biometric data?
Answered December '21.
If schools are processing biometric data then they should state this in their Data Protection Policy and it is also a statutory requirement set by the DfE to have a Biometric Data Policy if you are processing the biometric data of children. So could you be processing biometric data without realising it?
We spoke to the ICO about this and formulated three scenarios:
Scenario 1 – a staff member is using their own iPad and securing it with Face ID or a fingerprint. In this case, the school is not controller for this data so is not processing biometric data. This would also apply if pupils are using their own devices and using Face ID/fingerprints.
Scenario 2 – the school owns iPads and issues them to staff. Staff use Face ID or fingerprints to secure these devices. The ICO would consider the school to be the controller for this biometric data. This is despite the fact that the school does not have access to the biometric data stored in the vault on the iPad (and neither does Apple). A DPIA would be required and the biometric data section of the Data Protection Policy would need to be amended to consider that the school IS processing biometric data. A biometric policy would not be required as that is only for children's biometric data but would be required if pupils were securing school devices with Face ID or fingerprints.
Scenario 3 – The school outsources their IT Support to another company and that company owns the devices. The school then issues them to the staff to use. As far as the ICO is concerned, there is a bit of a grey area as to who is the controller here (school or IT company) but they recommend that this is contractually agreed before implementing the devices. Based on the outcome of that agreement, the school may then be considered to be processing biometric data and require the relevant paperwork.
So… are you processing biometric data?
Does our school need a European or EU Representative?
Answered January '22.
It has now been a little over a year since Brexit and there are still a few changes to data protection legislation as a result that are being fully understood.
If you are an organisation (in your case, a school, college or other education establishment) in the UK that processes personal data of individuals within the EEA to offer them goods or services, or to monitor their behaviour, you will need to comply with the EU data protection regime alongside the UK regime. It is likely that you will need to appoint a representative in the EEA.
If your education establishment is a public authority, you don't need to appoint a European representative and you can skip onto the next article in this newsletter.
But if your education establishment is a private organisation such as an independent school (a private school), you may well need to appoint a European representative. Unfortunately, you aren't exempt from this because you are performing the task of a public authority. If that applies to you, read on.
So, when might you be processing the personal data of individuals within the EEA to offer them goods or services, or to monitor their behaviour?
If you have students that come from the EU (i.e. are normally resident in an EU/EEA country) then you would be considered to be offering goods and services to them and so you would need to appoint an EU representative. This is especially true if you are targeting families in the EU/EEA by marketing the school to them, for example.
As the DPO for you, we couldn't be your EU representative even if a part of our establishment was in the EU. Your DPO and EU representative shouldn't be the same person or organisation. If you have an establishment within the EU (for example, you have staff working remotely who are based in the EU), you wouldn't need an EU representative as they can do that on your behalf. If you don't, your representative may be an individual, or a company or organisation established in the EEA, and must be able to represent you regarding your obligations under the EU GDPR (e.g. a law firm, consultancy or private company). In practice the easiest way to appoint a representative may be under a simple service contract.
Please see the ICO guidance on European representatives: European representatives | ICO and speak to us directly if you feel this might apply to you and you need further support.
Do staff working remotely abroad require international transfers of data and relevant safeguards being implemented?
Answered November '21
The full question asked here was as follows – If we have a member of staff who is having to quarantine for a couple of weeks in another country (one outside the EU/EEA and that doesn't have an adequacy decision), what are the GDPR implications if they are going to work remotely from that country during their quarantine? Does this constitute an international transfer?
In this case, the member of staff was having to stay overseas due to Covid restrictions and therefore work remotely until they could return to the UK. This could also apply if you had staff working remotely from countries outside the UK and that don't have adequacy agreements in place. The ICO provided the following advice:
This wouldn't class as an international transfer, because the receiver of the personal data wouldn't be legally distinct from the sender, i.e. the person accessing the data is a member of staff rather than a separate entity. Accessing data in a third country would class as a transfer if the scenario did involve two separate legal persons. [However, in this instance,] you don't need to consider it as an international transfer (implement an appropriate safeguard etc.) but you do need to apply appropriate security measures.
We've been asked for CCTV footage by a member of the public of an incident in our car park. They want it for insurance purposes. Should we share this footage?
Answered May '22.
The Surveillance Camera Code of Practice states the following:
7.2 There may be other limited occasions when disclosure of images to another third party, such as a person whose property has been damaged, may be appropriate. Such requests for images or information should be approached with care and in accordance with the data protection legislation, as a wide disclosure may be an unfair intrusion into the privacy of the individuals concerned.
7.3 A system operator should have clear policies and guidelines in place to deal with any requests that are received. In particular:
- Arrangements should be in place to restrict disclosure of images in a way consistent with the purpose for establishing the system.
- Where images are disclosed, consideration should be given to whether images that may identify individuals need to be obscured to prevent unwarranted identification.
- Those that may handle requests for disclosure should have clear guidance on the circumstances in which disclosure is appropriate.
- The method of disclosing images should be secure to ensure they are only seen by the intended recipient.
- Appropriate records should be maintained.
7.4 Judgements about disclosure should be made by a system operator. They have discretion to refuse any request for information unless there is an overriding legal obligation such as a court order or information access rights. Once they have disclosed an image to another body, such as the police, then the recipient becomes responsible for their copy of that image.
We've highlighted some of the key points in bold. It is down to the school to decide if it is appropriate and you will need to demonstrate you have guidance on this (which should be in your CCTV Policy) and a way of recording requests. We have a CCTV Request Log template in Global Documents on the portal that could be used for this, or it could be logged as a Data Decision.
Other legislation to consider is the UK GDPR and DPA 2018. This is technically a SAR although you are disclosing a third party's data. This guidance is the most relevant – What should we do if the request involves information about other individuals? | ICO. The guidance states that you can release data about a third party without their consent if you feel it is reasonable to comply with the request without that individual's consent. Step Three of the guidance on 'information about others' shows the considerations that the school should take about releasing this information. As long as you are making the considerations as seen in the guidance, taking into consideration that context, then you will not go too far wrong.
You could also consider limiting the amount of information too – perhaps if you are able to extract and release stills of the footage rather than the footage itself, or even just the details of the car/driver – this may assist with this decision.
We spoke to the ICO about this specific situation and they said:
These decisions can be tricky to make, but with the use of the guidance and your knowledge of the context of the situation, you should be able to justify either holding the information back, or releasing it. In either case you will be balancing up the information rights of all parties involved.
So, in summary, the key actions will be:
- Ensure that the CCTV Policy is in place and contains the correct information (as well as ensuring there was appropriate signage at/near the location)
- Decide based on the above whether it is appropriate to release the data
- Record that decision making process
- Record that the data has been shared (appropriately securely).
How can we reduce the risk of staff sending out 'blank forms' to recipients with another data subject's data in them?
- Train staff to copy master documents prior to filling them in (rather than filling in the master document and then using 'Save As') so the original master is not completed and potentially saved over by mistake.
- Make the master document a 'template document' so that it can't be saved over but has to be saved as a separate file.
- Make the master document a 'read-only document' so that it also can't be saved over but has to be saved as a separate file.
- Keep master documents in a separate folder to completed documents. Combine this practice with the first bullet point so the document has to be copied into the 'completed document' location prior to filling in.
Are OneNote files subject to SAR / FOI requests if they are being used as an individual's notebook or jotter?
Answered January '23
Depending on the data being recorded in the OneNote files, yes, these would be subject to a SAR or FOI request. With some caveats of course!
You could probably argue that these files would sit in the same territory as physical notebooks or jotters which are classed as 'unstructured manual records' – as they are simply digital versions of the same thing. 'Unstructured manual records' are basically "non-automated information which is not, or you do not intend to be, part of a 'filing system'."
Are there any special cases? | ICO
Essentially, you may have to search these notes if a request comes in. Having them in OneNote makes them a lot easier to search than if they are in actual notebooks or random unfiled sheets of paper. However, as the guidance states, you do not have to provide this data if:
- "the request does not contain a description of the unstructured data; or
- …[you] estimate that the cost of complying with the request would exceed the appropriate maximum."
The appropriate maximum for a school (or trust) would be £450 – mostly based on staff time to search through the records, retrieve the information, redact and collate.
The first bullet point mentions requests that don't contain a description of the unstructured data – it is important to note that some requests do specify notes or similar records, so it is worth bearing that in mind when reading a request. This is done to ensure that these sorts of data are included in the request.
The guidance also makes it clear that for an FOI Public Authority (which state schools and MATs are) the records don't have to be provided if they are about the following:
- Appointments;
- Removals;
- Pay;
- Discipline;
- Superannuation; or
- Other personal matters in service to the school.
That would mostly relate to notes about staff / HR / personnel rather than those about students of course.
Can we give staff access to the systems before they start at the school so that they can prepare/plan for the start of the academic year?
Answered August '23.
A good question and one that we do get quite a lot. Ultimately, it will come down to the school's own policies and procedures. And we would also recommend that the school liaises with HR and IT Support as well.
Many schools will allow some form of access and give email accounts from a point after staff have signed contracts – so not from the start date of the contract necessarily but from the point at which they have signed the contract.
Once an employee has signed their contract, there are likely to be some legal obligations in place, even if their official start date has not yet arrived. These obligations could include confidentiality clauses, for instance. However, these obligations and the timeline they cover can vary greatly, and we would expect that they should be explicitly stated in the contract. Again, this is why we would recommend checking with HR.
Do we have to provide original (or copies of original) documents to a data subject as part of a subject access request or could we summarise data in a new document for the request?
Answered October '23.
The short answer is that no, you do not have to provide original (or even direct copies of original) documents as part of a subject access request.
Under the UK GDPR, an individual is entitled to their personal data only. That doesn't necessarily include all documents that their name or staff/student code appear on (many will not be their personal data) and it is also not the case that the school has to produce original documents that contain their personal data. The ICO's guidance states "The right of access enables individuals to obtain their personal data rather than giving them a right to see copies of documents containing their personal data" – How should we supply information to the requester? | ICO
This does mean that, where appropriate, you could retrieve data from a system and copy it into a summary document in order to provide it to the data subject. That said, it is often still appropriate to give copies of original documents (with relevant redactions applied) to a data subject, but it isn't essential.
Can we send home flyers for third-party organisations either by email or post?
Answer revised and updated February '24.
Postal Leaflets in School Bags:
The process for sending postal leaflets via school bags is not subject to the privacy and electronic communications regulations (PECR) which means consent is not required. The school can rely on a Legitimate Interests lawful basis and perform a Legitimate Interests Assessment (LIA) for the overall practice of sending out these mailings. It is crucial that parents are informed about this process and have the clear option to opt-out. The school needs to ensure that parents are aware of their rights and the school's processing activities through clear communication, such as a statement in a parent newsletter. This approach negates the need for separate LIAs for each third-party organisation's materials being sent out.
In order to notify parents about this processing, the school could add the following into a parent newsletter (or similar) – words to the effect of:
"we will occasionally send home flyers from trusted third parties such as the local authority in pupil bags. This is to make you aware of events, activities, services and products that we think may be of interest to you or your family. Please let us know if you object to this and we will ensure that you don't receive this information."
Electronic Communication (Email):
There are two distinct categories regarding electronic communication:
Direct Marketing Messages:
These include communications where a paid service is being offered, or there is fundraising or similar activities involved. Examples include services like school photography or extracurricular activities run by external companies that require payment. These types of messages require prior opt-in consent from the recipients, and it must be straightforward for them to withdraw consent at any time. It is important to ensure that this consent is specific, informed, and unambiguous. The school should not use opt-out forms for these types of communications; instead, an explicit opt-in mechanism should be in place.
Promotional Messages Not Classified as Direct Marketing:
This category includes communications that can be considered part of the school's or trust's legal function as a public body and do not have a paid-for element. Examples might include free educational opportunities from the local library or informational leaflets from the NHS. These messages do not require prior consent but fall under the 'public task' legal basis. While upfront consent is not needed, parents should still be informed about these communications and have the ability to object to receiving them, akin to the opt-out process in legitimate interests. Similar notification to that quoted above for the school bag method could be used to ensure transparency.
In Summary:
For non-commercial promotional messages sent by electronic media, and leaflets (commercial or otherwise) in school bags, consent is not required upfront, but there should be an option for parents to opt-out or object. Schools must inform individuals about this processing beforehand, maintaining transparency and adhering to data protection principles.
For commercial promotional messages sent by electronic media, including paid-for services or fundraising, schools must obtain clear, opt-in consent from parents before sending these communications.
By distinguishing between these types of communications and applying the correct legal basis for each, schools can ensure compliance with data protection regulations while keeping parents informed about relevant services and opportunities.
As well as the answers to those questions, here are links to our other advice and guidance pages that we feature in our blog:
Guidance on Handling Freedom of Information Requests
In our updated guide, we delve into the nuances of handling Freedom of Information (FOI) requests. We cover the latest on what constitutes a valid FOI request, emphasise the importance of cybersecurity when responding to requests, and also share best practice for schools to manage FOI requests effectively, ensuring compliance while safeguarding data. Read now!
ICO Response to the DPDI (No 2) Bill – December '23
The Information Commissioner's Office (ICO) issued a further response to the Data Protection and Digital Information (No 2) Bill which was reintroduced on 8 March 2023 and has now been through the House of Commons Committee Stage. We have created a summary of the key points. Read now!
Reducing Your Risk: Practical Advice on Cyber Threats and Responding to Cyber Incidents #CyberMonth2023
Practical advice on cyber threats and responding to cyber incidents from SchoolPro TLC. Spend a few minutes looking at the possible consequences of a cyber attack, how to respond if you have been affected, and some strategies for minimising the risk. Read here!
Important Guidance on Handling FOI Requests from Suspended Accounts on "WhatDoTheyKnow"
Learn how to handle Freedom of Information (FOI) requests from suspended accounts on 'WhatDoTheyKnow.' Understand the legal grounds for refusal and get a template response for schools and Trusts. Stay compliant and informed with our latest guidance. Read here!
Protecting Data: Double-Check Recipient Emails
In our digital age, email remains a primary means of communication. However, with the convenience of email comes the responsibility to ensure that sensitive information is shared securely and confidentially. Read our guidance on protecting data when communicating by email here!
Do I Need to Give References in a Subject Access Request?
Did you know that confidential references are exempt from subject access requests under the Data Protection Act 2018? To maintain privacy and trust, make sure to clearly state that all references will be treated as confidential. For example, modify your request to say, "Please provide details of two referees. All references will be treated as confidential." Read more here!
WhatsApp in Schools: A Guide to Safe and Compliant Use
In an era of digital communication, schools must prioritize data protection. Drawing lessons from the recent ICO reprimand to NHS Lanarkshire for their unauthorised use of WhatsApp, this article delves into the significance of establishing clear communication protocols. Discover the potential pitfalls of popular messaging apps and understand the essential steps schools should take to safeguard sensitive data and maintain trust within their communities. Read more here!
Lessons from a Data Breach: Guidance for Schools, Colleges & MATs
SchoolPro TLC explore key lessons from a recent ICO reprimand following a data breach in a UK primary school. Understand how to enhance your school's data protection strategies with our actionable checklist, ensuring robust security for sensitive information and compliance with UK GDPR. Read now!
Taking Subject Access Requests Seriously
SchoolPro TLC's outline of the Information Commissioner's Office's (ICO's) recent blog post on handling Subject Access Requests (SARs) for UK schools, colleges and MATs. Learn about the importance of timely responses, the risk of non-compliance, and how this affects schools. Stay informed about data protection responsibilities, common misunderstandings around SARs, and the implications of failing to comply, based on the latest report and enforcement actions by the ICO. Read now!
ICO Response to the DPDI (No 2) Bill – May '23
The Information Commissioner's Office (ICO) issued a response to the Data Protection and Digital Information (No 2) Bill which was reintroduced on 8 March 2023. We have created a summary of the key points. Read now!
Strikes, Union Membership & Data Protection
Wednesday 1st February saw the first teachers' strike in many years. With future dates for strike action to take place already published, we wanted to provide you with clarity over a data protection question which has cropped up with regard to the union membership of striking staff and the way schools communicate closures and partial closures for strike days. Read now!
KCSIE '22 - Guidance for Online Checks of Job Applicants
SchoolPro TLC's data protection guidance regarding the requirement to perform online checks on shortlisted job applicants as per Keeping Children Safe in Education 2022. Read now!
Subject Access Requests - Our Guidance for Schools, Colleges & Trusts
Subject access request guidance for schools, colleges and MATs. Frequently asked data protection questions about SARs answered here. Read on...
Christmas Shows & Nativities - Remote Events Code of Conduct and Consents
Code of conduct and consents for remote events including Christmas shows and nativities. Read our guidance and download resources here!
Keeping Your DPO Involved
In order to maintain ongoing compliance with Data Protection legislation, it is important that your Data Protection Officer (DPO) is fully aware of and involved in any changes within your school, college or Trust that could impact the data protection function of the organisation. Read on as we explain one example of where this is really important.
Data Protection Impact Assessments - What are they and why are they important?
What are Data Protection Assessments and why are they important? A DPIA is a process to help you identify and minimise the data protection…
Dealing with freedom of information requests in school
If you are dealing with freedom of information requests in school, read our blog for more information on subject access requests and school responsibilities.
If you have any other questions about this or any other data protection topic, please contact us at DPO@schoolpro.uk.
Stay safe and healthy,
The SchoolPro TLC Team
SchoolPro TLC Ltd (2024)
SchoolPro TLC guidance does not constitute legal advice.
SchoolPro TLC is not responsible for the content of external websites.