We have a bumper issue this month with a lot to get through so we thought it best to get straight to business!

The main update this month is regarding the ICO’s new Accountability Framework and our plans for an auditable action plan document based on this. There is also:

  • a reminder to ensure that you are correctly processing NHS Test and Trace data and being fully transparent with all stakeholders about that;
  • an update from the National Cyber Security Council on minimising cyber threats in education;
  • a review of our guidance on dealing with Freedom of Information requests,
  • a last chance to book onto our remote learning online discussion forum tomorrow; and
  • a selection of previously asked questions about retaining photos for historical record, and sharing information with the police.

If you have any further questions about the topics below, or if you would like to book your next visit from us, either online using video conferencing or onsite once schools are accepting visitors, please get in touch via GDPR@schoolpro.uk.

Stay safe and healthy!

New Accountability Framework from the ICO

The ICO has recently released a new accountability framework designed to help organisations assess their accountability. This is a key element of data protection work and shows that data protection is not a one-off activity but an ongoing process for organisations. The accountability framework focuses on 10 key areas:

  1. Leadership and oversight
  2. Policies and procedures
  3. Training and awareness
  4. Individuals’ rights
  5. Transparency
  6. Records of processing and lawful basis
  7. Contracts and data sharing
  8. Risks and data protection impact assessments (DPIAs)
  9. Records management and security
  10. Breach response and monitoring

The ICO suggests that the framework could be used for a number of things such as:

  • creating a comprehensive privacy management programme;
  • checking your existing practices against the ICO’s expectations;
  • considering whether you could improve existing practices, perhaps in specific areas;
  • understanding ways to demonstrate compliance;
  • recording, tracking and reporting on progress; or
  • increasing senior management engagement and privacy awareness across your organisation.

We are in the process of using this new framework to create an auditable Data Protection Toolkit or Action Plan for schools. This document will contain key actions, success criteria and other features that will be very similar to a School Development Plan but for Data Protection. A Data Protection Development Plan or DPDP!

NHS Test & Trace – Minimising Privacy Concerns

The NHS Test and Trace system has not been without controversy including the newly launched app. We will reiterate again that you MUST have something in place that gives your pupils, parents, staff, governors, visitors and any other school stakeholders transparency about what data you will collect or use for this system, how it will be used, who it will be shared with, and the legal basis for this sharing. Our NHS Test and Trace addendum is designed to do just that so please ensure that you are using it within your organisation.

The ICO has also reiterated the importance of getting it right with this data and “protecting customer and visitor details”. Their guidance can be found here and can be summarised by the following 5 points:

  1. Ask for only what’s needed – only ask for what is requested in the government guidance such as name, contact details and time of arrival.
  2. Be transparent with customers – be very clear with people as to what you are collecting, why, and what you’ll do with it. If you are going to use existing data such as data for pupils or staff, you should make it clear that this data may also now be used for contact tracing. Our NHS Test and Trace Privacy Notice addendum covers this.
  3. Carefully store the data – whether you are keeping the data on paper or electronically, it must be kept secure. Our Health and Medical Data DPIA covers this.
  4. Don’t use it for other purposes – if it is data collected purely for Test and Trace, you cannot use it for any other purpose.
  5. Erase it in line with government guidance – do not keep the data for any longer than guidelines specify and ensure it is disposed of securely.

Cyber Threats – Minimising Your Risk

The National Cyber Security Council (NCSC) has issued an alert to the academic sector following a spate of online attacks against UK schools, colleges and universities. This has been supported by a guidance document that gives practical cyber security tips for everyone working in education. The document can be downloaded by clicking on the image below:

The NCSC explains that schools are vulnerable to cyber attacks because:

  • many cyber incidents are untargeted;
  • schools hold plenty of sensitive information; and
  • cyber criminals want to make money.

The document goes on to highlight ways in which schools can best protect themselves from these attacks such as:

  • using powerful passwords;
  • staying alert for phishing attacks;
  • managing the use of USBs or pen drives (either by banning them completely or having strict protocols in place for their use);
  • staying secure when working from home;
  • keeping devices and software updated;
  • locking your devices when unattended;
  • only downloading official versions of apps from trusted sources; and
  • not sharing accounts with other people.

Dealing with Freedom of Information Requests

Back in February we wrote about dealing with Freedom of Information requests. There are a few doing the rounds at the moment so we thought that we would repeat some of the information again here:

Ideally, you should have a Freedom of Information Policy for your school – there is a template for this on the portal – and this contains a lot of information about how you will respond to requests, what exemptions may apply and when you may charge a fee, among other things.

As public bodies, state schools are obliged, under the Freedom of Information (FOI) Act 2000, to publish certain information about their activities and produce information requested by members of the public. The principles of the FOI Act are:

  • that everybody has a right to access official information;
  • disclosure of information should be the default;
  • requesters do not have to give a reason for wanting the information;
  • all requests should be treated equally;
  • information should only be disclosed if it is information that would be given to anyone (or the world at large).

The FOI Act covers recorded information that is held by the school including printed documents, computer files, letters, emails, photographs, and sound or video recordings. This means that schools do not need to provide information they do not collect and hold as part of their regular routines. So, if the information is just in someone’s head and is not recorded, this is not subject to a Freedom of Information Request. As the guidance on the ICO website states, “You do not have to create new information or find the answer to a question from staff who may happen to know it.”

This is just the first part of our guidance – the rest can be found in a previous blog post here or can be downloaded as a pdf from the portal or from this link.

If you have any questions about this, please contact us and we can help!

Previously Asked Questions

We are asked data protection questions by schools on a daily basis and there are some questions that come up regularly. We are looking at how we can create a FAQs section either on the website or in the portal for these. In the meantime, here are a couple of the questions we’ve been asked recently and the answers we have provided. We will publish more in future newsletters:

Can we retain photos of pupils as part of our school's historical record?

You are indeed able to store the photos as an historical record. There is an exemption in the Data Protection Act (2018) which applies to “Archiving in the Public Interest” which this comes under. (Schedule 2, Part 6, Paragraph 28 of the DPA 2018)

The best way to address this is to ensure that your retention policy states that photos will be kept for the purposes of archiving in the public interest and creating an historical record. It may also be worthwhile adding that statement to your photo consents going forward so that parents/pupils are aware in advance. Technically, you don’t have to get consent for this (that’s what the exemption means) but you might want to let people know that photos will be archived in this way. You don’t have to though!

Within the exemption itself, it states that it is available only where personal data is processed in accordance with Article 89(1) of the GDPR. This is essentially stating that the processing must be subject to appropriate safeguards for individuals’ rights and freedoms – among other things, you must implement data minimisation measures. 

You must ensure the personal data you are processing is:

  • adequate – sufficient to properly fulfil your stated purpose;
  • relevant – has a rational link to that purpose; and
  • limited to what is necessary – you do not hold more than you need for that purpose.

And it is important to ensure that they are kept securely as well of course, as that would also constitute an appropriate safeguard for individuals’ rights and freedoms!

Can we share data with the police if they request it?

Essentially, the ICO has been keen to stress that data protection should not be a barrier to sharing data with the police where it is necessary. They have written a blog post clarifying this which can be found here.

The key message is that the GDPR and DPA 2018 do not prevent data sharing but it must be done appropriately. To quote:

Organisations should remain confident that when asked for personal data to assist the police whether in an emergency, or in their ongoing community policing activities, necessary, relevant and proportionate data can be disclosed in compliance with the law.

Depending on the detail in the data request, it would be worth clarifying that with them to make you able to appropriately assess whether the information you are disclosing is necessary, relevant and proportionate. This links to the following quote:

In particular it is in the DPA2018 where organisations will find the rules surrounding the processing of data for law enforcement purposes. In addition, Part 3 of the Act specifically applies to organisations defined as ‘competent authorities’ – such as police forces, criminal courts and prisons.
Requests for information made by competent authorities must be reasonable in the context of their law enforcement purpose, and the necessity for the request should be clearly explained to the organisation.

They give an example which we think is relevant:

…take the example of a social worker, who is asked to pass on case files to police containing details of young teenagers. … the social worker might feel reluctant to voluntarily disclose information to the police if the request appears excessive, or the necessity or urgency appears unjustified. So the onus is on the police to provide as much clarity as they can without prejudicing their investigation.”

We recommend:

  • confirming the authenticity of the request,
  • clarifying the request to allow you to make the judgement as to whether the information you are sharing is necessary, relevant and proportionate, and
  • recording this in full as a data decision on our portal.
Data Protection in the News

Apps for children must offer privacy by default – BBC

Nearly 500,000 Scots removed from police database – BBC

Free VPNs are a privacy nightmare. You shouldn’t download them – Wired

Private data gone public: Razer leaks 100,000+ gamers’ personal info – ArsTechnica

Zhenhua Data leak: personal details of millions around world gathered by China tech company – The Guardian

Phishers are targeting employees with fake GDPR compliance reminders – Help Net Security

Data breach following cyber attack prompts legal action against University of Surrey – Surrey Live

Cybersecurity lessons learned from data breaches and brand trust matters – Help Net Security

Covid: Worker fired for misusing test-and-trace details – BBC

Pension scheme cold caller fined £130,000 by UK data watchdog – The Register

GCHQ agency ‘strongly urges’ Brit universities, colleges to protect themselves after spike in ransomware infections – The Register

UK Parliament’s human rights committee pushes for better protections of coronavirus contact-tracing data in law – The Register

​Please contact us if you do have further questions at GDPR@schoolpro.uk.


SchoolPro TLC Ltd (2020)
SchoolPro TLC is not responsible for the content of external websites.