The GDPR & Schools - An Introduction -

What is the GDPR?
The GDPR is the General Data Protection Regulation (EU 2016/679). It supersedes the Data Protection Act 1998 and applies from 25 May 2018. Any organisation that processes personal data must comply. Organisations found not to be compliant can be fined up to €20 million or 4% of annual turnover (for a school, effectively its annual budget), whichever is higher.

The Key Aspects
Data breaches: it will be mandatory to report personal data breaches that are likely to pose a risk to individuals to the ICO within 72 hours of becoming aware of them.
Penalties: fines of up to €20 million or 4% of annual turnover (for a school, effectively its annual budget), whichever is higher, for non-compliance, as well as an impact on your Ofsted ratings if policies and processes are not in place.
Data processors and suppliers: it is the school's responsibility to ensure that third-party suppliers who process data on its behalf also comply with the GDPR. The GDPR requires a written contract with every such supplier, covering how the data is stored and processed.

GDPR gives more control to individuals
Individual rights: the GDPR gives individuals more control over their data, including the right to erasure.
Data officers: it will be mandatory for schools, as public authorities, to appoint a Data Protection Officer (DPO).
Accountability and evidence: schools must be able to demonstrate compliance.
Schools must get it right now, in 2018 and beyond.

The 9 Rights
The GDPR outlines nine 'rights' that permeate the legislation. These are:
Access: individuals have the right to obtain from you confirmation as to whether or not personal data concerning them is being processed and, where it is, access to that personal data.
Rectification: individuals have the right to obtain from you the rectification of inaccurate personal data, and to provide additional personal data to complete any incomplete personal data.
Erasure: in certain cases, individuals have the right to obtain from you the erasure of their personal data.
Restriction of processing: individuals have the right to obtain from you the restriction of processing, for a certain period and/or in certain situations.
Portability: individuals have the right to receive from you, in a structured, commonly used and machine-readable format, the personal data they have provided to you, and the right to have it transmitted to another controller.
Object: in certain cases, individuals have the right to object to the processing of their personal data, including profiling. They have the right to object to any further processing of their personal data for direct marketing purposes.
Automated decision-making: individuals have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects on them.
Complaints: individuals have the right to lodge a complaint about your processing of their personal data with the relevant data protection authority (in the UK, the ICO).
Damages: if you breach the applicable legislation on processing their personal data, individuals have the right to claim compensation from you for any damage the breach has caused them.

The DPO (Data Protection Officer)
All schools, as public authorities, must appoint a DPO.
The DPO may hold other roles, but not ones that create a conflict of interest, e.g. Network Manager or safeguarding officer, because those roles decide how personal data is processed.
The DPO advises on and monitors compliance, but legal responsibility for compliance remains with the school as data controller: senior management and governors are liable.
The DPO must have the requisite skills to undertake the role, e.g. to investigate, audit, monitor and challenge.
The DPO needs to be supported (including financially) to ensure compliance.

Vocabulary: Pseudonymisation
This term, defined in the GDPR, refers to processing personal data in such a way that it can no longer be attributed to a particular data subject without cross-referencing it with additional information. That additional information must be kept separately and be subject to technical and organisational security measures so that the data subject cannot be identified. Pseudonymised information is still personal data, but the GDPR promotes its use in certain circumstances to enhance privacy and contribute to overall compliance. For example, the GDPR expects pseudonymisation to be considered as a safeguard when personal data is to be further processed for a purpose other than the one for which it was originally obtained. The technique could also be appropriate for schools wishing to use pupil data for historical or statistical purposes.
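As an added illustration that is not part of the original presentation, the following Python example shows what "kept separately" means in practice: pupil identifiers are replaced by HMAC-SHA256 pseudonyms computed under a secret key, the pseudonym-to-pupil lookup table is held apart from the analysis dataset, and the same code shows why an unkeyed hash of a structured identifier such as a UPN is not adequate pseudonymisation, because anyone holding a list of candidate identifiers can recompute the hashes and match them. The register, the UPN values and the key are constructed for the example.

```python
"""Pseudonymising a pupil register with a keyed hash.

Added example, not part of the original presentation. All pupil records,
identifiers (UPNs) and the key below are constructed for illustration.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample register: direct identifiers plus the attributes a
# school might want to analyse statistically (year group, SEN flag).
REGISTER = [
    {"upn": "A123456789012", "name": "Alice Example", "year": 7, "sen": True},
    {"upn": "B987654321098", "name": "Bob Example", "year": 9, "sen": False},
    {"upn": "C112233445566", "name": "Carol Example", "year": 7, "sen": True},
]


def new_key() -> bytes:
    """Generate the secret that links pseudonyms back to pupils.

    This key is the 'additional information' the GDPR requires to be kept
    separately, under technical and organisational security measures.
    """
    return secrets.token_bytes(32)


def pseudonymise(upn: str, key: bytes) -> str:
    """Stable pseudonym for a pupil identifier: HMAC-SHA256, truncated to 16 hex chars.

    The same UPN maps to the same pseudonym under the same key, so the analysis
    dataset can still be joined across years; without the key the mapping
    cannot be recomputed.
    """
    return hmac.new(key, upn.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def split_register(register: list, key: bytes) -> tuple:
    """Split a register into an analysis dataset and a separate lookup table.

    The dataset keeps only the pseudonym and the attributes needed for the
    statistical purpose; names and UPNs are dropped. The lookup table
    (pseudonym -> UPN) is the re-identification key and must be stored apart
    from the dataset with restricted access.
    """
    dataset, lookup = [], {}
    for rec in register:
        pid = pseudonymise(rec["upn"], key)
        dataset.append({"pid": pid, "year": rec["year"], "sen": rec["sen"]})
        lookup[pid] = rec["upn"]
    return dataset, lookup


def reidentify(pid: str, lookup: dict) -> Optional[str]:
    """Controlled re-identification: only possible with the lookup table."""
    return lookup.get(pid)


def unkeyed_hash(upn: str) -> str:
    """The naive approach: plain SHA-256 of the identifier, no secret involved."""
    return hashlib.sha256(upn.encode("utf-8")).hexdigest()


def dictionary_attack_unkeyed(candidates: list, target: str) -> Optional[str]:
    """Why plain SHA-256 of a UPN is not pseudonymisation.

    A UPN is a 13-character structured code, so anyone who obtains the
    'anonymised' dataset and a plausible list of UPNs can hash each candidate
    and match the result. Returns the recovered UPN, or None.
    """
    for upn in candidates:
        if unkeyed_hash(upn) == target:
            return upn
    return None


def dictionary_attack_keyed(candidates: list, target: str, guessed_key: bytes) -> Optional[str]:
    """The same attack against HMAC pseudonyms succeeds only with the real key."""
    for upn in candidates:
        if pseudonymise(upn, guessed_key) == target:
            return upn
    return None


if __name__ == "__main__":
    key = new_key()
    dataset, lookup = split_register(REGISTER, key)
    print("analysis dataset:", dataset)
    print("re-identify first row (with lookup table):", reidentify(dataset[0]["pid"], lookup))
    upns = [r["upn"] for r in REGISTER]
    print("unkeyed hash recovered by dictionary attack:",
          dictionary_attack_unkeyed(upns, unkeyed_hash(upns[0])))
    print("keyed pseudonym recovered with a wrong key:",
          dictionary_attack_keyed(upns, dataset[0]["pid"], b"wrong key"))
```

The point of the split is organisational as much as technical: the analysis dataset can be handed to a statistics team or a supplier, while the key and the lookup table stay under the school's own access control. If the key is stored alongside the dataset, the pseudonymisation offers no protection at all.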

Vocabulary: PIAs
Privacy Impact Assessments (PIAs), called Data Protection Impact Assessments (DPIAs) in the GDPR itself, are not new; what is new is that the GDPR requires them in certain cases. A PIA must be carried out when you are planning a new initiative that involves "high risk" data processing, i.e. where there is a high risk to individuals' rights and freedoms, such as systematic monitoring of individuals, systematic evaluation or profiling, or processing special categories of personal data, especially where large numbers of individuals or new technologies such as biometrics are involved. The purpose of a PIA is to identify and minimise data protection risks before the processing starts; where a high risk cannot be mitigated, the ICO must be consulted before going ahead.

Vocabulary: DPAs (Data Protection Audits)
Schools should review and document the personal data they hold, and identify its source and who it is shared with. This exercise is commonly called a data protection audit and can be carried out across the entire school or confined to distinct areas within it. Unless you know what personal data you hold and how it is processed, it will be difficult to comply with the GDPR's accountability principle, which requires you to be able to demonstrate how the school complies with the data protection principles in practice. A further benefit of a data protection audit is that it maps the flows of personal data into and out of the school, can be used to measure how far the school complies with the law, and identifies "red flags" that require urgent attention.

Vocabulary: DPPRs
The GDPR is likely to require all schools to review their policies, particularly those relating to data protection. Data protection policies for pupils and parents explain an individual's legal rights and how those rights can be exercised. Because the GDPR changes those rights, your policies will also have to be amended. Any policy intended to be read by children must be written in clear, non-technical language that its intended audience can readily understand. You should ensure that your policies are easily accessible and not "buried" on your website.

Vocabulary: Training
Schools will continue to be under an obligation to take organisational measures to keep personal data secure, and staff data protection training will continue to be expected. New starters should receive data protection training before they are given access to personal data, and existing staff should receive regular refresher training. A school that breaches the GDPR (or the current DPA) will be criticised if it has failed to ensure that all staff who handle personal data have received data protection training, because staff training is a simple organisational measure that reduces the likelihood of data losses.

The Ten Steps To Implementation
1. Raise awareness: understand the requirements and communicate what is coming to relevant parties, e.g. staff, parents, governors.
2. Accountability and data governance: how will you demonstrate compliance to relevant parties?
3. Communicate: you need to tell individuals how you will use their data; how will you achieve this?
4. Legal grounds: ensure that any data collected or held has a lawful basis, e.g. consent or another legal ground.
5. Consent: review how you seek consent and who you allow to give it.
6. Individual rights: how will these be communicated and protected, e.g. the process for amending or changing data?
7. Right of subject access: the right to view any data held; how will this be managed? In most cases no fee can be charged, and you must respond within one month.
8. Data breaches: the procedure for managing, recording and communicating breaches, and how breaches are used to improve practice.
9. Children: children are now seen as 'vulnerable' and requiring 'special consideration'. Can children approve or amend their own data?
10. International issues: does the school transfer data between itself and overseas? Will the process comply with the GDPR requirements?

The School Readiness Assessment Framework Should Be Used To Identify Areas of Strength and Weakness In Your School

The Support Pack Contains A Wide Range Of Resources and Help In Preparation for the GDPR In Your School
