The Government’s proposed Data Protection Bill, which will incorporate the General Data Protection Regulation (GDPR) into UK legislation, means that despite Brexit, organisations across a vast range of sectors, including education, will have to adjust their data protection strategies.
Organisations will have to be compliant with GDPR by 25 May 2018. Given the wide range of personal information processed by private providers, in particular sensitive personal data relating to children and vulnerable young adults, the need to prepare is particularly urgent.
Since the original data protection legislation, the Data Protection Act 1998 (DPA), came into force, the meteoric rise of social media and other developments in technology have led to vast amounts of personal data being processed.
The GDPR in part is an attempt to catch up with those gargantuan leaps in technology since 1998.
The GDPR will place greater emphasis on transparency and accountability, for example by requiring privacy statements that explain, amongst other things, the purposes for which private providers collect and use personal data, the legal justification for doing so, and any internal or external disclosures of that personal data.
For private providers and other educational institutions, which handle large volumes of learner data, this can prove particularly challenging.
Another significant requirement of the GDPR is the need to demonstrate compliance, even if the necessary data protection processes are already in place. This means producing data protection policies, codes of conduct and obtaining relevant certifications.
Ahead of the GDPR-implementation date, institutions should waste no time in conducting a thorough data protection audit.
Carefully considering these five key questions is a solid start:
- What personal data they hold
- Why they hold it
- How they get it
- What they do with it
- How long they keep it
Answering those five questions will help private providers to comply with the various new requirements such as providing detailed privacy statements and keeping a record of their processing activities.
The GDPR also creates a higher threshold of consent, where consent is the legal basis justifying the use of a person’s data. Consent must be freely given, specific, informed, unambiguous and capable of being easily withdrawn.
For consent to be valid, there must be genuine choice and control.
For example, relying on default settings or pre-ticked boxes during the student enrolment process as the basis for permission will no longer be sufficient to demonstrate valid consent.
Another key principle of the GDPR, ‘privacy by design and privacy by default’, places a responsibility on educational institutions to handle personal data in a way that protects learners’ privacy.
Adapting processes (whether technical or organisational) according to the sensitivity of different types of data, and placing a strong emphasis on data minimisation, for example by using codes instead of names, will help institutions achieve compliance.
The data protection officer, which is a statutory role, will be key in this process.
The GDPR introduces a new duty to document all personal data breaches.
Further, not only must institutions inform the Information Commissioner when a breach poses a risk to an individual, they must notify the individual as well, unless subsequent measures mean the risk is unlikely to materialise, or the data is unintelligible to others, for example because it is encrypted.
In addition to the obvious reputational damage likely to be incurred by private providers which fail to comply with the new data protection legislation, they may find themselves facing hefty financial penalties for breaches. The maximum fine for a reckless or deliberate data breach currently stands at £500,000.
Under the new regime there is a two-tiered system of fines, with maximum fines of €10m (or 2% of annual worldwide turnover) and €20m (or 4% of annual worldwide turnover).
The lower tier applies to breaches including failure to keep prescribed records and failure to ensure privacy by design and default.
The higher tier will apply to breaches relating to individuals’ rights and transferring personal data outside the EU without appropriate safeguards.
The quantum of the fine in either tier will depend on factors such as:
- Remedial steps taken
- Previous breaches
- Extent to which the institution has co-operated with the Information Commissioner.
The capacity for human error may mean that breaches are inevitable; however, it is imperative that they are reported internally and that remedial action is taken promptly.
Education is a caring profession and educators often want to comply with requests for information from a range of sources, many well-meaning.
Personal data, however, is not institutions’ sovereign property to disclose at will to anyone who seeks it.
Institutions are accountable to the individuals who have entrusted their personal data to them to ensure that disclosures are legally justified and fair.
The GDPR changes the way that personal data is dealt with, irrespective of Brexit, and those changes cannot be implemented by May unless preparation is made now.
Doing so will not only help institutions to comply with the law, it will enhance their business reputation.
Geraldine Swanton, Legal Director and Information Law Specialist at law firm Shakespeare Martineau.