We are often asked whether consent should be sought before taking and using photographs. The answer will often turn on how privacy intrusive the photograph (or its use) is.
For example, a photograph featured on the front cover of a school's prospectus will likely require consent, whereas a photograph used on an internal display at the school usually will not.
NB - if consent is not sought, you should still be transparent about your practices so that individuals have an opportunity to object.
We are finding that a lot of schools have not yet put in place compliant privacy notices. The purpose of the privacy notice is to set out how the school uses personal information. Not only is the provision of privacy notice information a legal requirement but schools are also finding they are useful in relation to disputes.
For example, a parent with an ongoing dispute may seek to argue that the school has breached its data protection obligations through not being transparent regarding how the parent's data is used as an additional strand to the complaint. If the school can show that what the parent has complained about is covered in the privacy notice, then this will often go a long way to rebutting the alleged non-compliance.
A number of schools have fallen victim to cyber-attacks. These range from phishing emails, through to remote attacks made against the school's network and IT infrastructure. We have found that attacks are often successful through schools failing to provide essential training to staff or failing to take basic steps to secure the school's network.
You should therefore ensure that you have done enough to protect your systems from attack. The GDPR contains explicit obligations around information security, for example, in relation to documentation, encryption, back-ups, and ongoing testing and assessment, and schools should have regard to these in particular.
Subject access requests (SARs) remain by far the most common type of request made against a school despite the abundance of new rights granted under the GDPR.
Of particular note is that the exemption which allowed a school to withhold third party information (ie, where third party data is mixed with the requester's) under a SAR no longer applies if the third party is "a teacher or other employee at the school".
This is a significant change which makes it more difficult to lawfully withhold staff information, for example, in circumstances where a school wanted to withhold the identity of a whistleblower. However, this is not to say that third party staff data must necessarily be disclosed in all cases; in some situations there may be alternative exemptions which would be applicable.
A school will often use the same alumni database as its alumni society. In these circumstances, it is not always clear who 'owns' the data as between the school and the society (or to use data protection terminology, who the data controller is). That the school may physically control the database is not determinative.
A risk is that the society argues that it, and not the school, is the controller. If the society is right, then the school would have no right to use the data for its own purposes. A data sharing agreement between the school and the society can help to regularise the relationship. In particular, an agreement should make it clear that the school is a controller of the data (if indeed this is the case) to prevent any dispute further down the line. Often these agreements provide that both the school and the society are controllers.