The Data Protection and Digital Information Bill, which is set to reform data protection law, was published last summer.
In its current form, the Bill is a mixed bag for schools. On the one hand, the proposed changes should make it more straightforward to fundraise without consent and may also make it easier to resist vexatious subject access requests. On the other hand, some of the proposed reforms to reduce data protection 'red tape' are unlikely to make much difference in practice. There may also be a new requirement for schools to appoint a 'senior responsible individual' for data protection compliance.
The Bill was apparently scrapped last September as one of the first acts of the Truss administration, which seemingly favoured a more radical approach to data protection reform and felt that the Bill didn't go far enough. However, at the time of writing, the Bill is set to reappear in due course, possibly with further amendments.
It remains to be seen what form the new laws will take, but key changes for schools are likely to be around fundraising, subject access requests and data protection accountability requirements.
The ICO has been busy producing new guidance on a variety of topics. This includes:
Information security remains the area of greatest risk: the vast majority of data protection fines and compensation claims stem from breaches of GDPR information security requirements.
The risks were brought into focus once again late last year when the ICO issued a £4.4 million fine to Interserve following a ransomware attack. The fine again demonstrates the importance of getting the information security essentials right, and having both technical measures (such as network security) and organisational measures (such as staff training) in place to safeguard personal data to the standard required by data protection law.
Schools are increasingly relying on EdTech to support education and learning. Schools should take steps to ensure that any EdTech supplier that has access to school personal data only does so in a way that is compliant with data protection law. In many cases, an EdTech supplier will be a processor to the school, which triggers specific obligations on the school to carry out checks on the supplier's data security and compliance practices, and to ensure that the mandatory GDPR contractual provisions are included in the contract between the school and the supplier.
We have developed eLearning on data protection and information security, designed to disseminate key information to staff to help you protect the security of personal data within your school and easily evidence that training when needed. The courses have been written by our data protection specialists and will be updated next year in line with the expected change to data protection law.
To support schools with the possible requirement of a 'senior responsible individual' we will also be offering a tailored 'Data Protection Lead' course which builds on understanding of data protection essentials to help individuals carry out their role more effectively.
All staff eLearning starts at £3 per learner, and our role-specific courses are individually priced.
To book a demo, please contact Imogen Street in our VWV Plus team on 07384 545 998 or at istreet@vwv.co.uk.