With the joys of Brexit behind us the government is preparing to legislate on changes to the UK-GDPR. Their view, the EU-GDPR is too onerous and limits innovation. A consultation has been completed, the proposed changes published and we now understand what the government is proposing to do and how this may affect schools.
The impact will be felt for Academy Trusts in England, given there is a correlation between data protection and the Academy Trust Handbook. And then additionally, the impact for all schools in the UK given the relationship of safeguarding and ‘Keeping Children Safe in Education 2022’. Consequently, the changes in the UK-GDPR shouldn’t be seen in isolation.
DPOs to be made redundant
Apologies to any DPOs out there, but yes, in many cases your formal title will be made redundant. With the mandated need for a DPO for public authorities, many schools panicked and either hired a DPO or purchased an outsourced provision from a third party. The intent of the GDPR is to build data privacy and protection capability and capacity within an organisation. This is so the organisation can make objective decisions on privacy related risk. Outsourcing this to a company for a couple of thousand pounds a year doesn’t meet this requirement (always seems to surprise people). Why?! Well, can within that fee for service, an external party understand the unique processing characteristics of each school it serves then provide objective assessments to the governing body on what needs to change and the resources (people, budget time) to do so? Fundamentally no. Outsourcing the DPO on this basis is window dressing for compliance, and is what the changes proposed by the government are seeking to address.
There will however be no lasting ‘hurrah, we don’t need a DPO’. The consequences of the change are more nuanced and far reaching. Schools will instead need to designate a senior responsible individual to be responsible for and to oversee a privacy management programme. Specifically their role will include:
The government is saying that it’s down to you as a school to determine whether having a DPO is the best way to monitor and improve compliance. Regardless of whether you do, it is still a requirement for a senior leader to oversee your privacy management programme (in addition to the DPO if you have one). As a school, you’ll need to make the decision whether you continue to fund a DPO provision, or direct the costs of resourcing that provision to training or supporting the senior leader who is designated with the responsibility.
- Representing or delegating a representative to the ICO and data subjects
- Ensuring appropriate oversight and support is in place for the programme and appointing appropriate personnel
- Providing tailored training to ensure staff understand the organisation’s policies
- Regularly auditing the efficacy of the programme
Out with the DPO, in with the Privacy Management Programme
An unfamiliar term to many, the Privacy Management Programme (PMP). But not to the team at 9ine. Many countries require a PMP including Singapore, Canada and Japan. Such was the need for 9ine to support schools with a PMP that we developed our own 9ine Privacy Framework structured into nine areas. These are set out in the image below, a snippet from the 9ine App. Each of the modules, from (1) Leadership & Governance, through to (9) Policies & Notices have set tasks that need to be completed.
In each module, the tasks are listed, with details provided on those tasks and an estimated amount of time to complete the tasks. This is demonstrated in the screenshot below. Now, before you stop reading and think this is a sales pitch, take a look and then give me a few more minutes of your time!
In the words of the government:
“The principle of accountability is key for privacy management programmes, and responsible use of personal data will continue to be at the heart of the accountability framework under the new regime. A move to a framework based on privacy management programmes will enable organisations to take a more proportionate approach in meeting the requirements of the UK’s regime. It will help to reduce the prescriptive regulatory burdens faced by smaller organisations, while enabling many organisations to focus on the outcomes required to help demonstrate compliance to relevant stakeholders.”
Now, if you’re a senior leader in a school and want to understand the depth and breadth of a PMP, then your starting point is here, with this email. This email is better than a 2-4-1 voucher offer at Pizza Express, it gives you a free 14-day trial of our App with integrated PMP! You can’t say better than that.
A focus on risk. One way to measure compliance through these changes is the organisation’s ability to evidence the privacy risk. The proposed changes remove the automatic need for a DPIA, instead requiring organisations to have a robust risk framework.
“[organisations] … will be required to ensure there are risk assessment tools in place for the identification, assessment and mitigation of data protection risks across the organisation”
9ine’s Privacy App has comprehensive risk tools as features. This includes the ability to capture, evaluate, treat and report on risk. Not only for privacy, but also for capturing other risks that require management such as safeguarding and technology. It’s almost as though we forecast the changes in law and built a platform for schools that enables compliance!
Accountability at the centre of privacy & safeguarding
For the first time KCSIE links having the appropriate security in place with guidance from the National Cyber Security Centre (NCSC) Cyber Security Training for School Staff. This is generally a nuanced change and fits with the general direction of statutory guidance in relation to Cyber and Data Protection as also seen this year within the Academy Trust Handbook. The positioning of Cyber as a requirement within KCSIE is therefore being seen as a contributing risk to overall safeguarding in schools and a topic in which schools are expected to demonstrate management of when being evaluated against compliance with KCISE.
Whilst not new, in paragraph 134 KCSIE 2022 states: ‘It is essential that children are safeguarded from potentially harmful and inappropriate online material. An effective whole school and college approach to online safety empowers a school or college to protect and educate pupils, students, and staff in their use of technology and establishes mechanisms to identify, intervene in, and escalate any concerns where appropriate.’
Compliments this, paragraph 144 expects an annual review of technology and the risks and harms related to it. Specifically as KCSIE acknowledges that technology contributes to risks of harm.
You will find, when looking closely at privacy and safeguarding, that the protection of children’s data can reduce safeguarding risks of harm. This was recently investigated by Human Rights Watch. The senior leader responsible for your school's PMP is going to have to understand the relationship between the two, and put in place measures to manage these at an operational level in school. Modules six and seven of 9ine’s Privacy Framework enable you to do so, with 9ine’s Vendor Assessment feature of our App, the vehicle in which you are evaluating safeguarding risks of harm for technology in school.
Hide SARs in a cupboard
I lied, you can’t actually put them in a cupboard and forget about them. There are however some important changes so lets start with how they have been historically ‘weaponised’ . In many cases SARs are used as a means to infuse fear into schools. We have seen them used multiple times by individuals and law firms as a means to gain leverage when raising other disputes - primarily as they are time consuming and in many cases costly for schools to complete. The lack of guidance / case law in this area means that often requestors ask for ‘everything’ when what they really need actually relates to a specific topic or period of time. In the government’s own words ‘[to change] the current threshold for refusing or charging a reasonable fee for a subject access request from ‘manifestly unfounded or excessive’ to ‘vexatious or excessive’. This material difference should allow schools to fundamentally refuse vexatious requests, albeit the detail on which to determine whether a request is vexatious or not is yet to be determined. We anticipate that this will give greater grounds for schools to ‘demand’ rather than (as is currently) 'politely ask’ requestors to be specific on the scope of their request. In practice, when a SAR is received a school can ask the requestor to be specific as to the processing activities, dates and damage that is likely to be caused should the request not be fulfilled. If only there was a service that helps interpret SAR requests in the context of schools and current case law, which isn’t a lawyer and speaks common sense…. It’s either 9ine’s DPO Essentials or someone needs to develop a service that deals with these challenges with confidence.
Readying your school for changes to the UK-GDPR
9ine’s Privacy App, designed with an integrated Privacy Management Programme is what schools need to understand the breadth, depth and scope of work to meet the proposed changes in the UK. With over 90 detailed tasks, checklists, time estimates and template resources, the App enables your school to quickly demonstrate a PMP.