The General Data Protection Regulation, or GDPR as it is commonly referred to, comes into effect on 25 May 2018. It supersedes the current Data Protection Act 1998 (DPA) rather than simply adding to it, and it applies to all organisations which store or process personal data about individuals in the EU, including schools. At the point GDPR comes into force the UK will still be part of the EU. Post Brexit I would expect the UK to continue to use GDPR or to adopt something similar. As such, GDPR needs to be the focus of some discussion in schools between now and May, not least due to the significant fines which can be applied where data breaches occur: up to €20 million or 4% of global annual turnover, against the maximum of £500,000 which the Information Commissioner's Office (ICO) can currently levy under the DPA.
Since starting to look into GDPR some months ago I have heard various individuals and groups present on how GDPR represents a significant change from the DPA and how we must make major process and system changes in order to remain compliant with the new legislation. However, I note that a lot of these individuals or groups sell products or consultancy services which would "help" with GDPR compliance, and therefore their presentations were not without a certain amount of self-interest or bias. My belief is that the differences between the DPA and GDPR are not as insurmountable as these people make out, and that if a school has good policies and processes around data protection it should already be most of the way down the road to being compliant with GDPR. There are, however, a couple of key areas which I think will require some consideration in schools.
Permission for using data
Permission, or in GDPR terms the lawful basis, for storing and processing data plays a large part in the new regulation, whether that basis is explicit consent for a specific purpose, the performance of a contract, a legal obligation or a public task (which will cover much of what a school does), or archiving for historical or other public interest purposes. With GDPR it will be important for us to identify, and record, the lawful basis for each category of data which we gather, store and process, because the basis determines the extent of some of the rights of data subjects in relation to that data: consent, for example, can be withdrawn at any time, and rights such as erasure and data portability apply differently depending on the basis relied upon.
Third party sites and services
There is a huge number of websites and other resources available online. In order to gain access to them we usually need to provide some personal data, be it student email addresses, names or other details depending on the specific site. Not using these services due to data protection concerns would be a sad loss; however, in using these sites and services we need to make sure we have carried out due diligence. Under GDPR such a provider is a data processor acting on the school's behalf, and the school, as data controller, must have a written contract or processing agreement with it which sets out what it may do with the data; where the data is transferred outside the EU there must also be a lawful mechanism for that transfer. Do we know what security measures the site has in place to safeguard the data we provide? Do we know whether the data is ever shared with other parties, or what happens to it should the school cease using the service? I think this is an area which will need some significant work, in ensuring that a full register of sites with which data has been shared is created and maintained (recording what data is shared, on what basis and under what agreement) and in ensuring that due diligence has been conducted on each one.
Data retention
This is another area which will need to be considered, in terms of the length of time we retain records of our students. GDPR's storage limitation principle requires that personal data is kept no longer than necessary for the purpose for which it was collected. Our school management system retains a lot of information on our current students; however, should it be used to retain data on students who left the school 10, 20 or 30 years earlier? If it is retaining data, should it retain all of that data, including individual teacher assessments or minor conduct issues? The issue here is not just one of how long we retain data but also of what data we retain and the specific format of that data. I am currently considering creating a student archive record as a solution, whereby a number of years after a student has left, their school management record is archived for historical purposes but no longer retained in the school management system itself. An archived record is still personal data, so the archive itself needs a documented retention period and access controls, and it remains within the scope of a subject access request.
Subject Access Requests (SARs)
It is likely that as GDPR draws closer it will start to make an appearance in the national press. With this the legislation will more easily come to mind and, I would suggest, we will see an increase in subject access requests for data. In preparation for GDPR we must therefore give some consideration to the processes in place to respond to such requests. It should also be noted that GDPR shortens the response time for a SAR from the current 40 days to one month (extendable by a further two months for complex requests) and removes the £10 fee which can currently be charged, allowing a fee only where a request is manifestly unfounded or excessive. Both changes should contribute to the increase in requests which I envisage will occur.
IT security
GDPR will require schools to have appropriate technical and organisational measures in place to protect the personal data they hold and, under its accountability principle, to be able to demonstrate that they have done so; it is not enough to be compliant, a school has to be able to show it. Part of this will be protecting IT systems. As such it will be critical that schools undertake a risk assessment of their IT security and act accordingly to address the risks which they identify. This risk assessment will need to be revisited and reviewed continually in light of changing risks and threats. GDPR also requires that a personal data breach is reported to the ICO within 72 hours of the school becoming aware of it, unless it is unlikely to result in a risk to the individuals concerned, so the processes for detecting and handling a breach need to be in place before one occurs. The use of external third parties to perform security reviews would be ideal; however, this is likely to be viewed as cost prohibitive, although when compared with the costs associated with a data breach I am unsure this viewpoint can be considered valid. As a minimum, I think it will be important that schools work together to share best practice and ensure they have protected their data to the level which can reasonably be expected of them.
The General Data Protection Regulation provides us with a great opportunity to review what we are currently doing in terms of how we manage the data in our care. We have to bear in mind, however, that the Data Protection Act has been with us for almost 20 years, and as such in considering GDPR we need to be thinking about processes and systems which will be fit for the next 20 years.
Gary is an educator with a passion for educational technology, combined with experience working in primary, secondary, further education, higher education and international schools. He is also currently a Microsoft and Google Certified Educator and a Microsoft Innovative Educator Expert. Find him on Twitter at @garyhenderson18 and read his blog at techandlearning.wordpress.com.