We are asked data protection questions by schools on a daily basis and there are some questions that come up regularly. Here is a collection of those questions answered for you and we’ll keep adding to them over the coming months:
Are emails encrypted in Microsoft 365?
Answered July ’20.
A number of schools have asked about this in order to ensure that their emails are secure when sending personal information. The guidance from Microsoft states the following:
Outlook for Microsoft 365 – When you need to protect the privacy of an email message, encrypt it. Encrypting an email message in Outlook means it’s converted from readable plain text into scrambled cipher text. Only the recipient who has the private key that matches the public key used to encrypt the message can decipher the message for reading. Any recipient without the corresponding private key, however, sees indecipherable text. Outlook supports two encryption options:
- S/MIME encryption – To use S/MIME encryption, the sender and recipient must have a mail application that supports the S/MIME standard. Outlook supports the S/MIME standard
- Microsoft 365 Message Encryption (Information Rights Management) – To use Microsoft 365 Message Encryption, the sender must have Microsoft 365 Message Encryption, which is included in the Office 365 Enterprise E3 license.
So unless you know the recipient uses Microsoft 365, we recommend that you still use a secure email tool like Egress. And speak to your organisation’s IT Support if you are unsure!
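As an added example (not from the original answer or from Microsoft's guidance), these are the Exchange Online PowerShell steps a school's IT support could use to confirm that Microsoft 365 Message Encryption is actually available in the tenant, test it for a real sender/recipient pair, and apply it automatically to outbound mail rather than relying on staff to remember; the account addresses, rule name and subject tag are assumed placeholders.

```powershell
# Added example, not from the original page. Requires the ExchangeOnlineManagement module
# and an Exchange administrator account; addresses, rule name and tag are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@school.example   # placeholder admin account

# 1. Is Microsoft 365 Message Encryption (built on Azure Rights Management) switched on?
#    If the tenant lacks the licence the Encrypt option in Outlook silently does nothing useful.
$irm = Get-IRMConfiguration
$irm | Select-Object AzureRMSLicensingEnabled, InternalLicensingEnabled, ExternalLicensingEnabled
if (-not $irm.AzureRMSLicensingEnabled) {
    Write-Warning "Message Encryption is not enabled: check licensing before telling staff to use it."
}

# 2. End-to-end test for a real pair: an office mailbox sending to an external (non-M365) parent.
#    A failing result means staff cannot rely on the Encrypt button for that recipient.
Test-IRMConfiguration -Sender office@school.example -Recipient parent@example.com

# 3. Enforce rather than hope: a mail flow rule that applies the built-in 'Encrypt' template
#    whenever a sender puts [SECURE] in the subject and the mail leaves the organisation.
$ruleName = "Encrypt outgoing mail tagged [SECURE]"
if (-not (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $ruleName `
        -SubjectContainsWords "[SECURE]" `
        -SentToScope NotInOrganization `
        -ApplyRightsProtectionTemplate "Encrypt" `
        -Comments "Applies Microsoft 365 Message Encryption to outbound mail tagged by staff"
}
```

The rule does not replace the advice above about secure email tools; it only makes sure that mail staff have chosen to protect is encrypted even if they forget to press the button.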
Is Zoom GDPR compliant?
Answered July ’20.
Zoom certainly came under fire early in the pandemic as a lot of people were switching on to working from home and video conferencing (many for the first time). Zoom suddenly went from being quite niche to very popular and wasn’t really prepared for it. Some of the big security concerns that came up included:
- Facebook data sharing
- Incomplete (or, in some cases, absent) end-to-end encryption on calls/conferences
- Zoom-bombings – people joining Zoom meetings without an invite by either finding or guessing the meeting ID and then posting inappropriate or explicit content (clearly a safeguarding concern!)
- Vulnerabilities that allowed malicious actors to access users’ webcams (another safeguarding concern)
Clearly these were pretty serious concerns and we recommended that schools avoid running live lessons altogether (something which was also advised by the unions) and use pre-recorded videos instead. If schools did choose to run live lessons, we recommended using software like Microsoft Teams or Google Meet, which suffer from fewer issues and are GDPR compliant.
Our understanding is that Zoom has worked hard since March to fix a number of these security issues and make the platform safer and more compliant. Here is an example of a more recent article highlighting the progress that Zoom has made in many of these areas, with advice on how to make your meetings more secure. A number of sources will also highlight how Zoom fails to comply with GDPR, such as this blog post.
That being said, Zoom claims to have done work in recent months to fix a number of these issues and claims it is GDPR compliant on its website and in its documentation. But then Zoom have claimed compliance since the GDPR was implemented in 2018.
There are schools out there using Zoom but our advice would be to avoid it. Are there alternative platforms that you can use? Or are there alternative methods that you can use to achieve the same result?
Can we retain photos of pupils as part of our school's historical record?
Answered October ’20.
You are indeed able to store the photos as an historical record. There is an exemption in the Data Protection Act (2018) which applies to “Archiving in the Public Interest” which this comes under. (Schedule 2, Part 6, Paragraph 28 of the DPA 2018)
The best way to address this is to ensure that your retention policy states that photos will be kept for the purposes of archiving in the public interest and creating an historical record. It may also be worthwhile adding that statement to your photo consents going forward so that parents/pupils are aware in advance. Technically, you don’t have to get consent for this (that’s what the exemption means) but you might want to let people know that photos will be archived in this way. You don’t have to though!
Within the exemption itself, it states that it is available only where personal data is processed in accordance with Article 89(1) of the GDPR. This is essentially stating that the processing must be subject to appropriate safeguards for individuals’ rights and freedoms – among other things, you must implement data minimisation measures.
You must ensure the personal data you are processing is:
- adequate – sufficient to properly fulfil your stated purpose;
- relevant – has a rational link to that purpose; and
- limited to what is necessary – you do not hold more than you need for that purpose.
And it is important to ensure that they are kept securely as well of course, as that would also constitute an appropriate safeguard for individuals’ rights and freedoms!
Can we share data with the police if they request it?
Answered October ’20.
Essentially, the ICO has been keen to stress that data protection should not be a barrier to sharing data with the police where it is necessary. They have written a blog post clarifying this which can be found here.
The key message is that the GDPR and DPA 2018 do not prevent data sharing but it must be done appropriately. To quote:
“Organisations should remain confident that when asked for personal data to assist the police whether in an emergency, or in their ongoing community policing activities, necessary, relevant and proportionate data can be disclosed in compliance with the law.”
Depending on the level of detail in the data request, it is worth clarifying the request with the police so that you are able to assess properly whether the information you are disclosing is necessary, relevant and proportionate. This links to the following quote:
“In particular it is in the DPA2018 where organisations will find the rules surrounding the processing of data for law enforcement purposes. In addition, Part 3 of the Act specifically applies to organisations defined as ‘competent authorities’ – such as police forces, criminal courts and prisons.
Requests for information made by competent authorities must be reasonable in the context of their law enforcement purpose, and the necessity for the request should be clearly explained to the organisation.”
They give an example which we think is relevant:
“…take the example of a social worker, who is asked to pass on case files to police containing details of young teenagers. … the social worker might feel reluctant to voluntarily disclose information to the police if the request appears excessive, or the necessity or urgency appears unjustified. So the onus is on the police to provide as much clarity as they can without prejudicing their investigation.”
We would therefore recommend:
- confirming the authenticity of the request,
- clarifying the request to allow you to make the judgement as to whether the information you are sharing is necessary, relevant and proportionate, and
- recording this in full as a data decision on our portal.
How long should we retain emails as a school?
Answered November ’20.
There isn’t anything specifically in the GDPR or DPA 2018 that states how long you should or shouldn’t keep email. We recommend that schools keep them for the shortest amount of time that is practical and delete as soon as possible. It might be that some emails need to be kept for record but they could be copied to a pupil or personnel file. The rest could then be deleted. The length of time is up to the school really.
The guidance from the IRMS toolkit (Information and Records Management Toolkit for Schools Version 6.0) states the following:
How long do we keep e-mails?
E-mail is a communications tool, and e-mail applications are not designed for keeping e-mail as a record. E-mail that needs to be kept should be identified by content, for example:
- Does it form part of a pupil record?
- Is it part of a contract?
- Does it relate to an employee?
The retention for keeping these e-mails will then correspond with the types of records found in the Retention Schedule for schools below. These e-mails may need to be saved into an appropriate electronic filing system or printed out and placed on paper files. Similarly, information contained within these e-mails should be recorded in the appropriate place (e.g. the MIS or behaviour management system). Once this is done the original could be deleted.
Consider implementing an electronic rule whereby e-mails in inboxes are automatically deleted after a period of time, assuming they have been filed away. This will assist greatly in reducing the amount of information potentially disclosable in the event that a subject access request is received. Consider implementing procedures for the management of inboxes of staff who have left the organisation.
Limiting the information which is retained will also mitigate the school’s liability in the event of a breach and will reduce the amount of electronic storage required.
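As an added example (not from the IRMS toolkit or the original answer), this is how the automatic-deletion rule described above, together with the leaver procedure it mentions, can be set up in Exchange Online PowerShell; the mailbox addresses and the retention periods are assumptions and should be replaced with the periods in the school's own Retention Schedule.

```powershell
# Added example, not from the original page. Requires the ExchangeOnlineManagement module
# and an Exchange administrator account; addresses and periods below are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@school.example   # placeholder admin account

# Tag 1: anything still in the Inbox after 12 months is deleted (recoverable for the
# deleted-item retention window), on the assumption that staff have filed what must be kept.
New-RetentionPolicyTag -Name "Inbox - delete after 12 months" `
    -Type Inbox -AgeLimitForRetention 365 -RetentionAction DeleteAndAllowRecovery `
    -Comment "Filed e-mails belong in the MIS or the pupil/personnel file, not the Inbox"

# Tag 2: a personal tag staff apply to a folder whose contents must be kept for the
# Retention Schedule period (6 years is an assumed example) before deletion.
New-RetentionPolicyTag -Name "Keep 6 years (filed record)" `
    -Type Personal -AgeLimitForRetention 2190 -RetentionAction DeleteAndAllowRecovery

# Tag 3: the default for every folder not covered by a more specific tag.
New-RetentionPolicyTag -Name "Default - delete after 2 years" `
    -Type All -AgeLimitForRetention 730 -RetentionAction DeleteAndAllowRecovery

# Bundle the tags into one policy and apply it to every staff user mailbox.
New-RetentionPolicy -Name "School staff e-mail retention" `
    -RetentionPolicyTagLinks "Inbox - delete after 12 months","Keep 6 years (filed record)","Default - delete after 2 years"

Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited |
    Set-Mailbox -RetentionPolicy "School staff e-mail retention"

# Leavers: converting the mailbox to a shared mailbox removes the sign-in while keeping the
# content under the same retention policy until the schedule deletes it.
Set-Mailbox -Identity leaver@school.example -Type Shared   # placeholder leaver account
```

Less mail held means less to search when a subject access request arrives and less exposed if the mailbox is ever compromised, which is the point the toolkit makes above.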
The IRMS toolkit also makes the following point which is something that we discuss in our training:
It’s not a filing system
E-mail systems are commonly used to store information which should be stored somewhere else. E-mails and attachments should be saved into any appropriate electronic filing system or printed out and placed on paper files.
Where the text of the e-mail adds to the context or value of the attached documents it may be necessary to keep the whole e-mail. The best way to do this, and retain information which makes up the audit trail, is to save the e-mail in .msg format. Where you just want recipients to read a document, consider sending a link to the documents rather than attaching them.
Should Governors use school email accounts?
Answered November ’20.
There are a few different ways to look at this situation.
Firstly, the school is the data controller. As the data controller, the school should be retaining control over its data and that includes communication conducted by and on behalf of the school. The best way to do that is to ensure that it stays within the school’s systems – so, in the case of email, within the school’s email systems.
Secondly, data protection by design is the overarching priority of data protection law. Anything that denies the school, as the controller, the ability to implement security controls designed into a system runs against that principle, so if the school designs its email system to ensure the security of data, the clerk and governors must use that system. Using their own email accounts does not allow for that design and is a problem: you don’t know what security measures the clerk and governors have in place on their own email systems, so you can’t guarantee the protection of any data that ends up there.
Thirdly, from a practical point of view, the school should always be able to audit any data that it controls including monitoring and audit of emails if necessary. If someone is working on behalf of the school and is using a personal email address instead of the school’s, the school is unable to audit or monitor that without requesting access to that person’s email account. There is always a risk that if that were the case, the school would be able to access other personal emails on that system that they shouldn’t.
Fourthly, and this links to the previous point, when the school receives a SAR, it should be able to search all of its systems for any data regarding the data subject who has put in the request. This could include emails if that has been specified in the request. Someone using a personal email account for school business does not give the school easily searchable access to their emails in this sort of situation, which puts the school at risk of not being able to disclose all of the information it holds.
Should we send out Christmas card lists to parents with names of the children in a class/group/bubble/year?
Answered December ’20.
From a pure data protection point of view, giving out the names of the children within a class or year group to all of the parents is not a good idea if they haven’t given consent. Whilst a first name on its own might not seem like a lot of data (because it isn’t), it can then be matched to the year and class of the child and someone could start to build a picture (even if it is a very blurry one at this point). And it only takes one parent to complain that they didn’t want their child’s name given out for the school to have to answer some awkward questions. Here are some alternative ideas though:
- Add a line on the consent form regarding sharing a first name only with other members of the class/group/bubble etc for the purposes of Christmas/Birthday lists when the child joins the school or at the start of the year. Not helpful at this point for the current cohorts we realise but useful for next year onwards.
- Ask consent at this point. This may not be practical depending on the size of the classes or the situation with the pandemic. It could be as simple as the class teacher asking parents that they are happy for their child’s name to be on the list as they pick their child up at the end of the day and ticking them off. Or, if the school is using online solutions for communication with parents, putting the question out on that or posting a poll for them to complete.
- Finally, a lot of schools are now getting the parents to collate the list between themselves. Then it is the parents giving each other the children’s names and not the school at all. Some parents have done this by creating a sign-up sheet on the outside of the classroom door so that parents add their child’s name at pick-up time (maybe not practical during Covid), and the list is then circulated by one of the parents. Others have parents who set up WhatsApp or Facebook groups for the other parents in their class and share the children’s names that way.
Should teacher names be disclosed in information contained in a SAR by a parent or pupil?
Answered December ’20.
Regarding redacting teacher names for a SAR: the overall guidance on the Right of Access, which covers subject access requests, is as follows:
The specific area we need in this case is the guidance on Education Data:
In this guidance, it states, for example: “Parents can only submit a SAR for information about their child if the child is not competent to act on their own behalf or has given their consent.” This then links to further guidance (How do we recognise a subject access request (SAR)? | ICO) which clarifies how to make the decision around competency.
The guidance also states “if an educational record contains personal data relating to someone other than the requester (such as a family member), you must consider the rules about third-party data before disclosing it to the requester. However, you should not normally withhold information that identifies a teacher.”
On a side note, you also shouldn’t provide information that has been “supplied in a report or given as evidence to the court in the case of proceedings” or if “certain specific statutory rules apply to those [court] proceedings that allow the withholding of the data from the individual it relates to.” And you also shouldn’t provide information if you feel that disclosure could cause serious harm (“cause serious harm to the physical or mental health of any individual”).
The final piece of guidance which is of use in this case is this:
In here, it states the following about an education worker: “it is reasonable to disclose information about them without their consent, as long as the disclosure meets the appropriate ‘test’.”
The test being the following in the case of most of the education establishments we work with:
“For education workers, it meets the ‘education data test’ if the other individual is a teacher or other employee at a voluntary aided, foundation or foundation special school, an Academy school, an alternate provision Academy, an independent school or a non-maintained special school in England or Wales, and the information relates to, or was supplied by, the other individual in their capacity as an employee of an education authority.”
So it is unlikely that teacher names would be redacted from a SAR about a student except in exceptional circumstances.
We are concerned that data released in a SAR, and containing teacher names, could be published online. What can we do? Can we instruct the data subject not to publish online?
Answered January ’21.
We have discussed this particular issue with the ICO. They have stated:
“Data protection law gives a right to individuals to access their own data, so the school cannot put additional conditions on releasing the person’s own data. If the school is concerned about harm to third parties due to that being released then that may be grounds to withhold it.”
As a school then, you cannot tell the data subject what they can or can’t do with the data. If you are concerned about harm then you should redact teacher names. The ICO go on to say:
“The school needs to assess if it is reasonable to supply third party [i.e. teacher] data, taking into account that there is a presumption of reasonableness for teachers. They can ask the individual about their intentions with the data in order to make that assessment, and in some cases it is relevant to ask the third party for consent.”
Your options then are to speak to the data subject about their intentions and, if you feel there is a risk, redact the names further. It might be that this redaction isn’t needed on all emails as there are only some you would be concerned about being published. Will certain emails be detrimental to the teacher if they are posted with their name included? If so, redact those specifically. If you are at a point in the SAR process where the deadline is approaching and the limited time available is not enough, speak to the data subject, explain the need to delay for a short period, and then issue when ready. This would be preferable to issuing incorrectly.
How should I respond to a Right to Erasure request from a parent if a pupil has moved on to another establishment?
There will be a number of different contexts to this but the template below can be adapted to fit them. In this example, the pupil has moved to EHE from an Academy so the Pupil File is to be transferred to the LA and the retention schedule is for an Academy. This can be adapted for different transfers and retention schedules depending on context:
“Thank you for sending through your right to erasure (right to be forgotten) request regarding your child’s personal data. We are consulting with our Data Protection Officer (DPO) with regards to the processing of this request and are conducting it as appropriate. Under the UK GDPR, we must comply with your request without undue delay and at the latest within one month of receipt of the request. We will therefore endeavour to have completed processing this request by the xxxxxx, one month from receipt of the request on the xxxxxx. This requirement is laid out by the ICO here: Right to erasure | ICO
It is important to note that in the same guidance, it identifies that the right to erasure is not absolute. Data that we process under the legal bases of Article 6(1)(c) “legal obligation” and Article 6(1)(e) “public task” are not subject to the right to erasure. Most data that we process as a school uses these legal bases and therefore we cannot erase that data until such time as those legal bases no longer apply. This is laid out in our retention schedule which follows the Information & Records Management Society (IRMS) Toolkit for Academies which can be found here: IRMS Academies Toolkit – Information and Records Management Society.
As stated in this document, data that forms part of the pupil’s Educational Record or ‘Pupil File’ will be passed on to the Local Authority who will retain it for the statutory period or until the child transfers to another school at which point the file will be transferred to that establishment. Other data that does not form part of the pupil file such as attendance registers and records relating to school trips that contain your child’s data, will be retained until the end of the statutory period at which point they will be securely disposed of.
Any data that the school no longer has a duty to retain (it is no longer necessary for the purpose for which it was originally collected/processed) or was processed under the legal basis of Article 6(1)(a) “consent” (if you are confirming that consent has been withdrawn) will be erased securely and appropriately by the deadline of the xxxxxx.
If you have any concerns or questions about how your data is being processed with regards to this request, you may contact our DPO at GDPR@schoolpro.uk or the ICO directly at Home | ICO, using their chat service Live chat | ICO, on 0303 123 1113, or by post at Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.”
Please contact us if you do have further questions at GDPR@schoolpro.uk.
Please continue to ask if there is anything further that we can do to support you at this time.
Stay safe and healthy,
Ian, Rich and Ben
SchoolPro TLC Ltd (2021)
SchoolPro TLC is not responsible for the content of external websites.