The weather has been increasingly summery and with Euro 2020 just around the corner, it is time to… Wait! That was going to be the introduction to this month’s newsletter when I initially planned out the year back in September. But plans have had to change quite a bit since then. Of course, the plan for our monthly newsletter is pretty inconsequential compared to the rapid changes in planning that organisations have been conducting around the world over the past few months, including education establishments here in the UK. And, as a consequence of this rapid planning and the ever-changing circumstances surrounding them, decision-making has had to be done far faster than normal. It is important to ensure that data protection is still considered and the rapid implementation of new systems and projects have rigorous processes to back them up.
Consequently, this month’s newsletter is going to focus on data decisions and data protection impact assessments – when and how you should use them, and what we can do to support you. We also have more advice from the ICO about staying safe and compliant during the pandemic, updated ICO advice on exemptions for exam script information from Subject Access Requests, a limited update about data sharing and the new test and trace system, and info about some new resources for you in Global Documents.
If you have any further questions about the topics below, or if you would like to book your next visit from us, either online using video conferencing or onsite once schools are accepting visitors, please get in touch via GDPR@schoolpro.uk.
Stay safe and healthy!
Data Decisions & Data Protection Impact Assessments
Over the last few months, school settings have found themselves in unchartered territories: trying to source innovative ways of home schooling their pupils, conducting virtual staff and governor meetings, alongside facilitating interview processes in order to ensure they are fully resourced ready for the upcoming new academic year. This on top of staying open for keyworker and vulnerable children and, more recently, implementing the procedures needed for wider reopening. At SchoolPro TLC, we would like to say thank you for all of your hard work and a huge well done for keeping on going through the haze.
With all of this in mind, many of you may have taken on new subscriptions, used online platforms that you didn’t previously, or taken advantage of the ‘free’ resources that have made available to you by a number of providers. If this is the case, we need to remind you of the need to keep everyone’s personal information safe whilst doing so. Therefore, we felt it wise to remind you of the need to undertake Data Protection Impact Assessments (DPIAs) where necessary.
What is a DPIA?
A DPIA is a process to help you identify and minimise the data protection risks of a new project. It is, in essence, a risk assessment for your data processing activities.
Conducting a DPIA is a legal requirement for certain projects, as set out in the ICO’s guidance. Even when a DPIA is not mandatory, it’s often prudent to consider the privacy impacts of any new processing. Looking at a project through the ‘privacy lens’ at an early stage can act as a ‘warning light’, highlighting potential privacy risks before they materialise, and whilst measures can be put in place to reduce the risks.
Conducting a DPIA and documenting the outcomes is an important method of demonstrating that privacy is being taken seriously – it is evidence of an organisation’s commitment to accountability – a core principle and requirement under GDPR and the Data Protection Act 2018.
What is a Data Decision?
A “data decision” is used to record decision-making around processing activities where the risk is low or for one-off activities such as one-off data sharing. It maybe that a processing activity only requires a data decision to be completed due to its nature but it may also be that it becomes the starting point for a more in depth DPIA if it becomes apparent that the activity requires it.
If you are unsure as to whether you need to be completing a Data Decision or a DPIA, speak to us as your DPO and we can advise appropriately.
For more information on Data Decisions and DPIAs, including how to start completing them, please see our dedicated blog post which goes into more detail on the subject – https://schoolpro.uk/schoolpro-tlc-blog/data-protection-impact-assessments-what-are-they-and-why-are-they-important – or speak us to discuss further.
Latest Advice from the ICO
Back in April, we shared advice that the ICO had released with reference to organisations and their data processing during the coronavirus pandemic. The ICO has since updated its advice so we wanted to share the latest, most pertinent, points from that update. You’ll notice that they’ve also highlighted the importance of DPIAs:
How should I tell people about how we’re processing personal data during the pandemic?
Where possible, organisations should have clear and accessible privacy information in place before processing begins. However, we recognise that in this exceptional period, this may not always be possible.
Organisations should ensure that privacy notices are in place and updated as soon as reasonably practical. More details of what they should include can be found on our website, where there is also a simplified version that may be helpful to organisations.
The sort of information that they ought to include might be (but isn’t limited to):
- An organisation’s name and contact details (email and telephone number),
- The data held and the reasons why,
- Where this data was obtained,
- The length of time it will be retained for, and
- How people can request it be erased.
Where possible, organisations should make this information as accessible as possible, consider the different circumstances and factors that will impact upon this, and communicate accordingly.
I’m worried we’re more open to a personal data breach because of adaptations we’ve made during the pandemic. What should I do?
Many organisations have had to adapt to the evolving pandemic at speed, for example, arranging working from home quickly and using new IT solutions, which in turn may have led to policies procedures not being strictly followed.
We have seen several breaches involving human error such as using CC instead of BCC on emails and sending personal data to incorrect recipients so it may be worth reminding your staff to check before sending emails.
Our Working from Home guidance can help your organisation remain compliant with data protection laws.
How can I show that our approach to processing during the pandemic is compliant with data protection law?
To show that your processing of data is compliant, you will need to use the accountability principle. It makes you responsible for complying with the GDPR and says that you must be able to demonstrate your compliance such as additional recording keeping requirements when processing sensitive data. One way of demonstrating accountability is through a data protection impact assessment (DPIA).
If your organisation is going to process health information, then you should conduct a DPIA focussing on the new areas of risk.
This DPIA should set out:
- the activity being proposed;
- the data protection risks;
- whether the proposed activity is necessary and proportionate;
- the mitigating actions that can be put in place to counter the risks; and
- a plan or confirmation that mitigation has been effective.
DPIAs are designed to be flexible, as appropriate to the context. We have a template organisations can use to help them focus on the minimum requirements. One important point is that the initial DPIA should be regularly reviewed and updated. This is especially important in a fast-moving crisis situation, as new risks and benefits emerge.
Update on exam script exemption and access to teacher assessments during the coronavirus pandemic
Due to the coronavirus pandemic pupils will not be sitting exams this year. Instead, teachers will be conducting and submitting pupil assessments, which will be used to award grades. The ICO has received a number of queries about whether the exam scripts exemption will still apply in these unusual circumstances.
The answer is yes, the exam scripts exemption will still apply to the information used to award students’ grades.
This allows for longer response times for requests for access to pupil assessment information if they are received before the official results are announced. The timeframe for responding to these requests are either:
- within five months of receiving the request; or
- within 40 days of announcing the exam results, whichever date is earliest.
Requests made after the results are announced need to be dealt with as an normal subject access request. However, the ICO understands there may be delays during the pandemic. We have published a document setting out our regulatory approach during the coronavirus pandemic.
This guidance has been quoted directly from the ICO website. All of the ICO’s advice can be found here.
Document Updates – Sharing Test and Trace Data
We have been asked by a number of schools about sharing data with regards to the new NHS Test and Trace data. At the time of writing, there hasn’t been sufficiently detailed advice released to fully implement new documentation with regards to this brand new system.
That being said, we are staying fully abreast of the situation and as it becomes more clear, we will keep you all up to date. Our expectation is that we may need to update privacy notices and/or complete Data Decisions / DPIAs to allow for any data sharing that may occur beyond normal expectations and routines.
As soon as we know more, we will let you all know and provide appropriate guidance and documentation.
New Resources in Global Documents
We have a number of new resources for you in Global Documents on the portal this month. You can see them below and they are:
- Dealing with Data Breaches – Infographic
- CCTV Warning Sign x 2
- Social Distancing Sign
Data Protection in the News
Should all Heads of Compliance/Legal step down as DPO, following the Belgian DPA ruling? – fieldfisher
Home affairs data breach may have exposed personal details of 700,000 migrants – The Guardian
Tokopedia Breach: 91 Million Records for Sale on Dark Web – Infosecurity Magazine
AGoDaddy Suffers Data Breach – Infosecurity Magazine
No cookie consent walls – and no, scrolling isn’t consent, says EU data protection body – TechCrunch
Data Breach Exposes Four Million Dating App Users – Infosecurity Magazine
Tusla fined by Data Protection Commision over three GDPR breaches –
The hidden cost of GDPR data access requests – betanews
One in ten home working Brits are not GDPR compliant – ITProPortal
EasyJet admits data of nine million hacked – BBC
Coronavirus: Serco apologises for sharing contact tracers’ email addresses – BBC
It looks like the UK’s data regulator has given up, blaming coronavirus – Wired
First major GDPR decisions looming on Twitter and Facebook – TechCrunch
As the GDPR turns 2, Big Tech should watch out for big sanctions – CNET
Workers warned over keeping sensitive data secret at home –
Grandmother ordered to delete Facebook photos under GDPR – BBC
Recent and Current Partner OffersCyber Threats
We realise that these unprecedented times have brought about so much change. While the schools are busy virtually supporting their pupils and looking after vulnerable and keyworker children, we want to ensure that their Curriculum Server and Core Applications are working seamlessly in the background.
Currently, admin staff and business managers are putting themselves at risk from catching Coronavirus by having to work on site where their servers and data are based. The alternative of working from home is hampered or made impossible by slow broadband speeds or an inability to connect remotely.
That’s why we have teamed up with Access – one of the largest suppliers of educational finance and HR software in the UK, which supports more than 8000 schools – to offer a completely free hosting solution for schools curriculum servers until 31st August 2020.
The free migration process is simple, secure, speedy and straightforward, with almost no downtime and minimal input from the school or staff. The free Curriculum Server Service is available until the 31st August, at which point the data will be swiftly returned to the schools’ servers unless schools wish to retain a partnership with CloudHappi and Access.
While under CloudHappi’s guardianship, all the data is stored in the secure London Docklands Telehouse data centre, which is trusted and used by some of the UK’s leading brands and Access’s Cloud. It is all backed up to an equally impressive and secure data centre, 26 miles away. Unlike other solutions, the data and applications never leave the UK.
Already, schools across the UK are taking advantage of this service and the feedback has been overwhelmingly positive, giving school business managers and senior leaders the confidence that they can access their applications whenever and wherever.
For more details, or to take advantage of this free service, contact Cloudhappi on SIMSrescue@Cloudhappi.com or visit https://cloudhappi.com/
We have teamed up with Health Go, one of the leading hand sanitation providers in the UK, to bring you a discounted offer on their hand sanitiser stations. These stations were used at Twickenham during the Six Nations and have since been deployed at venues around the UK including hospitals, airports, supermarkets and other public service facilities. Health Go have also developed stations for schools which can include your school logo and branding at no extra cost.
Health Go have produced a schools brochure including a variety of solutions depending on the context of the school. This can be found at the link below. When ordering your sanitation product from Health Go, quoting the code “SchoolPro” will give you a 5% discount on the stations as well as the hand sanitiser itself.
How can we reduce the risk of staff sending out 'blank forms' to recipients with another data subject's data in them?
- Train staff to copy master documents prior to filling them in (rather than filling in the master document and then using ‘Save As’) so the original master is not completed and potentially saved over by mistake.
- Make the master document a ‘template document’ so that it can’t be saved over but has to be saved as a separate file.
- Make the master document a ‘read-only document’ so that it also can’t be saved over but has to be saved as a separate file.
- Keep master documents in a separate folder to completed documents. Combine this practice with the first bullet point so the document has to be copied into the ‘completed document’ location prior to filling in.
Please contact us if you do have further questions at GDPR@schoolpro.uk.
SchoolPro TLC Ltd (2020)
SchoolPro TLC is not responsible for the content of external websites