Data Protection: Existing Compliance and Preparing for GDPR

Article

08 June, 2017

For schools and colleges to serve their purpose, the personal data of your pupils and students is an important asset. By providing various education and vocational courses you will be processing your pupils' and students' personal data and, in some cases, sensitive personal data. You are also likely to process the personal data of your employees, consultants, sub-contractors, and the list goes on. Any personal data you hold on your systems, and anything you do with it (including deletion), is likely to constitute processing. So are you complying with existing legislation, and are you ready for the changes to come?

Existing compliance

The Data Protection Act 1998 (the Act) currently sets out the key obligations a business, public authority or charity (otherwise known as the data controller) has in relation to processing personal data. Data is all recorded information, whether in an email, image or recording. Personal data is any data relating to an individual who can be identified, whereas sensitive personal data is data about certain protected characteristics as defined in the Act. Processing is widely defined to include anything you do with the data, such as obtaining, recording, analysing or sharing it.

The Act contains a number of principles which you must abide by in processing personal data such as:

  • Processing fairly and lawfully;
  • Processing for specified purposes;
  • Only processing relevant data;
  • Not retaining data for excessive periods;
  • Respecting individual rights;
  • Having appropriate security measures in place; and
  • Not exporting personal data to countries without appropriate data protection safeguards.

Failure to comply with these principles can result in the Information Commissioner's Office (ICO) taking action against a data controller by ordering disclosure in the context of a subject access request, imposing a monetary penalty notice of up to £500,000, and criminal prosecution of individuals for certain offences. In addition, a data controller is likely to face adverse publicity and reputational damage, with the potential of additional regulatory action from other regulators and of compensation being sought by affected individuals.

Alongside the Act there are specific privacy obligations relating to electronic communications set out in the Privacy and Electronic Communications Regulations (PECR). These set out specific rules on:

  • Marketing calls, emails, texts and faxes;
  • Cookies;
  • Keeping communication services secure; and
  • Customer privacy as regards traffic and location data, itemised billing, line identification and directory listings.

The ICO's powers for non-compliance include criminal prosecution, non-criminal enforcement and audit, as well as monetary penalty notices imposing a fine of up to £500,000.

PECR originates from the e-Privacy Directive, and at European level the process for a replacement ePrivacy Regulation has begun. This means that PECR is also due to change, with a target implementation date of May 2018, alongside the General Data Protection Regulation.

New obligations - General Data Protection Regulation

The GDPR, due to be introduced in May 2018, is set to make changes to the Act. Such changes include:

  • enhanced rights for individuals, including erasure, rectification, restriction of processing, data portability and the right to object;
  • specific rights for children, which is particularly relevant for schools and colleges;
  • a requirement for data controllers to have in place comprehensive but proportionate governance measures relating to the processing of personal data, and to be able to demonstrate compliance;
  • direct compliance obligations on data processors, who may become liable to pay fines for non-compliance;
  • data protection by design and default when designing new products and/or services;
  • privacy impact assessments (which will be obligatory in certain circumstances);
  • notification of data breaches immediately, and no later than 72 hours after having become aware of the breach, unless the breach is unlikely to result in a risk to an individual's rights and freedoms; if notification is made later, a reasoned justification must be submitted;
  • a requirement for some organisations to appoint a Data Protection Officer;
  • strengthened enforcement, with maximum fines increased to up to 2% of annual worldwide turnover of the previous financial year or €20 million (whichever is greater).

The ICO has started issuing guidance on how businesses and organisations can start to prepare. A recent consultation by the ICO focused on obtaining consent, as the GDPR sets a high standard of consent whereby data subjects are offered genuine choice and control over how their data is used. Further guidance is likely to be issued in the run-up to the GDPR entering into force, and the Government has confirmed that it will do so despite Brexit.

Recent developments

The ICO's enforcement action is wide ranging and recently it has included:

  • Norfolk County Council was fined £60,000 for leaving files that included sensitive information about children in a cabinet sent to a second-hand shop;
  • Honda and Flybe were fined a total of £83,000 for sending marketing emails aiming to clarify customers' choices to receive marketing, contrary to the requirements of PECR;
  • 13 national charities (including Cancer Research UK, Oxfam, the Guide Dogs for the Blind Association, NSPCC, WWF-UK, the British Legion and others) were fined individually for their charity fundraising practices going back as far as 2003. Their practices, which were contrary to PECR, included sharing personal data with other charities irrespective of charitable cause, ranking individuals based on wealth, and finding information about donors that they had not provided, affecting in some cases thousands of people and in others millions;
  • A former clerical officer was prosecuted for accessing the sensitive medical records of two individuals, who were estranged family members, without the consent of the data controller;
  • Davies Brothers (Wales) Limited was ordered to respond to a subject access request after the ICO found that it had failed to comply with the requirements of section 7 of the Data Protection Act 1998.

These recent developments are a reminder that, as an educational provider processing personal data as a data controller under the current data protection regime, you have a range of obligations to meet. This includes ensuring you have processes in place to prevent data breaches, respecting privacy rights in marketing communications, and responding to requests for personal data in the form of subject access requests. Even if your focus is specific, such as the provision of education or vocational training, you must ensure that your processing is within the law. Preparing for the GDPR is important, but this must be done in accordance with the current rules, as failing to respect the current rules can in itself result in enforcement action.

Forbes Solicitors provides advice in relation to a range of data protection matters from responding to subject access requests to reviewing policies and procedures and providing in-house training. We will also be holding information sessions regarding preparation for GDPR compliance which will be published on our website. If you have any questions about data protection compliance under the current rules, the GDPR or ePrivacy Regulation, please contact Daniel Milnes.
