GDPR & Online Safety: Is Your School Compliant?

Security

The General Data Protection Regulation (GDPR), replaces the existing Data Protection Act on May 25th 2018. Organisations who do not comply can be fined €20 million or 4% of their global annual turnover, whichever is higher.

Schools will need to closely examine many parts of their operation in order to ensure they are compliant, but one often overlooked aspect is how GDPR can be accommodated by a school's online safeguarding processes.

The new regulations are being brought in to protect the public by strengthening safeguards and to harmonise data protection standards across the EU. Although this is an EU regulation, the UK government has confirmed that it will be unaffected by Brexit.

Schools have a number of online safeguarding obligations under the Prevent duty, and the more recent Keeping Children Safe in Education guidance that came into effect in 2016. The internet filtering and reporting systems that allow schools to carry out these duties have to collect a large amount of personal data about the users in the form of internet traffic logs.

Typically, filtering systems will use the collected data to profile the users in order to flag up concerning behaviour, or to automatically impose bans on their internet access. A side effect of collecting these data is that the school is now responsible for the handling of data which could reveal very sensitive details about an individual, such as their sexual orientation, political opinions and religious beliefs. Under GDPR, these data are considered "special categories of personal data" and are afforded stronger protections.

The regulations hold the school accountable for the security of data that have been collected by the filtering system, and the lawfulness of their use. There are restrictions on transferring data out of the European Union and this article is written on the assumption that no data will be exported from the EU. Schools that use filters from foreign suppliers should check to ensure they are able to meet the regulations and may need to take additional steps.

As well as evaluating the physical security of any servers which are on the school's premises, "cloud" based filtering systems must also be considered very carefully. Such systems rely on transmitting highly sensitive information across the internet to be stored on a system that is not directly under the school's control. It is important to check with the supplier that both the transmission and storage are done securely. In a recent example, a major cloud based web filtering service was found to be using unencrypted channels. Under GDPR, the liability for such a breach could rest with the school.

The regulations promote data minimisation - avoiding keeping personal data for longer than it is needed. This should be taken into account when deciding upon a suitable retention period. Old data can either be erased or anonymised, since anonymous data is not regulated by GDPR.

It is important to be able to demonstrate compliance, so documentation is key. Schools should document the technical and organisational security measures that they have in place. This may include restricting access to the data to only those who need it and ensuring that staff receive data protection training. Internet filtering systems carry out "systematic monitoring of individuals", so each school must appoint a data protection officer.

One of the most important parts of the regulations is the requirement to keep individuals informed. The school should formulate a privacy policy and make it available to everyone that uses the school's internet connection. The policy will need to contain:

  • The identity and contact details of both the school itself and the school's data protection officer.
  • The reason why the data is being collected and used.
  • Why it is lawful for the data to be collected and used in this way.
  • Information about any third parties that may have access to the data.
  • How long the data will be kept for.
  • Information about any automated decisions which may be made.
  • An explanation of an individual's rights.

The legislation provides a number of criteria that can be used to explain why it is lawful and the school must chose appropriate criteria from both Articles 6 and 9 of the regulations. In short, it is likely that it is lawful for a school's filtering system to collect and use data because the school has a legal obligation under the Prevent Duty and Keeping Children Safe in Education (criteria 6(1)(c) and 9(1)(b)).

It may be wise to avoid citing "consent" as a reason why the data collection is lawful. Although, it may seem that collecting data by an individual's consent might be the best thing to do, the regulations make it clear that there can be no detriment to someone who refuses to consent. This means that a school cannot demand consent from an individual in exchange for allowing them to use the internet. The internet access would need to be provided even if the individual did not consent to monitoring. Relying on consent also burdens the school with the need to accommodate data portability requests and the possibility or individuals demanding the erasure of any data which concerns them.

Depending on the filtering system that the school uses, the filtering supplier may have access to the data in order to support the school, and also in order to improve the filtering. If this is the case, it must be explained in the privacy policy.

Most filtering systems are able to make automated decisions based on the behaviour of individuals, whether that be to alert staff about concerning behaviour or to automatically disable that individual's internet access. The privacy policy should explain this and provide details of how to appeal if they believe the system made an unfair decision.

Finally, the privacy policy should explain the individual's rights. If the privacy policy has specified that data are being collected under criteria 6(1)(c) and 9(1)(b), the individuals rights are: a right of access to the data and to have errors corrected, a right to restrict the use of the data, a right to appeal automated decisions and a right to lodge a complaint with a supervisory authority.

Everyone hopes it won't happen to them, but unfortunately security breaches do occasionally happen. There are new requirements for a supervisory authority, and sometimes the individuals themselves, to be informed in the event that there is an unauthorised access to the data. It is important to have a reporting procedure in place and staff trained to recognise and report breaches.

This is a brief analysis of how the safeguarding obligations of schools fit in with the new regulations, it does not constitute legal advice. Schools that have any concerns about compliance with GDPR should seek independent advice.

The Information Commissioner's Office has published a good overview of the requirements: https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/

The EU legislation itself is available to download: http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN