The General Data Protection Regulation Six months on – What’s changed

Presentation transcript:

The General Data Protection Regulation Six months on – What’s changed
John Harle
Data Protection Officer for: Bay Education Trust, Coast Academies Trust, Maids Care CIC

Objectives of the presentation
- What is GDPR and what changed from the Data Protection Act 1998;
- The post 25th May 2018 data world;
- How much information is too much information;
- The school DPO view: what do I expect to see from companies wanting to work with schools;
- General questions and concerns from you.

Who am I?
I have been in education for two years now and I am currently the Data Protection Officer for Bay Education Trust, Coast Academies Trust and a Social Care Provider in South Devon. I was formerly the Information Governance Manager for NHS Northern, Eastern and Western Devon Clinical Commissioning Group. Essentially, if someone wanted your health information, they had to go through me.

GDPR and the Data Protection Act 2018 – The principles
Reduction from 8 principles to six; they are found in Article 5 of GDPR:
- Personal data must be processed fairly, lawfully and transparently (lawfulness, fairness and transparency)
- Personal data must only be collected for specified, explicit and legitimate purposes (purpose limitation)
- Only collect data which is necessary for the business function (data minimisation)
- Data must be kept accurate and current (accuracy)
- Data must not be retained for longer than is necessary (storage limitation)
- The confidentiality and integrity of personal data must always be maintained (integrity and confidentiality)

GDPR and the Data Protection Act 2018 – The principles
Whilst not a fundamental principle, it is vitally important: the need to demonstrate accountability and compliance. This can have major implications (and headaches) for DPOs if it is not achieved – not only do you have to adhere, you have to be able to demonstrate it.

GDPR and the Data Protection Act 2018 – The fundamental rights
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- The rights in relation to automatic decision making and profiling

GDPR and the Data Protection Act 2018 – Exemptions
Not a huge amount has changed from the DPA 1998 and many of the exceptions are included in this. Specific categories which are exempt in education include:
- Education data processed by the courts;
- Education data: serious harm;
- Education data: restriction of the right of access.
More information can be found on the webpage below:
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/exemptions/

The post 25th May 2018 world – The view of the Information Commissioner
- Fines have increased significantly and current cases demonstrate that the ICO is not afraid to issue enforcement penalties (up to 17 million pounds or 4% of global turnover).
- The ICO view is that they will continue to review and monitor as they did in pre-GDPR days; however, they will be looking at specific cases and amending the guidance as they go along.
- Essentially, as more clarity is obtained, the more stringent the ICO will become on enforcement action.
How I understand this is that you have to be able to justify why you have taken a specific course of action at that given time.

The post 25th May 2018 world – How much information is too much?
What is your view on this? Consent is king in any data protection process, but this doesn’t mean you can collect anything you want: collection is still subject to the DPA principles and, remember, you have to justify why you have collected it if challenged. The ICO may need to be contacted for advice if you cannot mitigate the risks involved in a project.

What am I expecting to see from any provider?
- Are your policies and procedures up to date, including privacy notices?
- Is the information you are requesting or wish to share in line with the principles set out in the DPA 2018?
- How will you keep our information secure?
- What are your disaster recovery processes?
- Data flow mapping
- A valid information sharing agreement; this can be part of a contract of service and clearly sets out the above information, including breach notification and key contacts
Once the above has been satisfied, I would be happy to allow the information to flow between organisations.

Any questions? Be gentle

Key pages and documents
- Data Protection Act 2018 Schedule 3 – Part 4 (Education Data): https://www.legislation.gov.uk/ukpga/2018/12/schedule/3
- Bay Education Trust policies and procedures, including Data Protection policies and privacy notices: https://www.bayeducationtrust.org/trust-policies/
- ICO GDPR pages: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/ and https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/exemptions/

Contact details
John Harle – DPO for Bay Education Trust
john.harle@bayeducationtrust.org
I am here for the day so if there are any additional questions you can think of, please don’t hesitate to come and have a chat with me.