Data Protection Compliance in Schools: ICO Issues New Guidance

The Information Commissioner’s Office (ICO) has recently undertaken a survey of schools and concluded that schools need to do more to satisfy data protection laws.  The ICO has produced new guidance, which schools will have to consider seriously and take steps to meet.

One of the recommendations is that schools need to be clearer in notifying pupils, members of staff and visitors about the use of CCTV.  With many schools now installing CCTV systems there is a need to recognise that the processing of these images falls within the scope of the Data Protection Act.  It is important to ensure that the CCTV systems are installed for an appropriate and legal purpose, ensuring that there is no unnecessary invasion of privacy.  Policies ought to be in place to deal with the handling of the images, for example deciding what is to be recorded, how long the images are to be kept, how the images should be used and to whom they may be disclosed.

Much of the data stored by schools is confidential and one of the fundamental data protection principles requires adequate IT security to avoid unauthorised or unlawful processing of the data and accidental loss or damage.  This is probably one of the most important areas for schools and during the course of its survey the ICO found that about a third of the schools interviewed believed that passwords protecting computer systems would not necessarily be strong passwords or that there would not be prompts to change them regularly.  A few schools said all their portable devices were encrypted, while a few said none of them were: unencrypted laptops and storage media have been the basis of many recent actions by the ICO against public bodies.

Breaches of data protection legislation could lead to a school incurring a fine and serious damage to its reputation.  It is essential to ensure there are robust IT security measures in place to prevent security breaches or limit the damage if they do occur.

The ICO has reiterated the need to avoid unauthorised or unlawful processing of the data when it comes to disposal.  The ICO stresses that the disposal of data ought to be carried out in such a way as to reduce the risk, as much as possible, of unauthorised access or unlawful processing.  It is important to remember that even where the disposal of data is carried out by another company, the school (as the data controller) will still be responsible for any breaches of the Data Protection Act.

Forbes Solicitors regularly advises schools and other public and private bodies on all aspects of data protection and can help with the areas highlighted by the ICO in its guidance.  If you require any advice or assistance in relation to the Data Protection Act and its enforcement please contact Daniel Milnes.

Daniel Milnes

About Daniel Milnes

Dan is a Partner and Head of Contracts & Projects. Dan’s blogs cover the areas in which his specialities lie: commercial, regulatory and governance law, covering a broad range of matters dealing with contracts, projects, corporate and group structures, funding and compliance with a range of legal regimes including data protection. This also involves writing and advising on various forms of commercial contracts including joint ventures, development and construction agreements and intellectual property contracts including IT agreements, sponsorships and other rights licensing arrangements.