
Data Protection - Recent Developments and What's on the Horizon

on Monday, 09 January 2023.

Here we look at recent data protection developments and what schools should be thinking about for the year ahead.

The Latest on the Data Protection Reform Bill

The Data Protection and Digital Information Bill, which is set to reform data protection law, was published last summer.

In its current form, the Bill is a mixed bag for schools. On the one hand, the proposed changes should make it more straightforward to fundraise without consent and may also make it easier to resist vexatious subject access requests. On the other hand, some of the proposed reforms to reduce data protection 'red tape' are unlikely to make much difference in practice. There may also be a new requirement for schools to appoint a 'senior responsible individual' for data protection compliance.

The Bill was apparently scrapped last September as one of the first acts of the Truss administration, which seemingly favoured a more radical approach to data protection reform and felt that the Bill didn’t go far enough. However, the latest at the time of writing is that the Bill is set to reappear in due course, possibly with further amendments.

It remains to be seen what form the new laws will take, but key changes for schools are likely to be around fundraising, subject access requests and data protection accountability requirements.

ICO Guidance

The ICO has been busy producing new guidance on a variety of topics. This includes:

  • draft guidance on employee monitoring and using employee health data. Further guidance will follow during 2023 on a variety of employment-related topics. As ever, schools will need to think about how to apply the guidance in an education setting. For example, the draft employee monitoring guidance places a lot of emphasis on the importance of staff privacy in a work context, even when using work-issued devices, but this will need to be considered in the wider context of a school's safeguarding duties and the importance of appropriate monitoring of school and IT systems
  • its long-awaited guidance on international data transfers. This includes a template transfer risk assessment (TRA). A school is required to carry out a TRA before transferring personal data overseas in some circumstances. For example, if a school used an app that stored school personal data in the USA, then a TRA would likely be required before the transfer takes place

Information Security and EdTech

Information security remains the area of greatest risk: the vast majority of data protection fines and compensation claims stem from breaches of GDPR information security requirements.

The risks were brought into focus once again late last year when the ICO issued a £4.4 million fine to Interserve following a ransomware attack. The fine again demonstrates the importance of getting the information security essentials right, and having both technical measures (such as network security) and organisational measures (such as staff training) in place to safeguard personal data to the standard required by data protection law.

Schools are increasingly relying on EdTech to support education and learning. Schools should take steps to ensure that any EdTech supplier that has access to school personal data only does so in a way that is compliant with data protection law. In many cases, an EdTech supplier will be a processor to the school, which triggers specific obligations on the school to carry out checks on the supplier's data security and compliance practices, and to ensure that the mandatory GDPR contractual provisions are included in the contract between the school and the supplier.

Recommended eLearning

We have developed eLearning on data protection and information security, designed to disseminate key information to staff to help you protect the security of personal data within your school and easily evidence that training when needed. The courses have been written by our data protection specialists and will be updated next year in line with the expected change to data protection law.

To support schools with the possible requirement of a 'senior responsible individual' we will also be offering a tailored 'Data Protection Lead' course which builds on understanding of data protection essentials to help individuals carry out their role more effectively.

All-staff eLearning starts at £3 per learner and our role-specific courses are individually priced.

To book a demo, please contact Imogen Street in our VWV Plus team on 07384 545 998 or at istreet@vwv.co.uk.

 


If you would like further information on how we can support your school with data protection compliance, including information on our data protection policies for schools, please contact Andrew Gallie in our Data Protection team on agallie@vwv.co.uk or 07467 220 831.