MATs should be mindful of data protection issues when sharing personal data. This is the case even where such sharing takes place in order to comply with mandatory regulatory or legal requirements, for example when reporting a concern to Children's Services or sharing data with Ofsted in connection with an inspection.
In particular, a MAT should ensure that the academies it is responsible for comply with the information security requirements of data protection law. A MAT is the 'data controller' of the personal data held by its academies, which means that the MAT would be liable should an academy be in breach of the requirements.
Many organisations will provide platforms to enable information to be shared confidentially, eg a secure file transfer service or secure email. Even so, the MAT must still be satisfied that the method used by the academy is robust. In most cases, we would expect MATs to conclude that what is offered is sufficiently secure, but if in doubt, the data should be encrypted before it is transferred. This will help ensure that the data remains secure, even if there is a security breach (eg if the secure email platform is accessed by a hacker).
Subject Access Requests
Individuals can make a request for a copy of the information held about them, and in some cases, a copy of information held about their child - a subject access request (SAR). As any person who has had to deal with such a request will know, SARs can take up a lot of time and effort and are often used by individuals to 'fish' for information that may be relevant to an ongoing dispute or claim.
There is a requirement to respond to a SAR within 40 calendar days. Unlike Freedom of Information Act requests, there is no exemption for non-school days when it comes to SARs.
This means that if an academy receives a request shortly before the start of the summer holidays, it cannot wait until the new term starts in September before responding. MATs should ensure that academy staff are trained to spot SARs so that they can be dealt with promptly and in good time before the academy breaks up.
Our compliance management solution for academies, My OnStream, includes two data protection e-learning modules for staff. The first covers the data protection essentials and the second focuses on information security. These modules provide practical guidance to staff on a wide range of data issues including those set out above.