Data protection in colleges: Avoid the legal pitfalls
In recent statistics published by the Information Commissioner's Office (ICO), the education sector has the third highest number of data protection breaches after the health sector and local government. The full statistics are available on the ICO's website.
A variety of different breaches are reported to the ICO, the most common being the loss or theft of paperwork. Sending an email to the wrong address is easy to do and is another commonly reported breach. Given the high number of data protection breaches within the education sector, it is important to ensure that your organisation has appropriate measures in place in order to comply with the Data Protection Act 1998 (DPA).
These statistics show how important it is to have data protection procedures and strategy in place.
It is important to remember that the definition of personal data is very broad. It includes any data relating to living individuals who can be identified from that data, together with other information in the possession of, or likely to come into the possession of, a data controller. A data controller is a person who decides the purpose and manner in which personal data is to be processed. In the education sector, personal data could include items such as dates of birth, names, exam results and medical records. If you do hold medical records within your organisation, you must be aware that such information satisfies the definition of sensitive personal data and brings with it heavier restrictions for the data controller. In most cases, anyone processing data as a data controller must notify and register with the ICO.
With an equally broad definition, the processing of data encompasses such a range of actions, including collecting, retaining or disposing of data, that handling personal data in any manner is likely to fall within the definition of processing. If any of your data is handled by a third party on your behalf or with your permission, it is still ultimately your responsibility to ensure compliance with the relevant data protection laws, so having a written agreement addressing data processing and the protection of data is advised. Whether you have third parties handling data or not, the importance of internal training on data protection and how to avoid breaches cannot be overstated, and such training is encouraged in all organisations.
The DPA sets out 8 data protection principles that must be adhered to in order to avoid a breach of the DPA.
1. Personal data must be processed fairly and lawfully;
2. Personal data must be obtained for lawful purposes and not processed in a manner which is incompatible with those purposes;
3. Personal data must be adequate, relevant and not excessive in relation to the purposes for which it is processed;
4. Personal data must be accurate and kept up to date;
5. Personal data must not be retained for longer than is required;
6. Personal data must be processed in accordance with the rights of the data subjects under the DPA;
7. Appropriate technical and security measures must be taken to prevent unauthorised or unlawful processing, accidental loss of, destruction of or damage to personal data; and
8. Personal data must not be transferred outside the EEA unless the country ensures an adequate level of protection for the rights of the data subject in relation to the processing of personal data.
In addition to the information above, we have highlighted some key points of particular relevance to the education sector. Please read and consider the following:
- Putting a 'fair processing' or 'privacy notice' in place is one way of processing personal data fairly, and such a notice should be provided to parents.
- Staff and employees should be restricted so that they only handle personal data they need to perform their role.
- Students and pupils, or their parents on their behalf, have a right to see the information you hold about them and can make a subject access request. It is important to have appropriate internal procedures in place to deal with subject access requests within the required time frame, i.e. within 40 days of receipt.
- When sharing personal information, you should always ensure that you are allowed to share it, adequate security is in place to protect it and that you have advised the data subject of the fact that you will be sharing personal information, for example, within the privacy notice.
- Ensure you inform students of exam results before you publish them in local newspapers or other public media.
- Always remember to carefully consider the method of transfer, for example, ensuring that it goes to the correct email address. When sending circular emails to parents, 'bcc' them so that their email addresses are not disclosed to one another, as this would amount to a breach of the DPA.
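The last point above is one of the few in this list that can be enforced mechanically. The following is an added example, not code from the article or its author, showing how a circular email to parents can be assembled so that the parent addresses never appear in any header (they are passed only as SMTP envelope recipients), together with a pre-send check that would catch the common mistake of listing every parent in 'To'. The addresses and the `build_circular`, `build_circular_wrong`, `disclosed_recipients` and `safe_to_send` names are constructed for the example.

```python
"""Added example: building a circular email so that recipient addresses
stay out of the message headers, plus a pre-send disclosure check.
All addresses below are constructed sample values."""
from email.message import EmailMessage
from email.utils import getaddresses


def build_circular(sender: str, subject: str, body: str,
                   recipients: list[str]) -> tuple[EmailMessage, list[str]]:
    """Return (message, envelope_recipients).

    The parent addresses are deliberately NOT written into any header. Even a
    'Bcc' header is risky if it survives into the sent copy, so the addresses
    are only returned as the envelope list, which is what you hand to
    smtplib.SMTP.send_message(msg, to_addrs=envelope) or SMTP.sendmail().
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender  # the only visible recipient is the sender itself
    msg["Subject"] = subject
    msg.set_content(body)
    # Deduplicate while preserving order; these are envelope recipients only.
    envelope = list(dict.fromkeys(recipients))
    return msg, envelope


def build_circular_wrong(sender: str, subject: str, body: str,
                         recipients: list[str]) -> EmailMessage:
    """The mistake the article warns about: every parent listed in 'To'."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def disclosed_recipients(msg: EmailMessage) -> set[str]:
    """Every address a recipient could read from the To/Cc/Bcc headers."""
    headers: list[str] = []
    for name in ("To", "Cc", "Bcc"):
        headers.extend(str(h) for h in msg.get_all(name, []))
    return {addr.lower() for _, addr in getaddresses(headers) if addr}


def safe_to_send(msg: EmailMessage, sender: str) -> bool:
    """True when the only address visible in recipient headers is the sender's."""
    return disclosed_recipients(msg) <= {sender.lower()}


# Constructed sample data for a stand-alone run.
SENDER = "admissions@college.example"
PARENTS = ["parent.one@example.com", "parent.two@example.com",
           "parent.one@example.com"]  # duplicate on purpose

if __name__ == "__main__":
    msg, envelope = build_circular(SENDER, "Term dates", "Dear parent, ...", PARENTS)
    print("headers safe:", safe_to_send(msg, SENDER), "envelope:", envelope)
    bad = build_circular_wrong(SENDER, "Term dates", "Dear parent, ...", PARENTS)
    print("headers safe:", safe_to_send(bad, SENDER), "leaks:", disclosed_recipients(bad))
    # Actual sending is left out so the example runs offline:
    # with smtplib.SMTP("mail.college.example") as s:
    #     s.send_message(msg, to_addrs=envelope)
```

Wiring `safe_to_send` in as a gate before the send call turns the 'bcc' rule from a reminder into a check that blocks the message when any parent address has crept into a visible header.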
Data protection is an important issue, and with simple steps and procedures it is possible to minimise the number of breaches and ensure compliance with the DPA. Please seek legal advice if you require more information or assistance with data protection and the issues surrounding it.
Nora Grassmair is a solicitor at Thomas Eggar, the law firm