The journey to GDPR implementation has been heavily influenced by digital technology and our growing capacity to store enormous quantities of information and content. The reality of massive storage that can be accessed from pretty much anywhere around the globe is driven by high-speed internet and headlined by pocket PCs with Swiss Army knife levels of versatility: smartphones and ‘phablets’. On the negative front, quicker access and mass centralised storage have also meant a higher potential for data breaches and leaks, by methods and at scales at which physical documents, media, passwords and other locally stored information could never have been lost or stolen.
Firstly, to rewind: the Data Protection Act of 1984 mainly dealt with how personal data (race, religion, criminal convictions, physical, mental and sexual health, etc.) was handled, was intended to regulate computer bureaus (essentially early IT companies), and pinpointed accountability in the event of data misuse through the introduction of an appointed Data Protection Registrar as well as a Data Protection Tribunal. As IT was fast beginning to play a larger and more integral role in companies, the law was playing catch-up, attempting to govern the growing variety of avenues for potential data misuse.
Because at the time IT services were outsourced pretty much universally, in practice only IT staff were Registrars, and the average business neither saw a need for one nor was mandated to appoint one. However, the introduction of the Data Protection Act of 1998 legislated that a data controller who wishes to process data had to register in a database under the control of the UK Information Commissioner’s Office. This act introduced less broad and more detailed offences for data breaches; for example, it became a criminal offence to require that someone make a Subject Access Request in relation to prior cautions or convictions (defined in the legislation as ‘sensitive data’) when attempting to hire or continue to employ them.
Fast-forwarding 20 years, the General Data Protection Regulation (GDPR), in force from 2018 for all members of the EU and the EEA, created a denser paper trail for data collection and its use (as well as more accountability). For example, each company or organisation that determines how the data it collects or holds is used is known as a data controller, while whoever processes the data on behalf of the data controller is known as a data processor. The legislation says that the details of the relationship between the two organisations should be readily available upon request, with their controller and processor contract fulfilling several minimum requirements, such as committing to a ‘certain level of confidentiality and security’.
Evidently, over time, as each data protection regulation has passed, more of the blind spots and loopholes created mainly by advancements in digital technology have been closed or exposed. However, a major problem with GDPR lies in its very name: it is still very general. A multi-issue bill that covers a truly complex and dynamic environment means that it is genuinely difficult to apply the relevant sections of the law to one’s business or organisation, as even the number of employees, as well as the type of data held or processed, affects whether certain regulations apply or not.
Schools are a prime example of this legislative nightmare. For instance, companies with fewer than 250 employees are exempt from keeping a record of their processing activities unless their “processing of personal data is a regular activity, poses a threat to individuals’ rights and freedoms, or concerns sensitive data or criminal records” (European Commission, 2018).
As of 2016/17, UK schools have an average of around 16 full-time teachers per school (BESA, 2018), and even when factoring in part-time teachers, administration, site and contractual staff, the 250 employee threshold remains a long way away.
However, state education officials and staff are carefully monitored and are held to the highest of standards with regard to a criminal record, for example, and therefore their data is collected and held by their school employer as part of the previously mentioned “regular activity”. Therefore, according to the law, a Data Protection Officer (DPO) must be appointed in this event, even though the employee threshold has not been met. Additionally, schools also hold enormous quantities of data about current and past pupils, which requires even stricter measures of safeguarding under GDPR.
So evidently a school’s DPO (or DPOs) has their hands very full with the two separate sets of data they have to safeguard, each of which carries a different level of required compliance in terms of how it can be processed. Therefore staff GDPR training or awareness courses are of the utmost importance in the education sector, from nurseries to, notably, universities and colleges, which typically employ more staff members than schools and enrol significantly more students.
Although each organisation sets internal levels (or standards) of compliance on top of mandatory regulations, GDPR training is necessary not just to avoid data misuse or breaches but to show an earnest attempt to comply with the law in the event that one occurs anyway, because ignorance is not a solid defence in court.
‘Smartlog’, Safesmart’s compliance and health & safety training software, includes among its 20 training courses a basic GDPR training course as well as a much longer, more extensive course that is intended for an organisation’s DPO. Up-to-date knowledge and frequent refresher courses concerning the application of legislation are very helpful in promoting a more professional educational environment where students’ and teachers’ personal data is handled and stored much more carefully and in accordance with current law.
Legislation.gov.uk (n.d.) ‘Data Protection Act 1984 (repealed 1.3.2000)’. Available at: http://www.legislation.gov.uk/ukpga/1984/35/contents/enacted (accessed: 21/02/2019)
Law Society of Scotland (2017) ‘GDPR – Do you need a data protection officer?’. Available at: https://www.lawscot.org.uk/news-and-events/news/gdpr-data-protection-officers/ (accessed: 21/02/2019)
Legislation.gov.uk (n.d.) ‘Data Protection Act 1998’. Available at: https://www.legislation.gov.uk/ukpga/1998/29/contents/enacted (accessed: 21/02/2019)
European Commission (2018) ‘Rules for business and organisations’. Available at: https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations_en (accessed: 21/02/2019)
GOV.UK (2018) ‘National Statistics: School workforce in England: November 2017’. Available at: https://www.gov.uk/government/statistics/school-workforce-in-england-november-2017 (accessed: 21/02/2019)
BESA (2018) ‘Key UK education statistics’. Available at: https://www.besa.org.uk/key-uk-education-statistics/ (accessed: 21/02/2019)