Our sponsor SchoolPro TLC provides some helpful and current advice about confidential references and subject access requests.
When it comes to subject access requests and exemptions, it is important to understand the various exceptions that apply to certain types of personal data.
One specific exemption relates to confidential references. According to the Information Commissioner’s Office (ICO) and the Data Protection Act 2018, personal data included in a confidential reference is exempt from the right of access in specific circumstances.
The exemption applies to references given or received for the purpose of prospective or actual education, training, employment, volunteer placement, appointment to office, or provision of services by an individual. It is important to note that this exemption only applies to references that are provided in confidence.
To ensure clarity in your documentation, especially for educational references, it is advisable to state explicitly that all references will be treated as confidential. This should be communicated to both the individuals providing the referees and those providing the reference itself.
For example, instead of a simple instruction such as “Please provide details of two referees.”, you can modify the wording to make clear that all references will be treated as confidential.
A revised statement could be: “Please provide details of two referees. All references will be treated as confidential.”
If your references are considered confidential, you will need to ensure that staff dealing with subject access requests are aware of the exemption and have adequate guidance to follow, in order to prevent accidental release of your confidential references.
Understanding these exemptions and clearly communicating the confidentiality of references will help ensure compliance with Data Protection regulations and maintain the privacy and trust of individuals involved in the process.
By Ben Craig for the SchoolPro TLC Team
For more detailed information on other exemptions that apply to subject access requests, check out SchoolPro TLC's SAR Guidance and/or the ICO website and contact the SchoolPro TLC team directly for support.
If you are interested in this topic and wish to find out more about working in this area, you can find out more about how you could Make a Difference with SchoolPro TLC.
We are grateful to our SWIFT sponsors for their services. Their support helps to provide additional funding for us to subsidise the cost of conferences and events as part of our high-quality professional development offer to school leaders, teachers and staff.
Our sponsor SchoolPro TLC provides guidance for schools and MATs following the recent infringements by a primary school in relation to Article 5(1)(f), Article 24(1) and Article 32 of the UK GDPR.
The unfortunate data breach has emphasised the importance of robust Data Protection practices in schools, colleges and MATs.
The Information Commissioner's Office (ICO) publicly reprimanded Parkside Community Primary School for infringements of the UK General Data Protection Regulation (UK GDPR).
Whilst this is clearly a concern for the school and data subjects involved, it also provides a valuable opportunity for all schools to reassess their Data Protection strategies.
The incident involved the inappropriate disclosure of personal and special category data in a classroom setting, affecting four data subjects including three children. According to the reprimand published, key contributing factors to the breach included insufficient Data Protection policies, inadequate guidance around email security, and a lack of explicit procedures regarding the use of a case management system.
SchoolPro TLC delves here into the key lessons to be learned from this unfortunate event, and provides a checklist to ensure that you are adequately protecting the personal data of your pupils and staff.
Lessons to Learn
The reprimand presents several key lessons that could apply to other schools in the UK:
1. Ensure Adequate Data Protection Policies
The reprimand highlighted that the school lacked detailed Data Protection policies, specifically on the safe handling of personal data over emails and the usage of a specific case management system.
Policies should clearly outline the procedures for maintaining data security and confidentiality, especially when it involves sensitive or special category data.
Schools should have policies specific to the high-risk software and platforms they use, created in conjunction with risk assessments or Data Protection Impact Assessments (DPIAs).
2. Provide Clear Procedures and Guidance
The lack of written guidance for employees was a significant issue.
Clear instructions need to be in place for using security and confidentiality classifications on emails, and for the usage of any case management system or software.
Guidelines regarding when and where to open sensitive emails, and how to operate electronic devices securely (like electronic whiteboards), should also be clearly provided.
3. Staff Training
Regular and thorough training for staff is necessary to ensure compliance with Data Protection regulations.
This should include training on the operation of specific software or systems, data breach reporting procedures, operation of electronic devices, and general Data Protection principles.
4. Incident Reporting Mechanisms
In this case, staff failed to report the data breach internally.
An effective incident reporting mechanism should be in place, and staff should be well aware of the process to follow if a data breach is suspected or has occurred.
5. Sensitive Data Handling
Emails or alerts containing sensitive information should be appropriately labelled and only accessed under safe conditions (e.g., not in the presence of children or during teaching hours).
Controls should be in place on who can access highly sensitive information and when.
6. Policy Enforcement and Review
All staff and stakeholders should be familiar with the school's Data Protection policies.
Policies should be reviewed and updated regularly, especially in response to incidents, and staff should be required to affirm their understanding and acceptance of these policies.
7. Testing and Audit of New Processes
Any new processes or procedures introduced in response to a data breach should be tested to ensure they are effective and embedded within the organisation.
Action Plan / Checklist
Taking those lessons into consideration, what key actions can a school, college or MAT take to reduce their data breach risk and improve practice?
Policies and Procedures
Review your Data Protection policies and procedures, ensuring they cover all aspects of data handling, including specific written guidelines for using software and systems that process sensitive data.
Training and Awareness
Develop a regular training schedule on Data Protection for all staff.
Emphasise what constitutes a data breach, the importance of reporting breaches promptly, and the consequences of failing to do so.
As a guide, staff should receive Data Protection training as part of their induction to the organisation, and refresher training should be completed at least biennially if not more frequently.
Annual refresher training would be best practice.
Implement security measures for emails that contain sensitive data, such as security classifications or labels. Provide clear guidelines on when and where such emails can be safely opened.
Where possible, use alternative methods of communicating sensitive data such as access-controlled, secure, shared folders, or internal secure data transfer systems if available to your school.
Software and System Security
Review the security measures for all software and systems that process sensitive data.
Ensure staff are trained on how to use these systems securely, including the use of strong passwords and multi-factor authentication.
Also, include procedures, guidance and training for those systems that could be used to view sensitive data such as electronic whiteboards and screen-sharing from staff members' electronic devices.
Monitoring and Review
Regularly monitor and review your Data Protection measures to ensure their effectiveness and make improvements where necessary.
By following this checklist along with your existing practices, and continually investing in data protection, you can better protect the personal data of your pupils and staff, and ensure compliance with the UK GDPR.
The incident highlighted by this ICO reprimand serves as a stark reminder of the potential repercussions of insufficient Data Protection, and the importance of making it a priority in your school, college or MAT.
Stay safe and healthy.
Report by the SchoolPro TLC Team
SchoolPro TLC is led by a committed team of former school and education leaders and Governors with over 60 years' combined experience across all stages of education and in a variety of contexts, who have worked to improve educational provision.
Paragraph 221 of "Keeping Children Safe in Education" (2022) states that:
“schools and colleges should consider carrying out an online search as part of their due diligence on the shortlisted candidates. This may help identify any incidents or issues that have happened, and are publicly available online, which the school or college might want to explore with the applicant at interview.”
Our sponsor, SchoolPro TLC, works with schools to provide specialist expertise and explains what this means for schools.
Consider the Purpose of this Processing
In this case, the processing is part of your recruitment process, so any data that you collect or process as part of it should only be used for that purpose.
Make sure you know what lawful basis you are using for this processing.
As this is being proposed within statutory legislation (i.e. KCSIE 2022), the lawful bases that apply are likely to be Article 6(c) legal obligation or Article 6(e) public task. In this case, Article 6(e) would seem to be the most appropriate if you are a state school. If you are a private school, Article 6(c) would be relevant here.
Consider what actual data you are going to be processing.
Are you going to be keeping any results from these online searches? If so, what? And for how long? And how are you going to keep the data secure?
This essentially covers a number of the principles of the UK GDPR such as data minimisation, storage limitation, and integrity and confidentiality.
In terms of retention, use your retention schedule (refer to the IRMS Toolkit or similar) to identify how long you might consider keeping any relevant data from the searches. Make sure this is proportionate to the purpose.
For most checks, you might record in your SCR that the check was conducted.
For others, you may want to keep the evidence in case of a challenge before securely destroying it.
Your job applicant privacy notice should make it clear that this data is going to be processed and explain some of the points above. You should also consider a statement on your application form.
Job Applicant Privacy Notice Template
An updated job applicant privacy notice template is available on the SchoolPro portal (in Global Documents).
For more information or if you have any questions, you can contact SchoolPro TLC.
The Met Office has warned that temperatures could hit 43C over the coming week, which would make it the hottest day ever recorded in the UK.
Our sponsor, Wolferstans Solicitors, provides some guidance for employers as summer temperatures soar.
If it’s too hot to work, can employees leave?
Under UK law there is currently only a minimum working temperature set, which is 16C. However, if the employee’s work involves rigorous physical effort, the temperature should be at least 13C.
Unfortunately, there is no meaningful figure that can be placed on high temperatures to indicate whether it is in fact too hot to work. That said, employers are responsible for ensuring their employees and workers are comfortable in their working environment. This extends to helping them keep cool. Health and safety should also factor into an employer’s consideration of whether it is too hot to work.
Can employees legally ask for air conditioning in their workplace?
Employers are obliged to keep employees comfortable, which falls within them needing to ensure the working environment is of a reasonable temperature for those using it. From this, the concept known as "thermal comfort" has been established. By managing the thermal comfort within the workplace employers are more likely to improve morale, productivity and health and safety.
The Health and Safety Executive notes that the six basic factors causing thermal discomfort are:
One way in which they suggest you can control thermal comfort across these factors is by using air conditioning units or dehumidifiers. If you want further advice on whether you should be installing air conditioning because you are receiving employee complaints about the temperature in the workplace, then please get in contact via the contact details below.
Do employees have to wear their usual work attire in sweltering heat?
This very much depends on the organisation.
For example, if you employ tree surgeons, you would not be complying with health and safety laws and organisational policies if you allowed your employees not to wear their personal protective equipment, such as the thick, heavy chainsaw trousers which they most likely do not wish to be wearing on an extremely hot day.
In circumstances where it is reasonable to have a flexible dress code, such as in an office environment, employers should adopt one to help with employees’ thermal comfort and productivity.
If in doubt whether this applies to you, the Health and Safety Executive provides further information on this.
How else can employers ensure that "thermal comfort" is managed well?
Hybrid working is becoming increasingly popular and making the most of this on an extremely hot day could benefit employers and employees. Employers need to consider whether the building they have is equipped for a heatwave. In doing this they should factor in whether there is a lot of glass, if it is an older building, whether there is good ventilation, and whether or not they already have air conditioning installed.
Employee productivity could be higher if staff are allowed to work from home in a cooler environment. If this is not possible, then employers need to control the thermal comfort of their employees in the workplace as best they can, given their circumstances. One way to do this, where there is no air conditioning, is to provide fans, if it is safe to do so.
If you have any concerns over your workplace, or employees refusing to attend work during the heatwave, please make contact via our new enquiries section of the website.
By Rachel Lee, Wolferstans Solicitors