Data protection law requires that personal data remains protected when it is sent overseas. This is often easier said than done unless the destination country benefits from an 'adequacy decision', ie a government decision that data can be sent to that country without additional safeguards. If no adequacy decision is in place, one way to protect the data is to put in place contractual clauses drafted by the EU (the standard contractual clauses, or SCCs) which place certain obligations on the receiver. However, this became more complicated last year due to an EU court case (known as Schrems II) which held that contractual clauses might not be sufficient on their own and that additional measures might be needed, depending on the laws and practices of the destination country. Please see our previous article for more information on this case.
The Information Commissioner's Office (ICO) (the UK data protection regulator) is taking a relatively pragmatic stance over what is required for compliance (at least when compared to the stance taken by the EU regulators). The ICO's latest documents (which are currently out for consultation) include a UK replacement for the EU contractual clauses (the draft International Data Transfer Agreement), together with guidance on how to decide whether additional measures are needed and what these might look like. The ICO will also update its guidance on international transfers once the consultation has closed.
Although the ICO's documents are not yet finalised, it is technically already a requirement to put additional measures in place in some circumstances. Your school may therefore wish to consider what it can do now in this area. In light of the ICO's pragmatic approach to enforcement, one option is to carry out risk assessments now only for the riskier transfers to countries without an adequacy decision, for example transfers that involve safeguarding or medical information.
The Government has recently announced its intention to grant more adequacy decisions to make it easier for personal data to flow between the UK and other countries. The Government is prioritising partnerships with countries including the USA, Australia, the Republic of Korea and Singapore.
Please get in touch if you would like to discuss this area of your school's compliance.
The really large fines for data breaches tend to get the most press attention, but smaller organisations can be subject to enforcement action too. The ICO fined the charity Mermaids £25,000 a few months ago, again demonstrating that information security should be a priority for organisations of all sizes.
Schools should ensure that they have robust measures in place to keep personal data secure. For example, your school's IT team should be familiar with the latest guidance from the National Cyber Security Centre (NCSC). Training for all staff is essential because cyber criminals target everyone and a simple mistake (such as clicking a link in a phishing email) can be costly. Our latest eLearning for school staff provides practical training and keeps a record that staff have completed it, so that you can prove your compliance (remember accountability!). Please contact Imogen Street for a free demo.
If you've attended one of our data protection webinars (or, pre-pandemic, an in-person event!) you'll know that we're very keen on accountability. Accountability requires not only that your school complies with data protection law but that it can demonstrate its compliance. As well as being a legal requirement in its own right, accountability is clearly a focus for the ICO when it considers enforcement action.
The ICO updated its Accountability Framework a couple of months ago. The Framework outlines the ICO's expectations of how organisations can meet the accountability requirement. In practice, schools should have documents and procedures which show how data protection law is embedded in the school's culture. These should include policies, privacy notices, the documents explicitly required by data protection law (eg a record of processing activities) and contracts with processors.
We've recently updated our Data Protection Handbook for schools to take account of the latest ICO and NCSC guidance. The Handbook consists of the key documents that your school should have in place for data protection compliance. Please do let us know if you'd like to find out more.
The Age Appropriate Design Code (aka the Children's Code) gives extra protection to children's personal data online and became enforceable on 2 September. The ICO has confirmed that schools are not caught by the Code when offering their core educational services. If your school offers an online service outside its core educational services (eg an online summer school) then we recommend considering whether you are caught by the Code.
However, some suppliers of online services to schools will be caught by the Code. If an online service is caught by the Code we recommend checking its compliance before using it, because your school, as controller, is responsible for choosing processors (service providers that use personal data on the school's behalf) that comply with data protection law and can be held responsible for the GDPR non-compliance of its processors.
Last week the Government launched a consultation on how to reform data protection law post-Brexit. It's much too early to say exactly what's on the horizon but the Government is clearly aiming to maintain high data protection standards whilst encouraging innovation and economic growth. This new regime will also include a reformed ICO with John Edwards (currently New Zealand's Privacy Commissioner) as the new Information Commissioner.
If you'd like to stay on top of this fast moving area of law consider signing up to the data protection module of our Compliance Toolkit. For a small annual fixed fee you receive monthly updates with practical guidance on what your school needs to do to stay data protection compliant.