W: www.ie-today.co.uk


the main areas described above and then work through these to make sure they are fully understood and deal with issues specific to the school.

Having policies in place, reviewed and approved by governors is also, in itself, evidence that data protection is taken seriously and that good data protection practices are ingrained. The policies and procedures are as critical as health and safety policies and should be regularly reviewed and tested. Best advice is that they should be considered on, at least, a yearly basis by governors to ensure that they are fit for purpose.

If there is a breach of the Data Protection Act and a school has not put in place policies, then it will have acted in direct contravention of guidance from the ICO. Such a contravention will significantly increase the risk of a fine and increase the risk of reputational damage. A lack of clear policies will be a real indication of a lack of clarity about how data protection issues should be handled and how personal data should be treated. Not only is this disrespectful of the data subjects and their rights, it may well mean an increased burden for staff – from clerical staff to senior staff – and this in itself can be extremely detrimental for the wellbeing of a school.

Personal data is information about a living person. The Data Protection Act is based upon eight principles. These require that personal data:

• is processed fairly and lawfully
• is obtained only for lawful purposes and is not used for incompatible purposes
• is accurate and up to date
• is adequate, relevant and not excessive
• is not kept for longer than is necessary
• is processed in accordance with rights of data subjects
• is protected by appropriate technical and organisational measures against unauthorised use and against accidental loss
• is not transferred outside the European Economic Area unless to a country with proper protection of personal information

“INFORMATION SECURITY SHOULD BE TREATED AS SERIOUSLY AS THE PHYSICAL SECURITY OF THE SCHOOL”

Personal data must be treated with respect – or, put another way, must be dealt with in the same way as you would like information about yourself to be dealt with.

It should be stressed that critical comments about an individual are personal data. A useful rule is: nothing should be recorded which would cause embarrassment if disclosed to the data subject. This is a very basic rule and should be treated as having paramount importance. Information held about an individual belongs to that individual. The fact that disclosure of the information may cause embarrassment is not a recognised exemption under the Act. Destroying information after a subject access request is made is potentially a serious data protection breach. However, if information is destroyed before a request, then this may simply be sensible information management.

Information security is perhaps the most important area for a school. If personal data is lost or there is unauthorised access to it, then this could cause real harm to staff, pupils or parents. This could result in a fine and could cause serious reputational damage. Information security should therefore be treated as seriously as the physical security of the school. Just as a school will review who can visit its premises and for what purposes, it should review who can access information and what security is in place. Information is often held on computers and there have been a variety of cases where laptops have been stolen from schools or from homes. If there is a failure by the school to ensure encryption or other appropriate security measures are used, then this in itself could be a breach of the Act.

One particular problem is the use of memory sticks. If a school allows the use of unencrypted memory sticks and one is lost, then there really will be no defence. Although encrypted sticks are more expensive, this may mean that they are only used when necessary.

If an encrypted memory stick is lost, there will not be a breach of the Act.

It is also advisable to review how paper records are stored. Confidential information must be kept in locked cupboards in order to comply with the Act. Leaving confidential or sensitive information on a desk overnight creates an avoidable security risk.

In order to emphasise the importance of these simple points, it is useful to consider some published cases.

In 2013 the Nursing and Midwifery Council was involved in a fitness to practice investigation against a nurse. It sought to send to the hearing venue three DVDs containing highly sensitive information. But when the packages were opened at the venue there were no DVDs inside. They had been lost and the DVDs were not encrypted. A review of the procedures undertaken recommended that there should be more formal policies and procedures regarding the security of such data, including the encryption of any data stored on removable media. Nonetheless, the ICO imposed a fine of £150,000.

In 2011 an officer of Aberdeen City Council used a secondhand computer for home working. This computer had an automatic file transfer programme installed. This meant that all of her ‘My Documents’ file was automatically uploaded onto the internet – and this included data from her work email and from a USB stick. The material which was uploaded was highly sensitive information about children, their parents and their involvement with social work. The council was fined £100,000. The council’s policies were subsequently strengthened and all council-issued computers are now encrypted.

Cases such as the above are commonplace. Whilst they demonstrate how easy it is to get data protection wrong, with proper procedures and policies in place, providing clarity about where responsibility lies, coupled with proper training, it is also easy to get it right.

In conclusion, there really is only one answer to the question “Are data protection policies worth having?” and that is a resounding “yes”.


Andrew Gallie is an associate at leading education law firm Veale Wasbrough Vizards T: 0117 314 5623 E: agallie@vwv.co.uk W: www.vwv.co.uk