We recently saw the release of the Government’s response to their consultation on the proposed Data Reform Bill.
It is still early days for the proposed legislation and there is a lot to go through from this response. In addition, the timeline for the new legislation and exactly what it will look like based on this response is unclear at this stage.
But our sponsor, SchoolPro TLC, has looked at the consultation outcome and you can read their initial reaction and thoughts about how it might impact on working with schools in the future.
Department for Digital, Culture, Media & Sport | Consultation outcome | Data: a new direction - government response to consultation
Privacy Management Programmes to be a Compliance Requirement
This is one that we have been expecting and we have built the online audit/accountability tool in the new portal with this possibility in mind.
Essentially, the proposal is to reduce the accountability requirement to the following six key areas (from the current ten):
This potentially simplifies the process and our audit tool has been developed to be fully configurable.
So, if this change goes ahead as suggested, the existing tool can be adapted to the new Privacy Management Programme, and relevant information, actions, etc. already in the tool can be ported across as required. The Government have been keen to highlight that this is not to reduce the rigour of accountability and lower standards, but to create a more flexible tool that can scale depending on the risk level of the organisation. This may well ease some of the burden on smaller schools, for example.
Data Protection Officers (DPO) to no longer be mandatory and to be replaced with a ‘senior responsible individual’
This proposal removes the need for an independent DPO with no conflicts of interest and allows the role to be taken on by a senior individual within the organisation. That person will still fulfil many of the existing roles of a DPO, so it is likely that many organisations will simply continue with their existing arrangement. The ‘senior responsible individual’ will be responsible for:
At present, it is not fully clear whether this will apply to all organisations, or whether only small organisations and those that do not process high levels of sensitive data will be able to drop the requirement for a “DPO”. We are obviously going to keep a keen eye on this one!
Removal of Data Protection Impact Assessments (DPIAs)
The thought here is to provide a more flexible and tailored approach to organisations.
Again, the Government are keen to emphasise that this is not to reduce rigour and lower standards and they state that organisations will still have to identify, assess and manage risk. This may allow for a more risk-based approach where lower risk processing has a simpler risk management approach and higher risk processing still follows a similar DPIA process to what is currently in place.
However this is implemented, thankfully it should not involve new risk management for legacy systems, as the Government has stated that “existing DPIAs would remain valid as a way of achieving the new requirement.”
Removal of the Record of Processing Activities (RoPA) Requirement
As with DPIAs, this is to provide a more flexible approach that can be tailored to different organisations depending on size and the nature of their processing activities. This will link to the Privacy Management Programmes and will require organisations to have “personal data inventories” that “describe what and where personal data is held, why it has been collected and how sensitive it is.”
From what we have read so far, we believe that our existing data mapping tool will still allow these inventories to be created, with very little adaptation needed from their current format.
Those are a few of the points we think will have an immediate impact on schools.
Of course there are more detailed analyses of all the proposals available online, such as this useful one from the IAPP:
It is also clear that not everyone is happy with the proposals.
Reading through the response, the prevailing theme appears to be “we asked about this, most of you weren’t happy with proposed changes… so we’re going to make some anyway”, which is an interesting approach to a consultation.
All we can say is, watch this space…
Report by Ben Craig CIPP/E, Director of SchoolPro TLC Ltd