
How Does Data Protection Affect Your Handling of Serious Incidents?

on Wednesday, 06 December 2017.

Every once in a while, unexpected and unfortunate events occur. These can range from parental complaints to allegations of abuse. Data protection is increasingly becoming part of your management of these incidents.

This is largely because interested parties, such as parents and staff, are more aware of their information law rights. 

This position is set to continue when the General Data Protection Regulation (GDPR) applies, from 25 May 2018. Individuals will have additional and stronger rights and they will be able to bring a claim more easily for infringement of their rights.

Disclosure of Information to Other Parties

When serious incidents occur, agencies and regulators such as the National College for Teaching and Leadership and the Charity Commission may request information from you. Before sharing information, you should make sure that there is a legal basis for doing so and that excessive information is not shared. While it is important that you co-operate with outside agencies, if this is not handled correctly there is a risk that the individual whose information is shared may complain that you have breached his or her data protection rights.

The Right to Information

Individuals have the right to a copy of the information which your school holds about them, subject to various limited exemptions. This is known as making a subject access request (SAR) and this right will remain under the GDPR. We often see parents and staff making a SAR when they have a grievance. Their objective is to find information which would be damaging to your school. These requests become particularly complicated when medical and safeguarding information is involved.

Individuals can complain to the Information Commissioner's Office (ICO) about your school's handling of their SAR at no personal cost to them. Even if the ICO do not take any enforcement action against your school, liaising with the ICO following a complaint can be time consuming and resource intensive.

Separated Parents

Schools often get caught in the middle of family breakups. Parents sometimes make a SAR to try to obtain information on their former partner, which they hope to use in court proceedings. This type of request places you in a difficult position. Parents may also claim that their data protection rights have been breached if your school shares their information with their former partner where there is no legal basis for doing so.

Requests from the Police and Local Authorities

The police and local authorities may ask your school for information connected to their investigations. This may or may not be connected to incidents at your school. For example, if a local authority considers that the parent of a pupil is committing benefit fraud, it may ask you to supply information about the payment of school fees.

There is no obligation to provide the information unless a court order has been obtained. That being said, in our experience most schools are keen to co-operate with the authorities. There is an exemption under data protection legislation which allows you to disclose personal data if not disclosing the information is likely to prejudice tasks such as the prevention or detection of crime. The application of this exemption is complicated and we recommend that you seek legal advice. If information is disclosed where the exemption does not apply, this is likely to constitute a breach of the individual's rights which might lead to a complaint or legal claim.

How Can You Protect Your School?

  • Train Your Staff
    All staff should be trained to recognise data protection requests and complaints about information handling. This training will need to be updated in light of the greater number of rights afforded to individuals under the GDPR.

  • Act Quickly
    Any communication about data protection should be forwarded promptly to the senior member of staff who manages your data protection compliance. There are statutory timeframes for responding to most data protection rights and complaints so the sooner the senior staff know about an issue the better. In addition, staff should understand that if they write inappropriate comments in emails and other documents these may be disclosable under a SAR.

  • Produce Privacy Notices
    Your school should implement GDPR-compliant privacy notices which let parents, staff and pupils know that their information may need to be shared with third parties such as outside agencies and family members. As well as being a legal requirement, privacy notices help to manage expectations about how your school may use information.

Seeking legal advice at an early stage is often advantageous in the long run. Please contact Andrew Gallie, in our Data Protection team, on 0117 314 5623 if you would like assistance with any data protection matters.
