The importance of data protection

If a school gets its data protection policies wrong the consequences can be unpleasant and reputationally damaging, says Andrew Gallie

The Data Protection Act 1998 is legislation that all schools must be familiar with. It embodies a series of principles about how personal data should be handled by a school. It is ‘policed’ by the Information Commissioner’s Office (ICO), which has the power to impose fines of up to £500,000.

Questions that every school must address are: “are we data protection compliant?” and “do we have the right policies and procedures to ensure we are data protection compliant?” Robust pragmatic policies are absolutely necessary in ensuring that a school can answer both in the affirmative.

This article explains why policies are important and provides warnings about the consequences of getting data protection wrong. In short, data protection must be taken very seriously.

The function of written policies, backed up with procedures, is to make staff (and governors) aware of their responsibilities. They should describe the underlying principles and identify who is responsible for what. They can include guidance on how personal data may be accessed and by whom. They should also deal with:

✥ what information should be retained, or destroyed and when
✥ guidance on the use of computers
✥ the handling of paper records
✥ the use of personal devices

A policy needs to be ‘owned’ by the school so there can be disadvantages in just buying one off the shelf. To implement a live document, a school should use a template which covers the main areas described above and then work through these to make sure they are fully understood and deal with issues specific to the school.

Having policies in place, reviewed and approved by governors, is also, in itself, evidence that data protection is taken seriously and that good data protection practices are ingrained. The policies and procedures are as critical as health and safety policies and should be regularly reviewed and tested. Best advice is that governors should consider them at least yearly to ensure that they remain fit for purpose.

If there is a breach of the Data Protection Act and a school has not put policies in place, then it will have acted in direct contravention of guidance from the ICO. Such a contravention will significantly increase the risk of a fine and the risk of reputational damage. A lack of clear policies is a real indication of a lack of clarity about how data protection issues should be handled and how personal data should be treated. Not only is this disrespectful of the data subjects and their rights, it may well mean an increased burden for staff – from clerical staff to senior staff – and this in itself can be extremely detrimental to the wellbeing of a school.

Personal data is information about a living person. The Data Protection Act is based upon eight principles. These require that personal data:

✥ is processed fairly and lawfully
✥ is obtained only for lawful purposes and is not used for incompatible purposes
✥ is accurate and up to date
✥ is adequate, relevant and not excessive
✥ is not kept for longer than is necessary
✥ is processed in accordance with rights of data subjects
✥ is protected by appropriate technical and organisational measures against unauthorised use and against accidental loss
✥ is not transferred outside the European Economic Area unless to a country with proper protection of personal information

Personal data must be treated with respect – or, put another way, must be dealt with in the same way as you would like information about yourself to be dealt with.

It should be stressed that critical comments about an individual are personal data. A useful rule is: nothing should be recorded which would cause embarrassment if disclosed to the data subject. This is a very basic rule and should be treated as having paramount importance. Information held about an individual belongs to that individual. The fact that disclosure of the information may cause embarrassment is not a recognised exemption under the Act. Destroying information after a subject access request is made is potentially a serious data protection breach. However, if information is destroyed before a request, then this may simply be sensible information management.

Information security is perhaps the most important area for a school. If personal data is lost or there is unauthorised access to it, then this could cause real harm to staff, pupils or parents. This could result in a fine and could cause serious reputational damage. Information security should therefore be treated as seriously as the physical security of the school. Just as a school will review who can visit its premises and for what purposes, it should review who can access information and what security is in place.

Information is often held on computers and there have been a variety of cases where laptops have been stolen from schools or from homes. If there is a failure by the school to ensure encryption or other appropriate security measures are used, then this in itself could be a breach of the Act.

One particular problem is the use of memory sticks. If a school allows the use of unencrypted memory sticks and one is lost, then there really will be no defence. Encrypted sticks are more expensive, which may mean that they are only issued where their use is necessary. If an encrypted memory stick is lost, there will not be a breach of the Act.

It is also advisable to review how paper records are stored. Confidential information must be kept in locked cupboards in order to comply with the Act. Leaving confidential or sensitive information on a desk overnight creates an avoidable security risk.

In order to emphasise the importance of these simple points, it is useful to consider some published cases.

In 2013 the Nursing and Midwifery Council was involved in a fitness to practise investigation against a nurse. It sought to send three DVDs containing highly sensitive information to the hearing venue. But when the packages were opened at the venue there were no DVDs inside. They had been lost, and the DVDs were not encrypted. A review of the procedures recommended that there should be more formal policies and procedures regarding the security of such data, including the encryption of any data stored on removable media. Nonetheless, the ICO imposed a fine of £150,000.

In 2011 an officer of Aberdeen City Council used a secondhand computer for home working. This computer had an automatic file transfer program installed. This meant that the whole of her ‘My Documents’ folder was automatically uploaded onto the internet – and this included data from her work email and from a USB stick. The material which was uploaded was highly sensitive information about children, their parents and their involvement with social work. The council was fined £100,000. The council’s policies were subsequently strengthened and all council-issued computers are now encrypted.

Cases such as the above are commonplace. Whilst they demonstrate how easy it is to get data protection wrong, it is also easy to get it right: proper procedures and policies, providing clarity about where responsibility lies, coupled with proper training, are what is needed.

In conclusion, there really is only one answer to the question “Are data protection policies worth having?” and that is a resounding “yes”.

Andrew Gallie is an associate at leading education law firm Veale Wasbrough Vizards T: 0117 314 5623