Latest developments from the Information Commissioner's Office
As the calendar year begins, it’s a good time for schools to take stock of recent guidance from the Information Commissioner’s Office (ICO). This article highlights some key areas of recent focus, offering a practical overview of how schools can stay compliant.
Safeguarding
The ICO has issued new guidance to help the education sector feel confident about sharing personal data to safeguard children. The guidance emphasises that data protection law supports, rather than conflicts with, effective safeguarding.
The ICO aims to give schools greater confidence when sharing personal data for safeguarding reasons. The guidance uses practical case studies to illustrate how data protection law operates alongside safeguarding duties in different situations. It also reiterates the ICO’s established view that, in many cases, children from the age of 12 years old can reasonably be presumed capable of exercising their own data protection rights.
Data protection training for staff should reassure them that it is possible to comply with data protection and safeguarding - the two are not in conflict.
Information security
Recent enforcement action by the ICO highlights the risk of staff using personal devices for work. In December, the ICO fined the password manager provider LastPass after attackers gained access to the personal data of millions of users partly due to a compromised employee device. If your school allows staff to use personal devices you must have robust security measures in place. The ICO and the National Cyber Security Centre have published guidance in this area.
All staff (and governors) must receive information security training and guidance. This should cover points such as how to recognise phishing emails, how to work from home securely, choosing strong passwords and who to speak to if they suspect a personal data breach.
We have developed an Information Security Policy for independent schools which forms part of our Data Protection Handbook, and also created information security e-learning. Please get in touch if you would like more information about these products.
Subject access requests
Updates to the ICO’s subject access request guidance take account of the Data (Use and Access) Act. Although many of the Act’s provisions are not currently in force, the guidance provides early support to help organisations plan for future implementation.
The guidance covers the obligation to do a reasonable and proportionate search for personal data (now on a statutory footing), the changes under the Act around seeking clarification and the ICO's latest interpretation of the ability to refuse to respond to manifestly unfounded or excessive requests.
We have observed an increase in subject access requests submitted to schools, highlighting the importance of preparation to ensure requests can be handled efficiently. For example:
- Putting good records management procedures in place so that searches can be done efficiently - particularly in respect of emails
- Complying with the appropriate retention periods so that you do not hold more information than you need
- Training staff how to recognise SARs and not to record unprofessional or embarrassing comments.
If you would like to hear more practical advice on managing SARs, we are running a half day training session on 10 February online.
For more information or advice please contact Alice Reeve in our Independent Schools team.
Get in touch today
Are you looking for legal services?
Fill out our form to find out how our specialist lawyers can help you.