GDPR is a hot topic these days and there is a lot of information doing the rounds. The new regulations come into play in May 2018, yet here at RecordLink we still regularly talk to schools who have made little or even no headway in making any preparations. Awareness is most definitely one reason behind this, and “GDP what?” is not an unheard-of phrase.
If you’re reading this you’ve heard of GDPR, and chances are that if your current methodologies are DPA 1998 compliant you’ll be more than halfway there. Each and every school in the UK will have to conduct a gap analysis to understand exactly where their existing policies fall short before plotting out the change requirements needed to meet the new regulations. Any organisation falling short will be at risk of severe financial penalties that could reach 4% of budget or £20m.
Before embarking on such a project it’s only natural to question if it’s absolutely necessary. Does GDPR apply to schools? Well, yes. It applies to all organisations.
GDPR applies to schools as Data Controllers
The final text of the GDPR was agreed back in April 2016, and Article 4, section 7 defines the Data Controller (i.e. the organisation or individual to whom the regulations apply) as the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. The ICO is clear in its Key Definitions of the Data Protection Act that in this context “legal person” means individuals, organisations, and other corporate and unincorporated bodies of persons.
Education is not excluded from the regulation
The agreed text of the Regulation also lists specific exclusions in terms of material scope in Article 2, such as the processing of data by competent authorities for the purposes of safeguarding against and the prevention of threats to public security. This section makes no reference to schools or even education in general.
The GDPR therefore applies to organisations that process personal data, and schools very obviously do not appear in the list of excluded activities. It seems more than clear that the Regulation very much applies to UK schools, and the icing on the cake comes from the ICO itself.
And the ICO says so
No regulatory body has gone as far as publishing a list of discrete activities to which the new GDPR does apply. It is, after all, a blanket regulation at the heart of which lies the right of everyone to the protection of personal data concerning him or her, and the very few exclusions are specifically laid out in the agreed text of the Regulation. However, what the ICO has done is publish specific GDPR guidance to the UK education sector in which it clearly states that Schools are acting as Data Controllers under the DPA and will be doing so under the GDPR.
It’s a slam dunk, not that there should ever be any doubt. GDPR will apply to schools (with the ultimate legal responsibility falling upon the governing body or academy proprietor). So with deadlines looming, it’s time to get that gap analysis done. But don’t be daunted: the new regulation is an evolution of the DPA, not a revolution, and there is a lot of resource available and more coming all the time.
Sources
https://ico.org.uk/for-organisations/guide-to-data-protection/key-definitions/
http://data.consilium.europa.eu/doc/document/ST-5419-2016-INIT/en/pdf