The ICO have provided a range of updates and additional guidance since the last 9ine blog. In the last few weeks they have issued a consultation document on Children and the GDPR (see below), updated guidance on the lawful basis of processing for consent, vital interests, legal obligation and also given some useful definitions of what a personal data breach is. The following has been taken from the ICO website and is useful in helping schools understand more about the ‘why’ for the GDPR.
“A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data. In short, there will be a personal data breach whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable and this unavailability has a significant negative effect on individuals.” Source
“Recital 87 of the GDPR makes clear that when a security incident takes place, you should quickly establish whether a personal data breach has occurred and, if so, promptly take steps to address it, including telling the ICO if required.” Source
Essentially the GDPR is here to minimise the material or non-material damage that may give rise to:
- Identity theft or fraud
- Financial loss
- Damage to the reputation
- Loss of confidentiality
- Unauthorised reversal of pseudonymisation
- Any other significant economic or social disadvantage
Cyber and Data Security: Why such a big deal?
The average amount of time it takes our cyber security team from walking into a school (or even standing in the car park), connecting to the school network (without any credentials), and getting domain administrator rights (control of all your school systems and data) is 4.5 hours. This means having access to all personnel records, health records, MIS / SIS and financial information. Article 32 of the GDPR requires schools to understand the protections that are in place in order to limit the risks of unauthorised access to IT systems. Under the GDPR all organisations need to have documented the risks of access or breach to their IT systems and be taking proportionate action to mitigate those risks.
Every week we are seeing examples from organisations and government departments of raising the profile of potential cyber security risks and vulnerabilities. Only last week we saw the World Economic Forum identify that cyber security and data fraud is the third and fourth biggest threats to global stability. On the 10th January, the ICO announced a £400k fine to Dixons Carphone. This is £100k less than their maximum fine under the current legislation. Under the GDPR the equivalent fine could be in the tens of millions.
We see that about one third of the GDPR is on the protections organisations apply to data and cyber security. For each processing activity schools have to assess the security risks, assess the potential impact and likelihood, then put in place mitigating actions. Each processing activity also needs to be assessed against Article 32, with one of the requirements being for organisations to have in place a mechanism to regularly test, assess and evaluate the effectiveness of those protections. This is a service 9ine offers and something that is proving popular at the moment.
WHAT ELSE IS NEW?
GDPR and Children
The ICO has launched a very useful and interesting consultation document on the GDPR and children. We are advising all our school leaders to read this regardless of the geographic location of your school. The document discusses examples where processing activities may have a detrimental impact on a child’s behaviour, for example technologies that profile what a child is doing, say in an App. From this profile, the App will present information to the child that will seek to influence them to make a decision that they otherwise may not have chosen to make.
Within schools this makes for an interesting interpretation. We know of games-based learning Apps that are free. These Apps make their money through either selling the data of the performance of Children to other 3rd parties, or selling ‘advertising’ and other innovative practices to influence children to make decisions.
In visualising this, consider online gaming that many teens will be doing. In the virtual world of these games there is often in-game advertising, as part of the game, pertaining to real world products / services / films / locations. Such examples could be other games, films, food or drinks etc.
Where this has an impact on school is in the situation where the school, using tablets for example, is deciding on Apps for students to use and loading those on devices. By doing this the school may be inadvertently exposing children to the practices above and influencing the child to make decisions that they otherwise may not.
Importantly, this doesn’t mean that all schools should stop using tablets and the Apps they have on them. The ICO are raising awareness of these practices through their consultation paper encouraging the consideration of the risks of these practices against the rights and freedoms of children, whilst at the same time balancing “....the freedom of children to learn, develop and explore…” (ICO Consultation; Children and the GDPR December 2017).
The takeaway for schools is that during the data mapping process, an assessment needs to be made as to the Apps that are being decided to be used by teachers and the impact those Apps will have on the child. In doing so, the school will need to assess the Privacy Notice provided by the App developer and evaluate the risks via a Data Protection Impact Assessment (DPIA). Where the school is setting up, or directing a child to set up an account with the App provider, the school will also need to consider the lawful basis for processing and the inclusion of this within their own Privacy Notice.
Article 29 Working Party: Adopted Guidance on Consent
The Article 29 Working Party has adopted guidance on consent. This is outlined in a white paper, one that should be read by all those who are leading the GDPR compliance programme for their school.
This is important as all types of processing activity need to be associated with a lawful basis for processing. This applied to all digital and analogue (paper) records. To do this you first have to complete your data mapping, then evaluate which of the six lawful basis of processing applies. Consent is one lawful basis, with the others being:
- Necessary for the performance of a contract (E.g Fee contract for Independent / International Schools
- Necessary for compliance with a legal obligation to which the controller is subject (E.g Keeping Children Safe in Education, School Admissions Code 2014, Education (Pupil Registration) (England) Regulations 2006)
- Necessary in order to protect the vital interests (E.g life and death)
- Necessary for a the performance of a task carried out in the public interest
- Necessary for the purposes of the legitimate interests of the controller (Doesn’t apply to state schools)
Where you choose one of the above you will also need to evidence why you have chosen it. Furthermore you will need to include a description of all the processing activities your school undertakes and the lawful basis for processing within your Privacy Notice.
The ‘Admissions’ problem child
In the next few weeks and months schools will be going through an admissions, enrollment or re-enrollment process for students starting in August / September 2018. For these schools there is a risk that without having sufficiently detailed your processing activities, and without having identified your legal basis for processing, you cannot provide your students / parents with an accurate privacy notice.
In practical terms this means assessing your processing activities, drafting these clearly within a two layer privacy notice, then updating your application / enrollment forms, T&Cs and privacy notice accordingly.
For fee paying schools you will (most likely) want to link the processing activity of your school to the terms and conditions of the contract that is signed for each student. So long as the processing you are undertaking is necessary for you to deliver your side of the contract. By not doing this you are leaving yourselves needing to identify one of the other lawful basis of processing categories.
For state funded schools you may wish to consider linking your processing to a legal obligation (Art6(1)(c)), such as ‘The Education (Pupil Information) (England) Regulations 2005’ (for pupil records), or codes of conduct such as ‘School Admissions Code (2014)’.
The takeaway here is that you need to get on and start data mapping if you’ve not done so.
For any fee paying school seeking to rely on ‘legitimate interests’ rather than contractual, you’ll need to undertake a legitimate interests assessment as well. Better get data mapping to save you more paperwork if you’ve not yet started!
What’s new with 9ine?
Mark Orchison will be presenting ten separate presentations on the GDPR at BETT 2017. He is also available to meet and discuss anything GDPR or technology in Education. Please ‘Get in touch’if you would like to schedule any time.
How 9ine can help your school
Outlined below is a list of consultancy options. If you would like information on how we can help, get in touch.
- Consultancy support and advisory for schools in managing policy, process and procedure where data subjects invoke their rights under the GDPR.
- Assessing your IT systems for risks pertaining to the requirements within Article 32 - Security of Processing.
- Assessing the investment requirement in IT systems and services needed by your school to be compliant with Article 32.
- Supporting your school in compliance with Keeping Children Safe in Education 2016
- Undertaking simulated phishing campaigns to help your school to evaliat
- Digital learning - embedding the use of resources such as Microsoft Office 365 in Practice.