Data protection by design and default is a key feature of the General Data Protection Regulation (GDPR), which comes into force in May 2018.
There are several articles in the GDPR that focus on data protection by design and default and that have implications for schools.
The articles are:
- Article 25 (Data protection by design and default).
- Article 24 (Responsibility of the controller).
- Article 32 (Security of processing).
- Article 35 (Data protection impact assessment).
- Article 39 (Tasks of the Data Protection Officer).
They contain references to proportionate organisational and technical measures to ensure a level of security appropriate to the risk of the processing activities. An assessment of the key clauses, and an interpretation of them within an operational school environment, is required to understand their practical operational impact.
For example, Article 35 (Data protection impact assessment) sets out that, where processing uses new technology (this could be software, hardware, cloud or another system) and is likely to present a high risk to the rights and freedoms of natural persons, a data protection impact assessment (DPIA) should be considered.
The problem with this guidance is that you can only really determine whether there will be a “high risk” to the rights and freedoms of natural persons by completing a DPIA.
Furthermore, the regulation stipulates that the controller shall seek the advice of the Data Protection Officer (DPO) when carrying out a DPIA.
Obligation to provide access
In practice, schools should consider completing a DPIA when beginning to use any new system or implementing any type of IT project that will have an impact on or processes personal data.
Examples of this include a cloud-based curriculum application where individual logons are needed, the upgrade of servers, switches, laptops, PCs or wireless networks, or the installation of a new MIS platform.
In completing a DPIA, the school will need to seek advice from its Data Protection Officer on the potential impact of the processing activity. This means the Data Protection Officer is likely to need the skills or expertise to evaluate the risks associated with possibly complex IT software and systems.
If the Data Protection Officer does not have those skills or that expertise, Article 38 (Position of the Data Protection Officer) obliges organisations to provide access to the relevant resources.
Importantly, the Data Protection Officer, or those initially completing the DPIA (IT, for example), need to understand the principles of the GDPR, specifically risk, proportionality and operational and technical measures.
Formal training, such as 9ine's two-day or five-day courses, is therefore required.
On an ongoing basis, Data Protection Officers need access to resources such as professional HR, Legal, IT or data protection support.
9ine's GDPR Readiness Tool Kit sets out a process that can be used to complete a DPIA, and we can subsequently provide support on the assessment of DPIAs in accordance with the obligations of the GDPR. To find out how we can help you, contact us today.