What Further Education colleges should know about data protection

Data protection is an important aspect of regulatory compliance.

FE Colleges will handle information about students, staff, prospective students and members of the public and must ensure that they comply with the Data Protection Act (DPA). The DPA includes obligations to ensure that personal data is handled fairly and is kept secure. If an FE College does not respect its obligations under the DPA then the fine can be as much as £500,000. FE Colleges will therefore be keen to ensure that their practices comply with the DPA.

Almost any information that relates to an individual such as their name, their date of birth and their payment history is caught by the DPA.

In this article, I explain ten of the most crucial points about data protection for FE Colleges to be aware of.

1. The importance of staff training, policies and procedures

Staff who lack awareness of data protection can make costly mistakes. These may include not keeping personal information secure or using it inappropriately. Every member of staff should attend training in order to prevent such costly circumstances from arising.

Training will enable staff to appreciate the data protection issues at play and what measures should be taken to minimise risk. Annual refresher training is encouraged. Staff should also be aware that they can be personally liable for some breaches of the DPA.

The training should cover the everyday data protection “dos and don’ts” such as the rules around information sharing (generally speaking the rule is that personal data should only be shared on a “need to know” basis) and information security (for example using encryption, double-checking fax numbers before sending confidential documents, etc.).

During training sessions, staff should be made aware of the content of your data protection policies and where to find them. Policies should contain practical examples of practices that are encouraged and discouraged for data protection reasons. Such policies can then act as practical guidance for staff to follow and can inform improved practices. Generic policies without guidance for staff are inadequate. It is even worse however if your policies have not been reviewed or indeed read for quite some time.

Further, policies should be updated to refer to any new practices and technology that you may adopt. Data protection policies should explain, in layman’s terms, what your FE College’s approach is to issues such as data security and sharing information outside of the college.

2. Who is responsible for Data Protection?

Colleges should appoint a data protection officer (DPO). This individual should be referred to in your data protection policies so that staff can ask questions of and refer data protection issues to the DPO. It is important that staff know who holds overall responsibility and accountability for data protection within your FE College.

The DPO should also take responsibility in terms of organising staff training, investigating any suspected information security breaches and keeping informed of best practice.

3. Marketing and promotion

When using personal information for marketing purposes there are additional rules that must be followed (both under the DPA and the Privacy Regulations).

Before using personal information such as students’ email addresses to aid marketing, FE Colleges should be clear on whether they are allowed to use this data for marketing and fundraising purposes. A first step is to make people aware that they may be contacted by you when their personal information is collected but there are extra obligations depending on the nature of the marketing activity (for example, prior consent is normally required before sending marketing emails). FE Colleges which market using purchased marketing databases should ensure that they are confident that the data was collected with consent to use it for marketing purposes.

4. Home-working and using devices such as smart phones and tablets

Increasingly, staff use and may even be encouraged to use personal electronic devices for college work. This is often known as “bring your own device to work” or BYOD. From a data protection point of view, this gives cause for concern as colleges have less control of the security and management of personal devices.

FE Colleges can minimise risk in a number of ways.

One option is to use secure remote access software. This is more secure than allowing staff to access web-hosted email systems such as Gmail to send work-related emails which often contain personal data. Secure remote access systems will improve your data protection compliance.

A further measure is to install device management software on devices used for work purposes such as smartphones issued by the College. This allows data to remain secure when staff use smartphones to access work-related emails and documents.

A lack of technical measures to keep data secure led the Information Commissioner’s Office (ICO) to fine a local authority £100,000 for allowing homeworking without protecting personal information.

5. Data protection audits

Conducting regular data protection audits is an effective way to prevent issues and to keep data protection practices up to date. The DPO may periodically conduct an audit or may choose to engage third parties such as a law firm to obtain an independent viewpoint. An audit should include interviews of staff and is a good opportunity to remind staff of their obligations.

An audit should take place whenever an FE College starts using personal data differently. For example, if you launch a new website, open a new office or start holding data in a new way then these events should trigger an audit.

Cloud storage is particularly concerning. While this allows individuals to access, edit and save work from anywhere and using several different devices it does present data protection concerns. For example, an employee could create a document on a PC at work, make changes on their smartphone on the train home and then finalise the document later that evening using a personal laptop. This may offer more flexibility but numerous access points can present more points at which data protection problems can arise.

Before storing information in the “cloud”, FE Colleges should carefully consider the data security implications. Cloud storage services which require that devices remain ‘logged in’ can cause security issues. Of equal concern are services which automatically share documents, which may often contain personal data, over the internet.

FE Colleges should be aware that they may be liable for the acts and even omissions of contractors that they engage to handle personal information on their behalf. Contracts with organisations such as IT contractors and payroll providers should contain robust data protection wording that ensures compliance. In my experience the wording used is usually inadequate. You should also monitor, review and audit your contractor’s compliance with the DPA on an ongoing basis and during audits.

6. Privacy notices and the right to know

The DPA gives individuals the right to know how information about them is used by your FE College. The obligation is on you to tell people how you use their personal data.

Organisations usually discharge this duty by displaying a document known as a privacy notice on their website and in any welcome pack given to students or employees. This notice needs to explain in layman’s terms how you use the personal information that you hold. It is important to make the privacy notice available to anyone who requests information about themselves including employees and members of the public.

7. Subject access requests

Under the DPA, people have a right to ask for and receive the personal data that you hold about them. A request for the information that you hold about someone is known as a subject access request (SAR).

SARs are often made for tactical reasons such as to attempt to force disclosure of information which may assist in an employment tribunal or in litigation. While there are exemptions to disclosure of some information, a SAR must be answered and responded to.

Staff and governors should also note that there is no exemption for “embarrassing” emails. Staff should be warned that unprofessional and insulting comments made via email may have to be disclosed following a SAR. The general rule is if it exists then it may have to be disclosed so discretion should be the watchword.

SARs are a highly specialised area of law and can present a real burden for an uninformed FE College.

8. Insurance

FE Colleges should check whether their existing insurance policies cover data protection risks as ICO fines or the costs of complying with a mismanaged SAR can be extensive.

Insurers now offer “cyber insurance” which covers information security risks including hacking and data theft. FE Colleges should consider taking out such insurance.

9. Disclosing information to third parties

Under related legislation, The Freedom of Information Act (FOIA), individuals have a right to request information held by public bodies. FE Colleges should therefore be aware that their dealings with public bodies may be subject to disclosure following a FOIA request to that public body.

Similarly, a SAR to a third party that your FE College may contract with or share information with can result in information that you have shared with them being disclosed.

10. Registration with the ICO

An FE College that processes personal data such as student names and contact details is a data controller and will usually have to register with the ICO (although some institutions are exempt). Most colleges only need to pay £35 to register with the ICO but some may need to pay a higher fee of £500.

Processing data without registering with the ICO is a criminal offence. It is also an offence not to keep the register updated.

Andrew Gallie is a senior associate specialising in data protection and information law at leading education law firm Veale Wasbrough Vizards. He can be contacted on 0117 314 5623 or at [email protected]