GDPR’s six principles
If it is all starting to sound quite complicated, the good news is that GDPR can be summarised as six principles for how companies and organisations should use personal data.
Personal data should be:
Processed fairly, lawfully and in a transparent manner.
Used for specified, explicit and legitimate purposes.
Used in a way that is adequate, relevant and limited.
Accurate and kept up to date.
Kept no longer than is necessary.
Processed in a manner that ensures appropriate security of the data.
Controllers and processors
While these terms may sound like they refer to warring factions in a sci-fi film, they are in fact the terms used in GDPR to describe the two parties that can be involved in processing personal data.
If you are a school, you are usually a controller.
Controller: the data controller is the person or organisation who decides what data is extracted, what purpose it’s used for and who is involved in the processing.
Processor: the processor is responsible for processing the data on behalf of the controller. Processors must maintain records of the personal data being processed and the means by which it is processed. They can be held legally responsible for a breach. Processors typically used by schools range from photographers and shredding companies to online learning platforms. For each one, the school must have the necessary paperwork in place.
“If a school engages with a third-party piece of software, the school has got to have their own data processing agreement [for that use],” says Jonathan Harrex, DPO and information security specialist at thinkdpo.com. “The third party’s is not going to be sufficient because the school is the data controller and it has got to determine how the data is processed.”
Records of processing
As part of GDPR’s emphasis on evidencing compliance, schools are required to record every point where the processing of personal data takes place. This could be a large job, but the record doesn’t need to be overly complex.
“It’s just capturing how the processing takes place,” says Harrex. “You need to record what you’re doing, what the systems are, whether there’s any third-party contracts, how it’s designed and whether it’s subject to a Data Protection Impact Assessment (DPIA). All organisations processing data are accountable for that data being processed and they have to be able to demonstrate their compliance if questioned.
“If you’re then processing special categories of data, then you need to look at the risks processing that data presents by using the DPIA and if necessary increase your controls.”
For more on records of processing, see how to become compliant.
More on data protection impact assessments (DPIA)
What is classed as personal data?
Personal data is defined by the ICO as “any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier”.
Personal data could range from pupils’ grades and attendance records to more sensitive information, such as biometrics.
“A lot of schools are now turning to a lot of things like biometrics in order to keep track of what’s happening in their schools,” says Claire Williams, an information and cyberlaw specialist from law firm Mills & Reeve. “You’ve got to think very carefully about legal basis before you start using that kind of data.”
This ‘special category data’ is subject to a list of conditions for processing because, according to the ICO, “this type of data could create more significant risks to a person’s fundamental rights and freedoms. For example, by putting them at risk of unlawful discrimination.”
As well as satisfying the lawful bases for processing that apply to personal data, you must also identify additional conditions for special category data.
There are additional conditions for processing both special category (or sensitive) data and criminal offence data.
What is a lawful basis for processing data?
You can only process personal data if there is a legal basis for doing so. GDPR lists six lawful bases for processing personal data. This effectively replaces the previous ‘conditions for processing’ stated in the DPA, but schools now need to determine their lawful basis before processing personal data.
“Schools and other organisations are going to have to think a bit harder about the parameters of each of these legal grounds and exactly whether or not they do apply to the processing that is going on,” says Williams. “Because for each bit of processing you do you’ve got to hang your hat on a particular legal ground and you can’t change your mind later.”
The legal basis you use to process data should be included in your record of processing.
The six legal bases:
Consent: the individual has given consent for you to process their personal data for a specific purpose
Contract: the processing is necessary for a contract you have with the individual
Legal obligation: the processing is necessary for legal reasons
Vital interests: the processing is necessary to protect someone’s life
Public task: the processing is necessary for you to perform a task in the public interest
Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data that overrides those legitimate interests.
Data subjects and the rights of the individual
One of the major changes from the previous legislation is that the rights of the individual (or data subject) have been expanded. Previously, an individual could ask a school to produce a copy of all the data held about them. Now, the school could also be asked to delete all that data or to produce it in a portable format, and the individual can withdraw any previously given consent.
Subject rights under GDPR are:
The right to be informed
The right of access
The right to rectification
The right to erasure
The right to restrict processing
The right to data portability
The right to object
Rights in relation to automated decision making and profiling.
What an individual can ask for will depend on what their data is being used for, so understanding the lawful basis is closely linked to responding to requests from individuals.
“The exercising of rights is built on the lawful basis,” says Harrex, “because the lawful basis dictates what you can and can’t do.
“If you take, for example, your processing of data for pay then your rights with regards to that data are governed by anything to do with income tax regulations, so someone couldn’t ask for it to be erased because it is being processed under the lawful basis of legitimate interest.”
A developing picture
So there you have it. Admittedly, it is a significant change for schools, but all the experts agree that it should not be too onerous once you get your head around it.
Do check out our guides on what GDPR means for schools and how to be compliant. Also, check out the full range of Tes guides and tutorials we are producing to help your school manage the transition to GDPR, launched 5 March on the Tes School Portal.
And remember: after 25 May, the picture on how GDPR will be enforced will become much clearer - regularly checking these pages will ensure you are fully up to date with any changes that occur.