On May 25 2018, the General Data Protection Regulation (GDPR) will come into force, replacing the existing Data Protection Act (DPA). It introduces many wide-ranging changes in the way companies and public-sector organisations need to store and manage customer data, as well as how they dispose of it once it’s no longer needed.
Schools are custodians of more information than ever before, from student and staff records to CCTV footage. So it’s essential to understand the GDPR and what it means for your school, so you can be ready for the new regulations before they come into force.
At first glance, you might be forgiven for thinking that things hadn’t changed that much, since the GDPR covers many of the same areas as the DPA. But there are important differences.
Treatment of children
One of the most important changes under the GDPR is to the rights of children. The GDPR identifies children as “vulnerable individuals” who need “special protection”. Children must give their active, informed consent for information to be gathered and processed, and there are specific legal grounds for doing so. For children under 16, parental consent is required.
As a “data controller”, your school will need to make reasonable efforts to verify that you do have consent for the data processing you are carrying out.
Non-compliance and accountability
Non-compliance is sure to mean a decline in your Ofsted rating, and could also leave you facing a hefty fine from the ICO, with penalties significantly higher once the GDPR is in force. That applies to the Data Controller – your school – and anyone else involved in storing, processing or getting rid of your data.
Under the GDPR, you have to actively demonstrate that you are compliant. So you may have to put new accountability measures in place, such as Privacy Impact Assessments, data protection audits, policy reviews and activity records. In some cases, you may be obliged to appoint a DPO (Data Protection Officer).
A Privacy Impact Assessment is carried out when you implement a new change or project that involves “high risk” data processing activities.
Contracts and accreditations
You may already have written contracts, or SLAs, with your IT provider, other third-party data processors or data disposal companies. Once the GDPR comes into force, it’s essential to have a contract with these service providers to show they meet acceptable standards within their area, and hold the right accreditations.
Points to consider
Here are a few points to help you start thinking about what your school needs to do before the new regulations come into force. They’re based on the Information Commissioner’s Office’s 12-point plan for organisations that will be affected by the GDPR, plus some other suggestions.
- Does everyone know? Make sure everyone involved understands that the GDPR is coming, and what it will involve. Think about what staff training you might need to make sure everyone is up to speed.
- Do you need a DPO? Data protection is a big job, and if your school is above a certain size, you may need to appoint a DPO (Data Protection Officer), if you don’t already have one.
- What data do you hold, and how do you process it? The first step to protecting your data is knowing what data you’ve got. Carry out an information audit to establish exactly what personal and staff data you currently hold, where you got it from and who else uses it, or has access to it. Identify your legal basis for any data processing you do, and document it – you will now have to explain it in your Privacy Notice.
- How will you handle review rights and access requests? Do your current procedures cover all the rights that individuals have? How will you respond if someone asks to access the data you hold on them? Or if they ask to have it deleted?
- How do you manage consent? How do you ask for, obtain and record people’s data consent? Will it need to change? Bear in mind that consent must be actively and freely given (not just assumed, or bundled in with another agreement) and can be withdrawn at any time.
- How do you verify ages? How will you verify students’ ages, and obtain parental consent if you need it?
- How will you deal with breaches? If personal data was lost or stolen, what would you do? How will you find out about a breach, report it and investigate it?
- Should you use pseudonymised data? Pseudonymisation means processing data in such a way that it can’t be linked back to the original person without additional information that is kept separately. Pseudonymised data is still personal data, but using it can be a better approach in some situations – for example, when using data on past pupils to compile statistics.
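One way to build the pseudonymised past-pupil extract mentioned above, as an added example that is not part of the original post or Shred Station’s own material: the pupil ID is replaced by a keyed HMAC, the key is held separately by the school as data controller, and the statistics are compiled from the pseudonymised set only. The record layout, field names and key handling are assumptions.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample of past-pupil records (hypothetical names and values).
PAST_PUPILS = [
    {"pupil_id": "P1001", "name": "Alice Example", "leaving_year": 2016, "destination": "sixth form"},
    {"pupil_id": "P1002", "name": "Bob Example", "leaving_year": 2016, "destination": "apprenticeship"},
    {"pupil_id": "P1003", "name": "Carol Example", "leaving_year": 2017, "destination": "sixth form"},
    {"pupil_id": "P1004", "name": "Dan Example", "leaving_year": 2017, "destination": "sixth form"},
]

def pseudonym(pupil_id: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 of the pupil ID. Without the key the value can be
    neither reversed nor recomputed, so it cannot be re-linked to a pupil."""
    return hmac.new(key, pupil_id.encode(), hashlib.sha256).hexdigest()[:16]

def pseudonymise(records, key):
    """Replace direct identifiers with a pseudonym and keep only the fields
    the statistics need. Name and pupil_id are dropped entirely."""
    return [
        {"pseudonym": pseudonym(r["pupil_id"], key),
         "leaving_year": r["leaving_year"],
         "destination": r["destination"]}
        for r in records
    ]

def destination_stats(pseudo_records):
    """Counts per (leaving_year, destination), compiled from the pseudonymised set only."""
    return dict(Counter((r["leaving_year"], r["destination"]) for r in pseudo_records))

def relink(pseudo_record, records, key):
    """Re-identification is only possible for whoever holds the key (the controller);
    the pseudonymised data therefore remains personal data on the controller's side."""
    for r in records:
        if hmac.compare_digest(pseudonym(r["pupil_id"], key), pseudo_record["pseudonym"]):
            return r
    return None

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # stored separately from the pseudonymised extract
    pseudo = pseudonymise(PAST_PUPILS, key)
    print(destination_stats(pseudo))
```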
How we can help
One of the most important aspects of data security is securely disposing of confidential data and IT assets when they’re no longer required, to make sure any personal information on them cannot be recovered. At Shred Station, we offer a full shredding service for all types of document, IT equipment and other items.
- For IT equipment, you can select collection and transport via GPS-tracked vehicles to our secure destruction depot
- For confidential documentation, hard drives, and digital media you can opt for collection and destruction on-site with our secure mobile destruction vehicles
- Our hard drive and digital media shredders can carry out destruction to meet all your DPA and GDPR requirements – no data is retrievable following destruction
- Our accreditations meet the highest standards for secure data destruction, including EN15713 relating to the secure destruction of confidential information (see https://www.shredstation.co.uk/about-us/accreditation-compliance/)
- A certificate of destruction is provided to complete your data audit trail
- We’re an eco-friendly supplier: all destroyed equipment is disposed of in an environmentally friendly manner, and we have a strict no-landfill policy.