GENERAL DATA PROTECTION REGULATION (GDPR)

Presentation transcript:

GENERAL DATA PROTECTION REGULATION (GDPR) Staff Training MAY 2018

What is GDPR?
- New data protection legal framework across the EU.
- Need to show we are working towards compliance by 25 May 2018
- Applies to ‘Data Controllers’ (school and GB), ‘Data Processors’ (3rd party organisations) and ‘Joint Data Controllers’ (school, GB and 3rd party joint decisions)
- GDPR applies to personal data and sensitive personal data (special category personal data), including developing digital technologies.

GDPR principles
- Processed lawfully, fairly & transparently
- Collected for specific, explicit & legitimate reasons, and not processed further in a manner incompatible with those purposes (does not include ‘in the public interest’)
- Adequate, relevant & limited to the purposes
- Kept no longer than necessary (does not include ‘archiving in the public interest’)
- Processed securely. Protected from unauthorised / unlawful processing, accidental loss, destruction / damage.

Legal basis
- Consent: the individual has freely given clear and unambiguous consent
- Contract: the processing is necessary for a contract you have with the individual
- Legal obligation: the processing is necessary for you to comply with the law
- Vital interests: the processing is necessary to protect someone’s life.
- Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, i.e. needed to run the school safely and effectively
- Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party

(Groupcall: GDPR for schools) “A school is considered to be a public body and it is obviously in the public interest that we operate schools and educate our children. Accordingly, for all the common tasks carried out by schools we do not need to ask for the data subject’s consent but rather we can use ‘public interest’ as our legal basis for processing the appropriate personal data. This would cover our use of personal data for all the everyday tasks within schools – operating a curriculum, storing personal data about our pupils, their parental contacts, staff, timetable information, cashless catering, library systems, the annual census requirements…” (Groupcall: GDPR for schools)

Personal data
Relates to an identifiable living individual.
- Name
- Identification number
- Location data
- Online identifier
- Physical, physiological, genetic, mental, economic, cultural or social identity.

Sensitive personal data
Greater legal protection: expected to be treated as private and confidential.
- SEND
- Medical
- Race or ethnicity
- Political opinions, religious beliefs or membership of trade unions
- Physical and mental health or sexuality
- Criminal offences, genetic or biometric data

Data protection officer (DPO)
- Inform and advise school re. obligations.
- Monitor compliance and policies.
- Raise staff awareness.
- Staff training.
- Advice regarding Data Protection Impact Assessments.
- Contact point for Information Commissioner’s Office.

Steps to compliance
1. Raise awareness: SLT, GB, staff
2. Data Mapping: Document what personal data is held & processed, where it comes from & who it is shared with
3. Privacy notices: Review / update and plan any necessary changes
4. Individual’s Rights: Consider all personal data held / processed. Does it comply? Could we deal with data erasure requests or withdrawn consent?
5. Subject Access Requests: Update and develop procedures.
6. Agree Lawful basis for processing: Identify & document legal basis and update Privacy Notices to explain it
7. Consent: Decide how to get it, record & update it
8. Data breaches: Everyone’s responsibility. Report to DPO
9. Privacy Impact Statements: Required for high-risk processing and new technologies

Reportable Data breaches
- Loss or unauthorised access to personal info is likely to cause most harm
- Staff must be aware of process and inform DPO / HT
- Penalties are for major breaches, affecting large numbers or causing huge issues
- ICO must be notified within 72 hours
- If breach is potentially ‘high risk’ schools must also notify the Data Subject

Consent
- Consent conditions have been strengthened considerably
- Data Subjects have the right to be informed: what data you are using, why and for what purpose (applies across all lawful bases for processing as well)
- Must be freely given, for a specific purpose and clearly explained and informed
- Consent must be a clear affirmative action
- Can be withdrawn at any time
- Only requested if no legal way of obtaining / processing information

Rights
- To be informed
- Consent
- Access
- Rectification
- Erasure
- Restrict processing
Rights may be dependent on the basis they are being processed (e.g. Public Interest: generally no right to Erasure)

Data map
- Share current document.
- Staff suggest additional data collection, processing and who data is shared with.