LEADERSHIP: Protecting your data

Solicitor Paula Williamson looks at the new tougher penalties for breaching data protection law and what schools need to do to get compliant and to keep their data safe and secure.


Penalties for breaching the Data Protection Act (DPA) have just increased sharply, and did you know that not only the school can be liable for a breach, but also a senior member of staff? Complaints about potential privacy violations rose by 30 per cent last year, according to the Information Commissioner's Office. So if you have not done so already, it is probably wise to spend some time trying to get your head around data protection so that it can be hardwired into school governance and culture.

An increasing number of schools are now getting to grips with data protection law, but there still are some which choose to stay in the dark. Ducking out of data protection is partly due to ignorance of the penalties for getting caught out. If you do plan on ignoring data protection you should at least understand the dangers involved.


What are the risks?


It is likely that a school that chooses not to get to grips with data protection law will, at some point in time, violate a pupil's or other individual's privacy. The risk of breaking the law has increased in proportion to the many new ways of working. Off-site working is now better facilitated by technology. Add to this the increasing appetite for social networking, school websites and blogs and it is easy to see why scarcely a week goes by without seeing a data protection blunder reported in the media. And because a school deals with children's information, the media will always be interested in reporting any slip-ups.

If a school ignores its legal data protection obligations, at best it will suffer reputational damage and unwelcome scrutiny from the media. However, it could also result in intervention from the Information Commissioner's Office and, at worst, a criminal record, fines and civil compensation claims. Also, the Information Commissioner now has the power to issue a Monetary Penalty Notice (MPN) fining organisations up to £500,000 for serious breaches of the DPA that are likely to cause damage or distress.

In order to issue an MPN, the Information Commissioner needs to be satisfied that the breach was either deliberate or negligent and that the organisation failed to take reasonable steps to prevent it. For example, the theft of personal data causes a teacher or parent to become the victim of identity fraud, or a school laptop is stolen which contains pupil/staff names and addresses including health information. In both examples, some of the pupils and parents suffer worry and anxiety that their sensitive personal data might be made public. The fact that those worries never materialise is irrelevant. The importance of this new power is that the regulator does not need to get a conviction in court in order to issue this fine. It also signals the onset of tougher new penalties still to come, including custodial sentences, compulsory data protection audits, and the mandatory disclosure of serious data security incidents.


What is data protection?


It sounds obvious, but data protection is the area of the law that governs what you may and may not do with personal data. Personal data is information which identifies a living individual and can be held manually (such as hand-written notes, photographs, printed emails and letters) or electronically (such as databases, CCTV images, unprinted emails and so on). Data protection law sets out the legal rules about obtaining information from your pupils and staff; the ways in which the school may and may not use personal information, such as whether it can or cannot be shared with external organisations; and the all-important security obligations for the storage of personal data. Data protection also regulates the use of personal data for marketing purposes.

All schools hold enormous amounts of personal data. The DPA will be engaged whenever that personal data is processed by the school. Sometimes it is pretty obvious when data protection law is engaged: for example, pupil attendance records, contact sheets, records of pupil achievement, consents for administration of medicine, a teacher's sickness record, emails between staff concerning pupils or staff, and written records of exclusion meetings. However, sometimes the DPA will be engaged without you even realising it: for example, implementation of pupil biometric systems for catering, library book borrowing or to record attendance; a teacher's "private" notes on pupils; or posting pupil data on the website or in the school magazine. Simply sharing pupil data, including CCTV images, with an external organisation such as the police, a consultant or a commercial contractor, will engage the DPA and you need to ensure that such sharing is fair and lawful.

SecEd • September 16 2010


How do you comply with the DPA?


The DPA contains a range of legal obligations which your school needs to understand and comply with. The most well known of these obligations is to register (or notify) with the Information Commissioner's Office. Failure to notify or to keep your notification up-to-date is a criminal offence.

The DPA also requires all schools to process personal data in accordance with eight principles. These principles govern the standard of processing and require the school to ensure that personal information is:

1. Fairly and lawfully processed – has your school issued up-to-date Privacy Notices to pupils and staff? Is your use of personal data on your website both fair and lawful? Have you obtained pupil/parental consent for pupil data to be used on your website and for your biometric systems? Do you require parents to opt in or out of pupil photography?
2. Processed for limited purposes.
3. Adequate, relevant and not excessive – is your contact information for primary and secondary carers sufficient?
4. Accurate and up-to-date – how often do you update your parental consents and by what method? What if a parent fails to confirm their information is up-to-date?
5. Not kept for longer than necessary – how long should you retain a child protection allegation for? How about Criminal Records Bureau data? Different documents need to be retained for different periods of time depending upon law, guidance and the operational needs of the school.
6. Processed in line with an individual's legal rights – one of the legal rights a data subject has is the right to ask for a copy of their personal data (known as a subject access request or SAR). It is crucial that the school knows how to recognise and process a SAR and what information it can withhold. If your school is maintained it also needs to be able to distinguish a SAR from a parental request for access to the educational record of their child. Why? Because these two requests are governed by different legislation.
7. Kept safe and secure – for more on this see below.
8. Not transferred to other countries without adequate protection – if your school website contains pupil or staff information this rule will be engaged simply because this information is available to the world at large. There are exceptions to this rule which will allow you to post personal data on your website, but what about other dangers, like sending pupil information overseas for a school trip or exchange?


Principle 7


This principle – the requirement to keep personal data secure – attracts a lot of media attention (think theft or loss of an unencrypted laptop or memory stick). Principle 7 requires the school to take "appropriate" technical and organisational steps to prevent data from being accidentally lost, stolen or destroyed or from being handled by someone without authority. The technical steps needed depend upon the sensitivity of the data concerned but would almost always include appropriate encryption solutions, off-site automated back-up to a secure server, use of passwords, and keeping an audit trail of all portable computing devices. Sensitive personal information such as health, sexual life, religion and ethnicity data requires enhanced protection.

Because teachers often work from home they need portable computing devices. That is fine, but if you think keeping data secure at school is tricky then keeping it secure in a teacher's lounge or on the back seat of their car requires real thought. The astute head knows that all employment contracts should include an obligation to process personal data in line with the DPA and the school's Data Protection Policy. By tethering data protection to the employment contract in this way, teachers will have a "contractual interest" in protecting data because if they do not they face disciplinary action.

In addition, Principle 7 requires the school to formalise in writing all of its outsourcing arrangements and to ensure that the contract contains certain data protection terms. Failure to do this amounts to a breach of Principle 7. And yet, ask any number of schools who use external contractors whether they have an appropriately worded contract and the answer is invariably "no".

Principle 7 also requires the school to ensure that all staff that handle personal data have received data protection training that is regularly refreshed. If your staff have not received this training then the school is automatically in breach of Principle 7. But getting staff trained brings other benefits apart from compliance with the law: if the worst comes to the worst and your school finds itself at the centre of a data security incident, the fact that staff have received appropriate training will be taken into account by the Information Commissioner's Office in its investigation and will help determine what enforcement action it chooses to take against the school.


Conclusion


All staff that handle personal data need basic data protection training, and failure to do this is automatically a breach of the law. Ensuring your staff are data protection savvy also demonstrates to those that matter (your parents, auditors, the media and the public) that you take your legal obligations seriously and helps with incident management from a PR perspective. It is worth noting that as well as the school, senior individuals that have deliberately or recklessly breached the law can also be prosecuted. Given that data protection complaints are on the up, no school, not even the smallest, will want to "put off" data protection for another year.




• Paula Williamson is principal solicitor at the Information Law Practice, a firm specialising in data protection in the education sector and which runs three different courses for schools in this area. Visit www.theinformationlawpractice.com/SCDP



