28 January, 2021
December was a busy month for those involved in data protection compliance. Therefore, we've set out a short summary of the most relevant updates for our education clients.
As you will no doubt have heard, the UK and the EU reached a trade and cooperation agreement on Christmas Eve. That agreement granted a further six-month extension for personal data transfers from the EU to the UK without the UK being considered a third country. This extension to the transition period will allow further time for the UK and the EU to negotiate an adequacy decision, which if granted, will allow the continued free flow of data from the EU to the UK. Therefore, any data transfers to or from the EU can continue without any additional compliance required for the time being.
That said, an adequacy agreement by the end of June is not guaranteed and therefore education providers should take steps now to put in place alternative transfer mechanisms (e.g. Standard Contractual Clauses), to safeguard against any interruption to the free flow of EU to UK personal data at the end of this 6 month extension period.
Education providers will also need to update any statutory references in their policies and procedures to reflect that the UK is now subject to the 'UK General Data Protection Regulation'.
At the end of December, the ICO published its finalised Data Sharing Code of Practice. This Code of Practice has been introduced following a consultation exercise which began in July 2019. The long-awaited Code of Practice, provides practical guidance to organisations about how to lawfully share personal data.
The Code of Practice addresses many aspects of the UK GDPR and the Data Protection Act 2018 including transparency, lawful basis' for processing personal data, the accountability principle and the requirement to record processing activities. The Code of Practice also provides case studies, checklists and template forms to assist organisations in sharing personal data.
Having responded to the ICO's consultation of the Code of Practice back in September 2019, we are pleased to see that some of the points we raised have been addressed in the final code. This included expanding the sections on 'Data Sharing and Children' and 'Data Sharing in an Urgent or in an Emergency Situation'.
The Code of Practice will provide invaluable guidance to education providers in how to share data lawfully. The Code makes clear that data protection law does not prevent organisations from sharing personal data where necessary, including where this is to safeguard and promote the welfare of children at risk of abuse or neglect. There is specific provision in data protection law for such situations and the Data Protection Act 2018 includes the 'safeguarding of children and individuals at risk' as a condition for processing special category data in the public interest.
A copy of the Data Sharing Code of Practice is available to view at - Data sharing: a code of practice | ICO
The ICO has also this month announced that it has successfully prosecuted an individual for breaches of data protection law. The ICO brought proceedings against an employee working for RAC, who had transferred personal data to an accident claims management firm without the authorisation of RAC.
An investigation by the ICO found that concerns were raised by a fleet management company who complained that one of its drivers was receiving nuisance calls about an accident he had been involved in. The fleet management company suspected that there had been a data leak from RAC as they had recovered the vehicle after the accident. After being notified of this concern, RAC conducted an investigation and found that an employee had been compiling lists of data of those involved in accidents and sending them to the director of an accident claims management firm. Nuisance calls were then made to those individuals on the list.
The employee received eight months' imprisonment, suspended for two years after pleading guilty to conspiracy to secure unauthorised access to computer data. In addition, both the employee and the director of the accident claims management firm were each ordered to carry out 100 hours unpaid work and contribute £1,000 costs. Finally, a Confiscation Order, under the Proceeds of Crimes Act, was made in which the employee must pay a benefit figure of £25,000 and the director must pay a benefit figure of £15,000. Both individuals will face three months' imprisonment if the benefit figures are not paid within three months.
This prosecution shows the severe consequences of breaching data protection law and the action that can be taken against employees who break the law. The employee involved has now lost their employment, received a criminal record, has to pay a large fine and faces imprisonment if they are unable to pay the fine or fail to comply with the terms of the court order.
Whilst the actions of this employee may be extreme, it is applicable to employees of education providers as they also have access to a large amount of personal data. This prosecution will be a useful demonstration in training exercises to demonstrate how personal data must only be used for the purposes for which it was obtained and that a failure to do so can result in severe personal consequences.