08 June, 2017
For schools and colleges to serve their purpose, personal data of your pupils and students is an important asset. By providing various education and vocational courses you will be processing your pupils' and students' personal data and in some cases sensitive personal data. You are also likely to process personal data of your employees, consultants, sub-contractors and the list goes on. Any personal data you hold on your system and anything you do with it including deletion is likely to constitute processing. So are you complying with existing legislation and are you ready for changes to come?
The Data Protection Act 1998 (the Act) currently sets out the key obligations a business, public authority or charity (otherwise known as the data controller) has in relation to processing personal data. Data is all recorded information, whether held in an email, an image or a recording. Personal data is any data relating to an individual who can be identified, whereas sensitive personal data covers certain protected characteristics as defined in the Act. Processing is widely defined to include anything you do with the data, such as obtaining, recording, analysing or sharing it.
The Act contains a number of principles which you must abide by when processing personal data, such as:
Failure to comply with these principles can result in the Information Commissioner's Office (ICO) taking action against a data controller by ordering disclosure in the context of a subject access request, issuing a monetary penalty notice of up to £500,000, and bringing criminal prosecutions against individuals for certain offences. In addition, a data controller is likely to face adverse publicity and reputational damage, with the potential for additional regulatory action from other regulators and for compensation being sought by affected individuals.
Alongside the Act there are specific privacy obligations relating to electronic communications set out in the Privacy and Electronic Communications Regulations (PECR). These set out specific rules on:
The ICO's enforcement powers for non-compliance with PECR include criminal prosecution, non-criminal enforcement and audit, as well as monetary penalty notices imposing a fine of up to £500,000.
PECR originates from the e-Privacy Directive, although at the European level the process of replacing that Directive with an ePrivacy Regulation has begun. This means that PECR is also due to change, with a target date for implementation of May 2018, alongside the General Data Protection Regulation (GDPR).
The GDPR, due to be introduced in May 2018, is set to make changes to the Act. Such changes include enhanced:
The ICO has started issuing guidance on how businesses and organisations can begin to prepare. A recent consultation by the ICO focused on obtaining consent, as the GDPR sets a high standard of consent whereby data subjects are offered genuine choice and control over how their data is used. Further guidance is likely to be issued in the run-up to the GDPR entering into force, and the Government has confirmed that it will enter into force despite Brexit.
The ICO's enforcement action is wide-ranging and has recently included:
These recent developments are a reminder that if, as an educational provider, you are processing personal data as a data controller under the current data protection regime, you have a range of obligations to meet. This includes ensuring you have processes in place to prevent data breaches, respecting privacy rights in marketing communications, and responding to requests for personal data in the form of a subject access request. Even if your focus is specific, such as the provision of education or vocational training, you must ensure that what you are doing in relation to processing is within the law. Preparing for the GDPR is important, although this must be done in accordance with the current rules, as failing to respect the current rules can in itself result in enforcement action.
Forbes Solicitors provides advice in relation to a range of data protection matters from responding to subject access requests to reviewing policies and procedures and providing in-house training. We will also be holding information sessions regarding preparation for GDPR compliance which will be published on our website. If you have any questions about data protection compliance under the current rules, the GDPR or ePrivacy Regulation, please contact Daniel Milnes.