We are asked data protection questions by schools on a daily basis and there are some questions that come up regularly. Here is a collection of those questions answered for you and we’ll keep adding to them over the coming months:

Are emails encrypted in Microsoft 365?

Answered July ’20.

A number of schools have asked about this in order to ensure that their emails are secure when sending personal information. The guidance from Microsoft states the following:

Outlook for Microsoft 365 – When you need to protect the privacy of an email message, encrypt it. Encrypting an email message in Outlook means it’s converted from readable plain text into scrambled cipher text. Only the recipient who has the private key that matches the public key used to encrypt the message can decipher the message for reading. Any recipient without the corresponding private key, however, sees indecipherable text. Outlook supports two encryption options:

  • S/MIME encryption – To use S/MIME encryption, the sender and recipient must have a mail application that supports the S/MIME standard. Outlook supports the S/MIME standard.
  • Microsoft 365 Message Encryption (Information Rights Management) – To use Microsoft 365 Message Encryption, the sender must have Microsoft 365 Message Encryption, which is included in the Office 365 Enterprise E3 license.

So unless you know the recipient uses Microsoft 365, we recommend that you still use a secure email tool like Egress. And speak to your organisation’s IT Support if you are unsure!

Is Zoom GDPR compliant?

Answered July ’20.

Zoom certainly came under fire early in the pandemic as a lot of people were switching on to working from home and video conferencing (many for the first time). Zoom suddenly went from being quite niche to very popular and wasn’t really prepared for it. Some of the big security concerns that came up included:

  • Facebook data sharing
  • Incomplete (or in some cases absent) end-to-end encryption on calls/conferences
  • Zoom-bombings – people joining Zoom meetings without an invite by either finding or guessing the meeting ID and then posting inappropriate or explicit content (clearly a safeguarding concern!)
  • Vulnerabilities that allowed malicious actors to access users’ webcams (another safeguarding concern)

Clearly these were pretty serious concerns and we recommended that schools avoided running live lessons altogether (something which was also advised by the unions) and used pre-recorded videos instead. If schools did choose to run live lessons, we recommended using software like Microsoft Teams or Google Meet which suffer from fewer issues and are GDPR compliant.

It is our understanding that Zoom has worked hard since March to fix a number of these security issues and make the platform safer and more compliant. Here is an example of a more recent article highlighting the progress that Zoom has made in many of these areas and with advice around how to make your meetings more secure. A number of sources will also highlight how Zoom fails to comply with GDPR such as this blog post.

That being said, Zoom claims to have done work in recent months to fix a number of these issues and claims it is GDPR compliant on its website and in its documentation. But then Zoom have claimed compliance since the GDPR was implemented in 2018.

There are schools out there using Zoom but our advice would be to avoid it. Are there alternative platforms that you can use? Or are there alternative methods that you can use to achieve the same result?

Can we retain photos of pupils as part of our school's historical record?

Answered October ’20.

You are indeed able to store the photos as an historical record. There is an exemption in the Data Protection Act (2018) which applies to “Archiving in the Public Interest” which this comes under (Schedule 2, Part 6, Paragraph 28 of the DPA 2018).

The best way to address this is to ensure that your retention policy states that photos will be kept for the purposes of archiving in the public interest and creating an historical record. It may also be worthwhile adding that statement to your photo consents going forward so that parents/pupils are aware in advance. Technically, you don’t have to get consent for this (that’s what the exemption means) but you might want to let people know that photos will be archived in this way. You don’t have to though!

Within the exemption itself, it states that it is available only where personal data is processed in accordance with Article 89(1) of the GDPR. This is essentially stating that the processing must be subject to appropriate safeguards for individuals’ rights and freedoms – among other things, you must implement data minimisation measures. 

You must ensure the personal data you are processing is:

  • adequate – sufficient to properly fulfil your stated purpose;
  • relevant – has a rational link to that purpose; and
  • limited to what is necessary – you do not hold more than you need for that purpose.

And it is important to ensure that they are kept securely as well of course, as that would also constitute an appropriate safeguard for individuals’ rights and freedoms!

Can we share data with the police if they request it?

Answered October ’20.

Essentially, the ICO has been keen to stress that data protection should not be a barrier to sharing data with the police where it is necessary. They have written a blog post clarifying this which can be found here.

The key message is that the GDPR and DPA 2018 do not prevent data sharing but it must be done appropriately. To quote:

Organisations should remain confident that when asked for personal data to assist the police whether in an emergency, or in their ongoing community policing activities, necessary, relevant and proportionate data can be disclosed in compliance with the law.

Depending on the detail in the data request, it would be worth clarifying it with them so that you can appropriately assess whether the information you are disclosing is necessary, relevant and proportionate. This links to the following quote:

In particular it is in the DPA2018 where organisations will find the rules surrounding the processing of data for law enforcement purposes. In addition, Part 3 of the Act specifically applies to organisations defined as ‘competent authorities’ – such as police forces, criminal courts and prisons.
Requests for information made by competent authorities must be reasonable in the context of their law enforcement purpose, and the necessity for the request should be clearly explained to the organisation.

They give an example which we think is relevant:

…take the example of a social worker, who is asked to pass on case files to police containing details of young teenagers. … the social worker might feel reluctant to voluntarily disclose information to the police if the request appears excessive, or the necessity or urgency appears unjustified. So the onus is on the police to provide as much clarity as they can without prejudicing their investigation.

We recommend:

  • confirming the authenticity of the request,
  • clarifying the request to allow you to make the judgement as to whether the information you are sharing is necessary, relevant and proportionate, and
  • recording this in full as a data decision on our portal.

How long should we retain emails as a school?

Answered November ’20.

There isn’t anything specifically in the GDPR or DPA 2018 that states how long you should or shouldn’t keep email. We recommend that schools keep them for the shortest amount of time that is practical and delete as soon as possible. It might be that some emails need to be kept for record but they could be copied to a pupil or personnel file. The rest could then be deleted. The length of time is up to the school really.

The guidance from the IRMS toolkit (Information and Records Management Toolkit for Schools Version 6.0) states the following:

How long do we keep e-mails?

E-mail is a communications tool, and e-mail applications are not designed for keeping e-mail as a record. E-mail that needs to be kept should be identified by content, for example:

  • Does it form part of a pupil record?
  • Is it part of a contract?
  • Does it relate to an employee?

The retention for keeping these e-mails will then correspond with the types of records found in the Retention Schedule for schools below. These e-mails may need to be saved into an appropriate electronic filing system or printed out and placed on paper files. Similarly, information contained within these e-mails should be recorded in the appropriate place (e.g. the MIS or behaviour management system). Once this is done the original could be deleted.

Consider implementing an electronic rule whereby e-mails in inboxes are automatically deleted after a period of time, assuming they have been filed away. This will assist greatly in reducing the amount of information potentially disclosable in the event that a subject access request is received. Consider implementing procedures for the management of inboxes of staff who have left the organisation.

Limiting the information which is retained will also mitigate the school’s liability in the event of a breach and will reduce the amount of electronic storage required.

The IRMS toolkit also makes the following point which is something that we discuss in our training:

It’s not a filing system

E-mail systems are commonly used to store information which should be stored somewhere else. E-mails and attachments should be saved into any appropriate electronic filing system or printed out and placed on paper files.

Where the text of the e-mail adds to the context or value of the attached documents it may be necessary to keep the whole e-mail. The best way to do this, and retain information which makes up the audit trail, is to save the e-mail in .msg format. Where you just want recipients to read a document, consider sending a link to the documents rather than attaching them.

Should Governors use school email accounts?

Answered November ’20.

There are a few different ways to look at this situation.

Firstly, the school is the data controller. As the data controller, the school should be retaining control over its data and that includes communication conducted by and on behalf of the school. The best way to do that is to ensure that it stays within the school’s systems – so, in the case of email, within the school’s email systems.

Secondly, for the school as the data controller, data protection by design is the overarching priority of data law. Anything that doesn’t give the school as the controller the ability to implement controlled security designed into a system is in fact against the principle of data law… ergo if the school chooses to design their email system to ensure security of data, the clerk and governors must use the system. Using their own email does not allow for that design and is a problem. You don’t know what security the clerk and governors have in place on their email system, so you can’t guarantee the protection of any data that may end up in that system.

Thirdly, from a practical point of view, the school should always be able to audit any data that it controls including monitoring and audit of emails if necessary. If someone is working on behalf of the school and is using a personal email address instead of the school’s, the school is unable to audit or monitor that without requesting access to that person’s email account. There is always a risk that if that were the case, the school would be able to access other personal emails on that system that they shouldn’t.

Fourthly, and this links to the previous point, when the school is given a SAR, it should be able to search all of its systems for any data regarding the data subject that has put in the request. This could include emails if that has been specified in the request. Someone using a personal email for school business does not give the school easy searchable access to their emails for data in this sort of situation which puts the school at risk of not being able to disclose all of the information it holds.

Should we send out Christmas card lists to parents with names of the children in a class/group/bubble/year?

Answered December ’20.

From a pure data protection point of view, giving out the names of the children within a class or year group to all of the parents is not a good idea if they haven’t given consent. Whilst a first name on its own might not seem like a lot of data (because it isn’t), it can then be matched to the year and class of the child and someone could start to build a picture (even if it is a very blurry one at this point). And it only takes one parent to complain that they didn’t want their child’s name given out for the school to have to answer some awkward questions. Here are some alternative ideas though:

  • Add a line on the consent form regarding sharing a first name only with other members of the class/group/bubble etc for the purposes of Christmas/Birthday lists when the child joins the school or at the start of the year. Not helpful at this point for the current cohorts we realise but useful for next year onwards.
  • Ask consent at this point. This may not be practical depending on the size of the classes or the situation with the pandemic. It could be as simple as the class teacher asking parents whether they are happy for their child’s name to be on the list as they pick their child up at the end of the day and ticking them off. Or, if the school is using online solutions for communication with parents, putting the question out on that or posting a poll for them to complete.
  • Finally, the other thing a lot of schools are doing now is getting the parents to collate the list between them. Then it is the parents that are giving each other the children’s names and not the school at all. Some parents have done this by creating a sign-up sheet to go on the outside of the class door so parents add their child’s name at pick-up time (maybe not practical during Covid) and then the list is circulated by one of the parents. Others have parents that set up WhatsApp or Facebook groups for the other parents in their class and they share the children’s names that way.

Should teacher names be disclosed in information contained in a SAR by a parent or pupil?

Answered December ’20.

Regarding redacting teacher names for the SAR, the overall guidance regarding the Right of Access which covers Subject Access Rights is as follows:

Right of access | ICO

The specific area we want in this case is the guidance on Education Data:

Education data | ICO

In this guidance, it states, for example: “Parents can only submit a SAR for information about their child if the child is not competent to act on their own behalf or has given their consent.” This then links to further guidance (How do we recognise a subject access request (SAR)? | ICO) which clarifies how to make the decision around competency.

The guidance also states “if an educational record contains personal data relating to someone other than the requester (such as a family member), you must consider the rules about third-party data before disclosing it to the requester. However, you should not normally withhold information that identifies a teacher.”

On a side note, you also shouldn’t provide information that has been “supplied in a report or given as evidence to the court in the case of proceedings” or if “certain specific statutory rules apply to those [court] proceedings that allow the withholding of the data from the individual it relates to.” And you also shouldn’t provide information if you feel that disclosure could cause serious harm (“cause serious harm to the physical or mental health of any individual”).

The final piece of guidance which is of use in this case is this:

What should we do if the request involves information about other individuals? | ICO

In here, it states the following about an education worker: “it is reasonable to disclose information about them without their consent, as long as the disclosure meets the appropriate ‘test’.”

The test being the following in the case of most of the education establishments we work with:

“For education workers, it meets the ‘education data test’ if the other individual is a teacher or other employee at a voluntary aided, foundation or foundation special school, an Academy school, an alternate provision Academy, an independent school or a non-maintained special school in England or Wales, and the information relates to, or was supplied by, the other individual in their capacity as an employee of an education authority.”

So it is unlikely that teacher names would be redacted from a SAR about a student except in exceptional circumstances.

We are concerned that data released in a SAR, and containing teacher names, could be published online. What can we do? Can we instruct the data subject not to publish online?

Answered January ’21.

We have discussed this particular issue with the ICO. They have stated:

“Data protection law gives a right to individuals to access their own data, so the school cannot put additional conditions on releasing the person’s own data. If the school is concerned about harm to third parties due to that being released then that may be grounds to withhold it.”

As a school then, you cannot tell the data subject what they can or can’t do with the data. If you are concerned about harm then you should redact teacher names. The ICO go on to say:

“The school needs to assess if it is reasonable to supply third party [i.e. teacher] data, taking into account that there is a presumption of reasonableness for teachers. They can ask the individual about their intentions with the data in order to make that assessment, and in some cases it is relevant to ask the third party for consent.”

Your options then are to speak to the data subject about their intentions and, if you feel there is a risk, redact the names further. It might be that this redaction isn’t needed on all emails as there are only some you would be concerned about being published. Will certain emails be detrimental to the teacher if they are posted with their name included? If so, redact those specifically. If you are at a point in the SAR process where the deadline is approaching and the limited time available is not enough, speak to the data subject, explain the need to delay for a short period, and then issue when ready. This would be preferable to issuing incorrectly.

How should I respond to a Right to Erasure request from a parent if a pupil has moved on to another establishment?

Answered February ’21.

There will be a number of different contexts to this but the template below can be adapted to fit them. In this example, the pupil has moved to EHE from an Academy so the Pupil File is to be transferred to the LA and the retention schedule is for an Academy. This can be adapted for different transfers and retention schedules depending on context:

“Thank you for sending through your right to erasure (right to be forgotten) request regarding your child’s personal data. We are consulting with our Data Protection Officer (DPO) with regards to the processing of this request and are conducting it as appropriate. Under the UK GDPR, we must comply with your request without undue delay and at the latest within one month of receipt of the request. We will therefore endeavour to have completed processing this request by the xxxxxx, one month from receipt of the request on the xxxxxx. This requirement is laid out by the ICO here: Right to erasure | ICO

It is important to note that in the same guidance, it identifies that the right to erasure is not absolute. Data that we process under the legal bases of Article 6(1)(c) “legal obligation” and Article 6(1)(e) “public task” are not subject to the right to erasure. Most data that we process as a school uses these legal bases and therefore we cannot erase that data until such time as those legal bases no longer apply. This is laid out in our retention schedule which follows the Information & Records Management Society (IRMS) Toolkit for Academies which can be found here: IRMS Academies Toolkit – Information and Records Management Society.

As stated in this document, data that forms part of the pupil’s Educational Record or ‘Pupil File’ will be passed on to the Local Authority who will retain it for the statutory period or until the child transfers to another school at which point the file will be transferred to that establishment. Other data that does not form part of the pupil file such as attendance registers and records relating to school trips that contain your child’s data, will be retained until the end of the statutory period at which point they will be securely disposed of.

Any data that the school no longer has a duty to retain (it is no longer necessary for the purpose for which it was originally collected/processed) or was processed under the legal basis of Article 6(1)(a) “consent” (if you are confirming that consent has been withdrawn) will be erased securely and appropriately by the deadline of the xxxxxx.

If you have any concerns or questions about how your data is being processed with regards to this request, you may contact our DPO at GDPR@schoolpro.uk or the ICO directly at Home | ICO, using their chat service Live chat | ICO, on 0303 123 1113, or by post at Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.”

Can we publish historical photos from our school in a closed social media group or on our website?

Answered March ’21.

We spoke to the ICO about this as one of our schools was looking to use historical photos as part of a large anniversary celebration. The first thing the ICO said was that if photos are used in a closed group (such as a Facebook group where members have to be admitted by an administrator) it poses a low risk to individuals and therefore can be done. The legislation is not too specific around old photos, especially if they have been taken in public places where less privacy is to be expected. It is more complicated using current pupils’ photos and you will need to assess the risk and review consents if photos are published. The risk with historic photos is probably low and there is an exemption in DPA 2018 about use of data in closed groups. The ICO also said that when using photos in a closed group, “we would not expect that you would be seeking consent of those individuals in the photo.”

But what about on a public website? The ICO would not consider it to be a data breach if it is used for school purposes, the photos are taken in a public space, and it is low risk to the individuals. If you can say ‘yes’ to all of those points, you should be able to publish. If you receive objections to publishing, you should consider the request.

So taking those points onboard, it may be that not every image shared on a closed group is appropriate to go into a public, historical gallery. For example, the behaviour of the pupils in the photo may be embarrassing and therefore not ‘low risk’ or it could be a photo from a school residential in a dorm room that wouldn’t be considered a public space.

Equally, for any photos that are recent and for which you may still have photo consents, you should consider the photo consent. So, if you have consents going back 10 years, it would be appropriate to apply those same consents to photos of those children even if they left the school nearly 10 years ago (unless they have specifically said they are happy to have the photo shared).

It would also be worth having a statement on your public gallery that says that images are either from the school’s historical archive or have been shared by former pupils and staff, and that they are deemed appropriate to share as part of any specific event or historical celebration. It should also say that anyone with a specific objection to any of the photos can contact the school and request removal.

There is more useful information on schools and photos in this blog post published by the ICO:

Blog: Don’t get caught out when it comes to pupil photos | ICO

If a SAR request asks for emails, do we have to provide every email that an individual's name appears in?

Answered September ’21.

This is a common misconception and the answer, in short, is ‘no’! A subject access request is about data subjects exercising their right of access. The right of access does involve producing a copy of the individual’s personal data but that doesn’t mean giving them copies of their name every time it appears in your data systems for example. To explain:

You don’t have to necessarily print out or electronically provide every single email that an individual’s name has appeared in. It is only emails that are ABOUT them which isn’t necessarily the same thing. Here is the ICO’s guidance about emails – How do we find and retrieve the relevant information? | ICO

A couple of key points –

  • It can sometimes be difficult to determine whether an email contains an individual’s personal data. This depends on the contents of the email, the context of the information it contains, and what it is being used for. Ultimately it is for you as the data controller to determine whether any of the information in the email is the individual’s personal data.
  • The right of access only applies to the individual’s personal data contained in the email. This means you may need to disclose some or all of the email to comply with the SAR.
  • Just because the individual receives the email, does not mean that the whole content of the email is their personal data. Again, the context of the information and what it is being used for is key to deciding this. However, their name and e-mail address is their personal data and you should disclose this information to them.

The ICO includes this example in their guidance:

So, if you search your email system and find thousands of emails with the individual’s name/email address in, you could separate out into different categories:

  • Emails that they have sent – in theory, they could simply have these as they are as they would have written them in the first place. You may decide to redact however if the information they sent in those emails is now information you don’t think they should have access to for whatever reason. Or you could just say that you have x number of emails written by them in your system and can provide if requested. They may not really be interested in these but more the emails ABOUT them.
  • Emails in which they are a recipient – if they are a recipient of 1000s of emails but aren’t actually the content of the email (i.e. the emails are sent out to all staff/pupils or to groups of staff/pupils), you wouldn’t have to hand these all over. Much like in the example above, you could simply identify the number of them and say, we hold x thousand emails with your name as the recipient but which aren’t about you. You then don’t have to go through all of those.
  • The final category is emails in which they actually are the subject of the email. These are the emails which are actually ABOUT them and should be a much smaller subset of the emails. They should be provided with copies of these with any redactions applied as appropriate.

Doing it this way should speed up the process and reduce the need to go through every email as well as the need to provide copies of every single email.

Remember, if in doubt, speak to your DPO and they can advise.

Are there any conditions under which we can legitimately extend the deadline for a Subject Access Request?

Answered November ’21.

The short answer is that yes, you can. You can extend the time to respond by a further two months giving you a total of 3 months to respond to the request. There are a number of conditions for this but the one that is most likely to be relevant for you is if the request is “complex”.

You should calculate the extension as three months from the original start date, ie the day you receive the request, fee or other requested information.

If you decide that it is necessary to extend the time limit by two months, you must let the individual know within one month of receiving their request and explain why. It is important to note that you don’t have to ask them if you can extend it, the decision is yours to make as the data controller. However, an open dialogue with the data subject about this will help the process go smoothly and hopefully keep the situation from ending in animosity or a formal complaint. It also may be appropriate to provide some of the data by the initial deadline with the more complex data to come later.

Here is further information about complex requests taken from the ICO guidance –
When can we refuse to comply with a request? | ICO

When is a request complex?
Whether a request is complex depends upon the specific circumstances of each case. What may be complex for one controller may not be for another – the size and resources of an organisation are likely to be relevant factors. Therefore, you need to take into account your specific circumstances and the particular request when determining whether the request is complex.

The following are examples of factors that may, in some circumstances, add to the complexity of a request. However, you need to be able to demonstrate why the request is complex in the particular circumstances.

  • Applying an exemption that involves large volumes of particularly sensitive information.
  • Clarifying potential confidentiality issues around the disclosure of sensitive medical information to an authorised third party.
  • Searching large volumes of unstructured manual records (only applicable to public authorities).

It is important to be realistic in your judgement of the request as ‘complex’. Just because a request involves a large quantity of data, that doesn’t mean it is necessarily ‘complex’ and justifies an extension. Remember, if in doubt, come and speak to us as your DPO and we can advise.

What are the common exemptions that may apply in the case of a Subject Access Request?

Answered November ’21.

When preparing data for a Subject Access Request, it is important to remember that there are a number of exemptions that could apply to the data. This list is by no means exhaustive but it includes the exemptions we think are most likely to apply to data requested of a school. Any, all, or none of these exemptions may apply to your data when requested and, if you are unsure, please speak to us as your DPO:

  • Information about others.  There is an exemption in the DPA 2018 that says the school does not have to comply with a SAR, if doing so means disclosing information which identifies another individual, except where the other individual has consented to the disclosure, or it is reasonable to comply with the request without that individual’s consent. For example, information about witnesses to an incident would apply here.
  • Confidentiality. A duty of confidence arises where an individual discloses genuinely ‘confidential’ information (ie information that is not generally available to the public) to the school, with the expectation that it remains confidential. This tends to apply in specific situations such as during a counselling session, medical appointment or similar. The SAR guidance and DPA 2018 do provide examples but the list is not exhaustive. As data controller, you can decide if you think there is an expectation around the confidentiality of data.
  • Crime and taxation: general. Personal data processed for crime purposes is exempt from the right of access. These purposes are the prevention or detection of crime, or the apprehension or prosecution of offenders. This exemption applies only to the extent that complying with a SAR is likely to prejudice one of these crime purposes. Unlikely in the case of most education establishments but is possible.
  • Child abuse data. Child abuse data is personal data consisting of information about whether the data subject is or has been the subject of, or may be at risk of, child abuse. This includes physical injury (other than accidental injury) to, and physical and emotional neglect, ill-treatment and sexual abuse of, an individual aged under 18.
  • Education data – processed by a court. This exemption can apply to education data (personal data in an educational record) processed by a court which is relevant in this case. The exemption applies if the education data is supplied in a report or evidence given to the court in the course of proceedings; and those proceedings are subject to certain specific statutory rules that allow the education data to be withheld from the individual it relates to.
  • Education data – serious harm. This exemption applies to the extent that complying with the right of access would be likely to cause serious harm to the physical or mental health of any individual. The key phrase here is “any individual”. So if you think there is a risk of harm to “any individual” in releasing certain data, this data becomes exempt. That could be a risk to the requester themselves or anyone else mentioned (or not) in the data. Or any other individual linked to the data.
  • Confidential References. This exemption applies to personal data consisting of a reference given (or to be given) in confidence for the purposes of education, training, or employment of the data subject; the placement of the data subject as a volunteer; the appointment of the data subject to any office; or the provision by the data subject of any service. This also applies to the “prospective” enactment of any of these options.
  • Exam scripts and exam marks. Personal data consisting of information recorded by candidates during an exam is also exempt, as well as data consisting of marks or other information processed for the purposes of determining the results of an exam or in consequence of the determination of the results of the exam. There is more detail to this within the DPA 2018 which also explains time limits for providing certain types of data relating to exams so, if exam data is included in a request, we recommend reading that (link below) or speaking to us directly.

 

So any data that falls under one of those exemptions would be redacted and not included. You should always record which exemptions you are relying on for each piece of data and why. You should also explain to the data subject which exemptions you have applied and why. However, it may be that giving that information prejudices the use of the exemption so there are some instances where you may have to tell the data subject that you can’t tell them exactly what has been redacted, why, and under which exemption. You also have to be able to defend your decision if they challenge it and/or complain to the ICO.

Remember, our role is to help you apply the legislation correctly and we will provide you with advice and guidance as to how to do that. Please ask!

Right of access | ICO

Data Protection Act 2018 (legislation.gov.uk)

Data Protection Act 2018 (legislation.gov.uk) (Exemptions)

Do staff using Face ID to authenticate on iPads mean that the school is processing biometric data?

Answered December ’21.

If schools are processing biometric data then they should state this in their Data Protection Policy and it is also a statutory requirement set by the DfE to have a Biometric Data Policy if you are processing the biometric data of children. So could you be processing biometric data without realising it?

We spoke to the ICO about this and formulated three scenarios:

Scenario 1 – a staff member is using their own iPad and securing it with Face ID or a fingerprint. In this case, the school is not controller for this data so is not processing biometric data. This would also apply if pupils are using their own devices and using Face ID/fingerprints.

Scenario 2 – the school owns iPads and issues them to staff. Staff use Face ID or fingerprints to secure these devices. The ICO would consider the school to be the controller for this biometric data. This is despite the fact that the school does not have access to the biometric data stored in the vault on the iPad (and neither does Apple). A DPIA would be required and the biometric data section of the Data Protection Policy would need to be amended to consider that the school IS processing biometric data. A biometric policy would not be required as that is only for children’s biometric data but would be required if pupils were securing school devices with Face ID or fingerprints.

Scenario 3 – The school outsources their IT Support to another company and that company owns the devices. The school then issues them to the staff to use. As far as the ICO is concerned, there is a bit of a grey area as to who is the controller here (school or IT company) but they recommend that this is contractually agreed before implementing the devices. Based on the outcome of that agreement, the school may then be considered to be processing biometric data and require the relevant paperwork.

So… are you processing biometric data?

Does our school need a European or EU Representative?

Answered January ’22.

It has now been a little over a year since Brexit and there are still a few changes to data protection legislation as a result that are being fully understood.

If you are an organisation (in your case, a school, college or other education establishment) in the UK that processes personal data of individuals within the EEA to offer them goods or services, or to monitor their behaviour, you will need to comply with the EU data protection regime alongside the UK regime. It is likely that you will need to appoint a representative in the EEA.

If your education establishment is a public authority, you don’t need to appoint a European representative and you can skip onto the next article in this newsletter.

But if your education establishment is a private organisation such as an independent school (a private school), you may well need to appoint a European representative.  Unfortunately, you aren’t exempt from this because you are performing the task of a public authority. If that applies to you, read on.

So, when might you be processing the personal data of individuals within the EEA to offer them goods or services, or to monitor their behaviour?

If you have students that come from the EU (i.e. are normally resident in an EU/EEA country) then you would be considered to be offering goods and services to them and so you would need to appoint an EU representative. This is especially true if you are targeting families in the EU/EEA by marketing the school to them, for example.

As the DPO for you, we couldn’t be your EU representative even if a part of our establishment was in the EU. Your DPO and EU representative shouldn’t be the same person or organisation. If you have an establishment within the EU (for example, you have staff working remotely who are based in the EU), you wouldn’t need an EU representative as they can do that on your behalf. If you don’t, your representative may be an individual, or a company or organisation established in the EEA, and must be able to represent you regarding your obligations under the EU GDPR (e.g. a law firm, consultancy or private company). In practice the easiest way to appoint a representative may be under a simple service contract.

Please see the ICO guidance on European representatives: European representatives | ICO and speak to us directly if you feel this might apply to you and you need further support.

Do staff working remotely abroad require international transfers of data and relevant safeguards being implemented?

Answered November ’21.

The full question asked here was as follows – If we have a member of staff who is having to quarantine for a couple of weeks in another country (one outside the EU/EEA and that doesn’t have an adequacy decision), what are the GDPR implications if they are going to work remotely from that country during their quarantine? Does this constitute an international transfer?

In this case, the member of staff was having to stay overseas due to Covid restrictions and therefore work remotely until they could return to the UK. This could also apply if you had staff working remotely from countries outside the UK and that don’t have adequacy agreements in place. The ICO provided the following advice:

This wouldn’t class as an international transfer, because the receiver of the personal data wouldn’t be legally distinct from the sender, i.e. the person accessing the data is a member of staff rather than a separate entity. Accessing data in a third country would class as a transfer if the scenario did involve two separate legal persons. [However, in this instance,] you don’t need to consider it as an international transfer (implement an appropriate safeguard etc.) but you do need to apply appropriate security measures.

So appropriate technical/organisational security measures would need to be applied when accessing the data from abroad, such as not using public WiFi where possible, but there isn’t the need to identify appropriate safeguards for international transfers.

We've been asked for CCTV footage by a member of the public of an incident in our car park. They want it for insurance purposes. Should we share this footage?

Answered May ’22.

The Surveillance Camera Code of Practice states the following:

7.2 There may be other limited occasions when disclosure of images to another third party, such as a person whose property has been damaged, may be appropriate. Such requests for images or information should be approached with care and in accordance with the data protection legislation, as a wide disclosure may be an unfair intrusion into the privacy of the individuals concerned.

7.3 A system operator should have clear policies and guidelines in place to deal with any requests that are received. In particular:

  • Arrangements should be in place to restrict disclosure of images in a way consistent with the purpose for establishing the system.
  • Where images are disclosed, consideration should be given to whether images that may identify individuals need to be obscured to prevent unwarranted identification.
  • Those that may handle requests for disclosure should have clear guidance on the circumstances in which disclosure is appropriate.
  • The method of disclosing images should be secure to ensure they are only seen by the intended recipient.
  • Appropriate records should be maintained.

7.4 Judgements about disclosure should be made by a system operator. They have discretion to refuse any request for information unless there is an overriding legal obligation such as a court order or information access rights. Once they have disclosed an image to another body, such as the police, then the recipient becomes responsible for their copy of that image.

We’ve highlighted some of the key points in bold. It is down to the school to decide if it is appropriate and you will need to demonstrate you have guidance on this (which should be in your CCTV Policy) and a way of recording requests. We have a CCTV Request Log template in Global Documents on the portal that could be used for this, or it could be logged as a Data Decision.

Other legislation to consider is the UK GDPR and DPA 2018. This is technically a SAR although you are disclosing a third party’s data. This guidance is the most relevant – What should we do if the request involves information about other individuals? | ICO. The guidance states that you can release data about a third party without their consent if you feel it is reasonable to comply with the request without that individual’s consent. Step Three of the guidance on ‘information about others’ shows the considerations that the school should take about releasing this information. As long as you are making the considerations as seen in the guidance, taking into consideration that context, then you will not go too far wrong.

You could also consider limiting the amount of information too – perhaps if you are able to extract and release stills of the footage rather than the footage itself, or even just the details of the car/driver – this may assist with this decision.

We spoke to the ICO about this specific situation and they said:

These decisions can be tricky to make, but with the use of the guidance and your knowledge of the context of the situation, you should be able to justify either holding the information back, or releasing it. In either case you will be balancing up the information rights of all parties involved.

So, in summary, the key actions will be:

  • Ensure that the CCTV Policy is in place and contains the correct information (as well as ensuring there was appropriate signage at/near the location)
  • Decide based on the above whether it is appropriate to release the data
  • Record that decision making process
  • Record that the data has been shared (appropriately securely).

How can we reduce the risk of staff sending out 'blank forms' to recipients with another data subject's data in them?

Answered July ’22.
 
Unfortunately, this is a fairly common problem that we come across. There are a multitude of forms that schools will send out from new starter forms for staff to travel allowance forms or referral forms. The issue comes where an individual is sent a supposedly blank form and it turns out on receipt that it is filled in (or partially filled in) with another data subject’s data. And depending on the nature of the form, this can be very sensitive data in some instances!
 
The problem often comes from ‘master templates’ being over-written by mistake or saved over with a completed document. So, how can we reduce this risk? There are a number of different options that could be used if this type of breach becomes an issue for you:
 
  • Train staff to copy master documents prior to filling them in (rather than filling in the master document and then using ‘Save As’) so the original master is not completed and potentially saved over by mistake.
  • Make the master document a ‘template document’ so that it can’t be saved over but has to be saved as a separate file.
  • Make the master document a ‘read-only document’ so that it also can’t be saved over but has to be saved as a separate file.
  • Keep master documents in a separate folder to completed documents. Combine this practice with the first bullet point so the document has to be copied into the ‘completed document’ location prior to filling in.

Are OneNote files subject to SAR / FOI requests if they are being used as an individual's notebook or jotter?

Answered January ’23.

Depending on the data being recorded in the OneNote files, yes, these would be subject to a SAR or FOI request. With some caveats of course! 

You could probably argue that these files would sit in the same territory as physical notebooks or jotters which are classed as ‘unstructured manual records’ – as they are simply digital versions of the same thing. ‘Unstructured manual records’ are basically “non-automated information which is not, or you do not intend to be, part of a ‘filing system’.”

Are there any special cases? | ICO

Essentially, you may have to search these notes if a request comes in. Having them in OneNote makes them a lot easier to search than if they are in actual notebooks or random unfiled sheets of paper. However, as the guidance states, you do not have to provide this data if:

• “the request does not contain a description of the unstructured data; or
• …[you] estimate that the cost of complying with the request would exceed the appropriate maximum.”

The appropriate maximum for a school (or trust) would be £450 – mostly based on staff time to search through the records, retrieve the information, redact and collate.

The first bullet point mentions requests that don’t contain a description of the unstructured data – it is important to note that some requests do specify notes or similar records, so it is worth bearing that in mind when reading a request. This is done to ensure that these sorts of data are included in the request.

The guidance also makes it clear that for an FOI Public Authority (which state schools and MATs are) the records don’t have to be provided if they are about the following:

• Appointments;
• Removals;
• Pay;
• Discipline;
• Superannuation; or
• Other personal matters in service to the school.

That would mostly relate to notes about staff / HR / personnel rather than those about students of course.

Can we give staff access to the systems before they start at the school so that they can prepare/plan for the start of the academic year?

Answered August ’23.

A good question and one that we do get quite a lot. Ultimately, it will come down to the school’s own policies and procedures. And we would also recommend that the school liaises with HR and IT Support as well.

Many schools will allow some form of access and give email accounts from a point after staff have signed contracts – so not from the start date of the contract necessarily but from the point at which they have signed the contract.

Once an employee has signed their contract, there are likely to be some legal obligations in place, even if their official start date has not yet arrived. These obligations could include confidentiality clauses, for instance. However, these obligations and the timeline they cover can vary greatly, and we would expect that they should be explicitly stated in the contract. Again, this is why we would recommend checking with HR.

Do we have to provide original (or copies of original) documents to a data subject as part of a subject access request or could we summarise data in a new document for the request?

Answered October ’23.

The short answer is that no, you do not have to provide original (or even direct copies of original) documents as part of a subject access request.

Under the UK GDPR, an individual is entitled to their personal data only. That doesn’t necessarily include all documents that their name or staff/student code appear on (many will not be their personal data) and it is also not the case that the school has to produce original documents that contain their personal data. The ICO’s guidance states “The right of access enables individuals to obtain their personal data rather than giving them a right to see copies of documents containing their personal data” – How should we supply information to the requester? | ICO

This does mean that, where appropriate, you could retrieve data from a system and copy it into a summary document in order to provide it to the data subject. That said, it is often still appropriate to give copies of original documents (with relevant redactions applied) to a data subject, but it isn’t essential.

Can we send home flyers for third-party organisations either by email or post?

Answer revised and updated February ’24.

Postal Leaflets in School Bags:

The process for sending postal leaflets via school bags is not subject to the privacy and electronic communications regulations (PECR) which means consent is not required. The school can rely on a Legitimate Interests lawful basis and perform a Legitimate Interests Assessment (LIA) for the overall practice of sending out these mailings. It is crucial that parents are informed about this process and have the clear option to opt-out. The school needs to ensure that parents are aware of their rights and the school’s processing activities through clear communication, such as a statement in a parent newsletter. This approach negates the need for separate LIAs for each third-party organisation’s materials being sent out.

In order to notify parents about this processing, the school could add the following into a parent newsletter (or similar) – words to the effect of 

“we will occasionally send home flyers from trusted third parties such as the local authority in pupil bags. This is to make you aware of events, activities, services and products that we think may be of interest to you or your family. Please let us know if you object to this and we will ensure that you don’t receive this information.”

Electronic Communication (Email):

There are two distinct categories regarding electronic communication:

  1. Direct Marketing Messages:
    These include communications where a paid service is being offered, or there is fundraising or similar activities involved. Examples include services like school photography or extracurricular activities run by external companies that require payment. These types of messages require prior opt-in consent from the recipients, and it must be straightforward for them to withdraw consent at any time. It is important to ensure that this consent is specific, informed, and unambiguous. The school should not use opt-out forms for these types of communications; instead, an explicit opt-in mechanism should be in place.

  2. Promotional Messages Not Classified as Direct Marketing:
    This category includes communications that can be considered part of the school’s or trust’s legal function as a public body and do not have a paid-for element. Examples might include free educational opportunities from the local library or informational leaflets from the NHS. These messages do not require prior consent but fall under the ‘public task’ legal basis. While upfront consent is not needed, parents should still be informed about these communications and have the ability to object to receiving them, akin to the opt-out process in legitimate interests. Similar notification to that quoted above for the school bag method could be used to ensure transparency.


In Summary:

For non-commercial promotional messages sent by electronic media, and leaflets (commercial or otherwise) in school bags, consent is not required upfront, but there should be an option for parents to opt-out or object. Schools must inform individuals about this processing beforehand, maintaining transparency and adhering to data protection principles.

For commercial promotional messages sent by electronic media, including paid-for services or fundraising, schools must obtain clear, opt-in consent from parents before sending these communications.

By distinguishing between these types of communications and applying the correct legal basis for each, schools can ensure compliance with data protection regulations while keeping parents informed about relevant services and opportunities.


​Please contact us if you do have further questions at DPO@schoolpro.uk.

Please continue to ask if there is anything further that we can do to support you at this time.

Stay safe and healthy,

The SchoolPro TLC Team

 

SchoolPro TLC Ltd (2023)

SchoolPro TLC guidance does not constitute legal advice.

SchoolPro TLC is not responsible for the content of external websites.