Department for Education data protection compliance toolkit: the toolkit and privacy notices

In this second briefing, we focus on one of the most critical tools that schools need to be taking a look at and updating – privacy notices. Here are some hints as to how to achieve the best possible level of transparency without overwhelming anyone looking to understand the arrangements you have in place.

The DfE has issued a toolkit to help schools take their preparations to a conclusion. In our first briefing we explained the importance of getting processes right – time may not be on your side and whilst no formal reprieve from meeting deadlines exist, there are many reasons why delays will be understood and, hopefully recognised – particularly if you are doing the tasks involved with great care and attention to detail.

You can find our first briefing here.

All schools will know that they must have privacy policies in place by 25 May 2018. The vast majority of schools will, of course, already meet this requirement and will set out how it handles personal data through a notice displayed on its website. But there is much more to this subject, as the toolkit explains and as we elaborate in this briefing.

For the long term, you will find that different privacy statements need to be provided in different circumstances. Always keep in mind that your objective, in setting out information, is to communicate with actual and potential data subjects about their personal data. The information you provide must always be calculated to guide and reassure the reader about personal data management. The information must be set out in an easy to understand form.

Take a look at ICO’s draft guidance as to how issues involving children’s data should be managed. That guidance (still in draft form) points out that children’s rights in relation to their personal data are no different to an adult – save of course that for younger children. You are also told to make your privacy notices understandable by a child as well as an adult. We say more about that below.

Not all privacy notices should or need to be displayed on the website – those relating to staff can quite conveniently be placed on the staff noticeboard. But web is by far the most obvious location for most privacy notices.

What is important is giving the information ahead of you receiving the personal data.  So when you send out an application form for a job, make sure that it includes a privacy policy statement.  Don’t send it with the acknowledgement of receipt of the CV!

When you look at the template privacy notice for use on the web, what should you be thinking about in particular?  Your starting point will probably be the DfE templates available here.

Five key points to keep in mind

Here are our five key points to keep in mind. We have assumed that you have already developed an understanding of the personal data you hold.

Make clear who you are – we all refer to “schools” as a term that pupils, parents and staff understand have the access to the personal data.  In legal terms however, it is important to be very clear about who is responsible if something should go wrong.  In the case of a maintained school we are talking about the governing body being the responsible party. For a Single Academy Trust or a Multi Academy Trust school we are talking about the Trust itself.  Make clear that it is the Trust that is publishing the privacy notice and give full details of its address for contact purposes. Make sure details of the Data Protection Officer are included.

Specify in as much detail as possible what you hold – particularly reflect “special category data” (the law prescribes certain types of data as sensitive and requiring special care). Remember (as helpfully suggested by the guidance) that you can actually extend what your organisation considers to require  special care and security by adding in other education-specific categories of data that the European Union did not think about when drafting the GDPR.  Thus you might want to, in addition identify, pupil premium, free school meals and assessment information when linked to an individual pupil.

Remember that you can and should update your policy as circumstances change and you realise you have more data than you previously thought you had.  The notice should be a living document and be republished in line with other developments in the use of personal data.

Make clear why you are entitled to process the personal data – for most of your activities it will be for purposes of performing tasks in the public interest, but there will be other grounds available to you to provide authority for your actions. Annex 4.1 to the toolkit provides a helpful summary. Relevant examples we can suggest would include:

• You rent out a caretaker cottage commercially. Rent arrears need to be pursued. You pass details on to a debt collection agency. This is lawful under legitimate interests – you are entitled to secure payment and if the money is properly due the data subject is not disadvantaged when you balance interests between the two of you;
• You work with a provider of education apps and pass on information to allow individual user accounts to be set up. This is a “nice to have” addition to your provision of education – not strictly necessary and, therefore, you would make sure you have secured consent to pass on the data;

Make sure your Privacy Notice is accurate, reads well and is easy to understand. We believe this is by far the greatest challenge that GDPR presents. A new level of sophistication will be expected in the way that notices are drafted and published.  For education, the notice will need to encapsulate a wide variety of circumstances in which personal data is held, processed, make available and even transferred to other organisations.

As we can see from the guidance, ICO is very keen that the information provided is easy to understand. It will need to be accessible. Most readers will not wish to read the entire document to find what they are looking for – providing a route map within the document to allow the reader to move around the document easily should bring you some compliments!

Engaging someone within your organisation in the overall design of the document will be useful – the use of icons and other graphics alongside the text is an emerging area. A privacy notice may in time be not far removed from a work of art – but still meet the legal requirements expected of it.

At Ward Hadaway we are working hard on the issue of good quality and compliant privacy notices. We plan to provide our clients with an early version of an easy to adopt document shortly.

In our next briefing….

We tackle how to effectively secure Governing Body or Board buy-in to the importance of data protection compliance.

In the mean time, press on with preparation. If you have urgent questions at this stage, please contact Frank Suttie.