1/2/2024
As part of their experience within the education sector, our sponsor SchoolPro TLC provides the role of Data Protection Officer (DPO) as a service for schools.
The SchoolPro Team have been receiving a number of queries from schools about the issue of sending home flyers for third-party organisations by email or post.
See below for their guidance on sending out communications from third-party organisations to parents. The team are able to draw on their knowledge as former school leaders, as well as their DPO expertise.
Your school, for example, might be thinking about sending home a communication about local community events or third-party activity providers. Email is often used by schools for this, although SchoolPro TLC have reservations due to email being subject to Privacy and Electronic Communications Regulations (PECR) and additional consent requirements.
When the SchoolPro Team first spoke to the Information Commissioner's Office (ICO) about the possibility of using soft opt-in (which they had thought would not be possible), the ICO responded as follows:
“You are correct in your understanding that soft opt in relies on you having provided a similar product or service to the individuals. As you have said that the events are run by third party organisations, you wouldn’t be able to use soft opt in, as you will have never provided them with that product or service. You would need to rely on consent instead.
You would need to obtain their consent, possibly by an opt in box, asking if people will consent to receiving marketing from your trusted third-party organisations. You should let people know who it is they will be receiving marketing from, so a link or the names listing the third parties you will use should be sufficient.”
The following definition of direct marketing may be a helpful clarification:
Direct marketing is any type of advertising or promotional material aimed at a particular person. Mass marketing, such as an advertisement in a magazine, is not aimed at anyone in particular.
As for sending home flyers in pupils' school bags, SchoolPro TLC consider this to be a more straightforward approach. In essence, the ICO is saying:
“If you’re sending direct marketing by post, you don’t need consent.
However, if you’re putting someone’s name on a letter or flyer, you’ll need a lawful basis for using their personal data. This also applies if you know the name or other information which can identify the person you’re sending the marketing to.”
Because the school does know the name of, or can otherwise identify, the person to whom it is sending the flyers, it needs a lawful basis for using that personal data. In this case, that is likely to be legitimate interests.
The school would need to conduct a Legitimate Interests Assessment (LIA) to assess if this is a valid lawful basis in this case. If it is, the school would then need to notify people that they are going to receive this marketing and then record if anyone specifically requests that the school doesn’t send them flyers home (and then make sure that they don’t).
SchoolPro TLC advise that a school could add to a parent newsletter (or similar communication) words to the following effect:
“We will occasionally send home flyers from trusted third parties, such as the Local Authority, in pupils' bags. This is to make you aware of events, activities, services and products that we think may be of interest to you or your family. Please let us know if you object to this and we will ensure that you don’t receive this information.”
We hope that you find this advice helpful, and the SchoolPro TLC Team are available should you need further guidance and support.
With thanks to Director Ben Craig and the SchoolPro TLC Team.
Our sponsor SchoolPro TLC provide some helpful and current advice about confidential references and subject access requests.
When it comes to subject access requests and exemptions, it is important to understand the various exceptions that apply to certain types of personal data.
One specific exemption relates to confidential references. According to the Information Commissioner’s Office (ICO) and the Data Protection Act 2018, personal data included in a confidential reference is exempt from the right of access in specific circumstances.
The exemption applies to references given or received for the purpose of prospective or actual education, training, employment, volunteer placement, appointment to office, or provision of services by an individual. It is important to note that this exemption only applies to references that are provided in confidence.
To ensure clarity in your documentation, especially for educational references, it is advisable to state explicitly that all references will be treated as confidential. This should be communicated both to the individuals supplying referee details and to those writing the reference itself.
For example, instead of a simple instruction like “Please provide details of two referees.”, you can modify it to convey that all references will be treated as confidential. A revised statement could be: “Please provide details of two referees. All references will be treated as confidential.”
If your references are treated as confidential, you will need to ensure that staff dealing with subject access requests are aware of this exemption and have adequate guidance to follow, in order to prevent the accidental release of your confidential references.
Understanding these exemptions and clearly communicating the confidentiality of references will help ensure compliance with Data Protection regulations and maintain the privacy and trust of individuals involved in the process.
By Ben Craig for the SchoolPro TLC Team
For more detailed information on other exemptions that apply to subject access requests, check out SchoolPro TLC's SAR Guidance and/or the ICO website and contact the SchoolPro TLC team directly for support.
If you are interested in this topic and wish to find out more about working in this area, you can find out more about how you could Make a Difference with SchoolPro TLC.
We are grateful to our SWIFT sponsors for their services; their support helps to provide additional funding for us to subsidise the cost of conferences and events as part of our high-quality professional development offer to school leaders, teachers and staff.
Our sponsor SchoolPro TLC provides guidance for schools and MATs following the recent infringements by a primary school of Article 5(1)(f), Article 24(1) and Article 32 of the UK GDPR.
The unfortunate data breach has emphasised the importance of robust Data Protection practices in schools, colleges and MATs.
The Information Commissioner's Office (ICO) publicly reprimanded Parkside Community Primary School for infringements of the UK General Data Protection Regulation (UK GDPR).
Whilst this is clearly a concern for the school and data subjects involved, it also provides a valuable opportunity for all schools to reassess their Data Protection strategies.
The incident involved the inappropriate disclosure of personal and special category data in a classroom setting, affecting four data subjects including three children. According to the reprimand published, key contributing factors to the breach included insufficient Data Protection policies, inadequate guidance around email security, and a lack of explicit procedures regarding the use of a case management system.
SchoolPro TLC delve here into the key lessons to be learned from this unfortunate event, and provide a checklist to ensure that you are adequately protecting the personal data of your pupils and staff.
Lessons to Learn
The reprimand presents several key lessons that could apply to other schools in the UK:
1. Ensure Adequate Data Protection Policies
The reprimand highlighted that the school lacked detailed Data Protection policies, specifically on the safe handling of personal data over emails and the usage of a specific case management system.
Policies should clearly outline the procedures for maintaining data security and confidentiality, especially when it involves sensitive or special category data.
Schools should have policies specific to the high-risk software and platforms they use, created in conjunction with risk assessments or Data Protection Impact Assessments (DPIAs).
2. Provide Clear Procedures and Guidance
The lack of written guidance for employees was a significant issue.
Clear instructions need to be in place for using security and confidentiality classifications on emails, and for the usage of any case management system or software.
Guidelines regarding when and where to open sensitive emails, and how to operate electronic devices securely (like electronic whiteboards), should also be clearly provided.
3. Staff Training
Regular and thorough training for staff is necessary to ensure compliance with Data Protection regulations.
This should include training on the operation of specific software or systems, data breach reporting procedures, operation of electronic devices, and general Data Protection principles.
4. Incident Reporting Mechanisms
In this case, staff failed to report the data breach internally.
An effective incident reporting mechanism should be in place, and staff should be well aware of the process to follow if a data breach is suspected or has occurred.
5. Sensitive Data Handling
Emails or alerts containing sensitive information should be appropriately labelled and only accessed under safe conditions (e.g., not in the presence of children or during teaching hours).
Controls should be in place on who can access highly sensitive information and when.
6. Policy Enforcement and Review
All staff and stakeholders should be familiar with the school's Data Protection policies.
Policies should be reviewed and updated regularly, especially in response to incidents, and staff should be required to affirm their understanding and acceptance of these policies.
7. Testing and Audit of New Processes
Any new processes or procedures introduced in response to a data breach should be tested to ensure they are effective and embedded within the organisation.
Action Plan / Checklist
Taking those lessons into consideration, what key actions can a school, college or MAT take to reduce their data breach risk and improve practice?
Policies and Procedures
Review your Data Protection policies and procedures, ensuring they cover all aspects of data handling, including specific written guidelines for using software and systems that process sensitive data.
Training and Awareness
Develop a regular training schedule on Data Protection for all staff.
Emphasise what constitutes a data breach, the importance of reporting breaches promptly, and the consequences of failing to do so.
As a guide, staff should receive Data Protection training as part of their induction to the organisation, and refresher training should be completed at least biennially if not more frequently.
Annual refresher training would be best practice.
Implement security measures for emails that contain sensitive data, such as security classifications or labels. Provide clear guidelines on when and where such emails can be safely opened.
Where possible, use alternative methods of communicating sensitive data such as access-controlled, secure, shared folders, or internal secure data transfer systems if available to your school.
Software and System Security
Review the security measures for all software and systems that process sensitive data.
Ensure staff are trained on how to use these systems securely, such as using strong passwords and multi-factor authentication.
Also, include procedures, guidance and training for those systems that could be used to view sensitive data such as electronic whiteboards and screen-sharing from staff members' electronic devices.
Monitoring and Review
Regularly monitor and review your Data Protection measures to ensure their effectiveness and make improvements where necessary.
By following this checklist along with your existing practices, and continually investing in data protection, you can better protect the personal data of your pupils and staff, and ensure compliance with the UK GDPR.
The incident highlighted by this ICO reprimand serves as a stark reminder of the potential repercussions of insufficient Data Protection, and the importance of making it a priority in your school, college or MAT.
Stay safe and healthy.
Report by the SchoolPro TLC Team
SchoolPro TLC is led by a committed team of former school and education leaders and Governors with over 60 years' combined experience across all stages of education, in a variety of contexts, who have worked to improve educational provision.
We recently saw the release of the Government’s response to their consultation on the proposed Data Reform Bill.
It is still early days for the proposed legislation and there is a lot to go through from this response. In addition, the timeline for the new legislation and exactly what it will look like based on this response is unclear at this stage.
But our sponsor, SchoolPro TLC, has looked at the consultation outcome and you can read their initial reaction and thoughts about how it might impact on working with schools in the future.
Department for Digital, Culture, Media & Sport | Consultation outcome | Data: a new direction - government response to consultation
Privacy Management Programmes to be a Compliance Requirement
This is one that we have been expecting and we have built the online audit/accountability tool in the new portal with this possibility in mind.
Essentially, the proposal is to reduce the accountability requirement to the following six key areas (from the current ten):
This potentially simplifies the process and our audit tool has been developed to be fully configurable.
So, if this change goes ahead as suggested, the existing tool can be adapted to the new Privacy Management Programme and relevant information, actions etc already in the tool, can be ported across as required. The Government have been keen to highlight that this is not to reduce the rigour of accountability and lower standards, but to create a more flexible tool that can scale depending on the risk level of the organisations. This may well ease some of the burden on smaller schools, for example.
Data Protection Officers (DPO) to no longer be mandatory and to be replaced with a ‘senior responsible individual’
This proposal removes the need for an independent DPO with no conflicts of interest and allows the role to be taken on by a senior individual within the organisation. That person will still fulfil many of the existing roles of a DPO, so it is likely that many organisations will simply continue with their existing arrangement. The ‘senior responsible individual’ will be responsible for:
At present, it is not fully clear whether this will apply to all organisations, or whether only small organisations and those that do not process high levels of sensitive data will be able to drop the requirement for a “DPO”. We are obviously going to keep a keen eye on this one!
Removal of Data Protection Impact Assessments (DPIAs)
The thought here is to provide a more flexible and tailored approach to organisations.
Again, the Government are keen to emphasise that this is not to reduce rigour and lower standards and they state that organisations will still have to identify, assess and manage risk. This may allow for a more risk-based approach where lower risk processing has a simpler risk management approach and higher risk processing still follows a similar DPIA process to what is currently in place.
However this is implemented, it thankfully should not involve new risk management for legacy systems, as the Government has stated that “existing DPIAs would remain valid as a way of achieving the new requirement”.
Removal of the Record of Processing Activities (RoPA) Requirement
As with DPIAs, this is to provide a more flexible approach that can be tailored to different organisations depending on their size and the nature of their processing activities. This will link to the Privacy Management Programmes and will require organisations to have “personal data inventories” that “describe what and where personal data is held, why it has been collected and how sensitive it is.”
From what we have read so far, we believe that our existing data mapping tool will still allow these inventories to be created, with very little need to adapt them from their current format.
Those are a few of the points we think will have an immediate impact on schools.
Of course there are more detailed analyses of all the proposals available online, such as this useful one from the IAPP:
It is also clear that not everyone is happy with the proposals.
Reading through the response, the prevailing theme appears to be “we asked about this, most of you weren’t happy with proposed changes… so we’re going to make some anyway;” which is an interesting approach to a consultation.
All we can say is, watch this space…
Report by Ben Craig CIPP/E, Director of SchoolPro TLC Ltd