Bursars Review | Autumn 2017 | Sample

Where IT systems and culture combine

As above, I emphasise that GDPR is not an ‘IT problem’. This is primarily to give a wake-up call to those (and there are many!) who have tried to pass the buck to the technical department, claiming all this ‘data stuff’ is not their area. In fact, compliance is an issue that starts with the foot-soldiers, any of whom could make a mistake for which the school could be legally liable, and goes all the way up to the board of governors, who are expected to have full visibility of (and take responsibility for) data privacy at the school.

However, this is not to play down the importance of IT. In a modern school it has a big role to play: if data protection law may be characterised (very broadly) as the way the law describes interactions between organisations and individuals, then, as we know, an increasing majority of those interactions now happen (and are recorded) digitally. This goes particularly for email, intranet, e-filing and record-keeping, as well as automated systems, monitoring and storage.

Alongside systems that are secure and fit for purpose, how humans and IT combine is equally important. There are two sides to this coin:

1. How do staff record information? How do they use email? Are they aware that, with only limited exceptions under subject access rules, anything they write about an individual (colleague, pupil or parent) could be provided to that person on request? Are they aware of the need to be accurate, and not excessive, in how they ‘record’ information about people, given how long digital data is retained?

2. How prepared is your school to deal with requests from individuals? For the reasons set out below, your ability to respond effectively, promptly and proportionately to these requests will in large part depend on the quality of your systems.
Dealing with data subjects

Under GDPR it will not simply be subject access (which is itself a huge burden, and the response time is being reduced from 40 days to 30). Additional subject rights will include:

1. The right to object to certain ways in which you process their data: not just an automatic right to object to marketing (including fundraising), but also to challenge where you are relying on ‘legitimate interests’ to process their data. This is even more critical because of the ease with which individuals can now withdraw any consent previously given. Schools may still have valid legal grounds to process, but the burden will be on them to show it, or the ICO could make them stop. This emphasises the need to have systems and records in place such that these questions can be quickly and confidently answered, and those answers supported by policies and PIAs (privacy impact assessments).

2. The right of rectification or erasure of data (erasure is sometimes called ‘the right to be forgotten’). This right is by no means absolute, but again you will need to be ready with prompt answers: why do we need this data? How did we get it? Does the purpose still stand? And, for justified complaints: how easy will it be to fix? This emphasises the need for systems which are readily accessible, searchable and amendable, and which record key data points: what category of data is this, how did we get it, and what legal grounds are we relying on to use it?

3. The right of ‘data portability’: if someone transfers to a different school, for example, they have the right to ask that the personal data they provided is copied across to the new school (the right covers data the individual supplied and which is held electronically, rather than every record the school holds about them). This emphasises the need for systems to keep personal data in organised, intelligible and transferable formats.

Bursars will need no reminding of how hard subject access requests can be to deal with; these new rights raise the stakes further.
But the positive spin is this: think how much easier your life would be already if your systems were this efficient!

Getting the message across

Once again, there are two sides to this coin. There are your staff and governors, from whom you need buy-in, urgently and wholeheartedly. Bursars cannot shoulder this alone, whether or not you are ‘Data Protection Officer’ (which, as a separate point, is probably not a title you should be using from next May unless future guidance says that you have to; but that is a subject for a separate article in itself). Ideally, you want a squad of data privacy ‘champions’ in different areas of the school, notably IT, HR, legal (if applicable) and someone in the staffroom. These champions will need to take an internal comms lead in emphasising the importance, and benefits, of improving data health and practices, rather than treating it as yet more dreaded red tape. Existing specialists with duties around safeguarding, archiving and development will also have a role to play: narrower, perhaps, but vital in their fields.

The appointment, and suitable training, of appropriate people in these roles does not override the need to give all staff a basic and regular level of training in data protection issues. This should not be limited to a crash course in the law, but should include a clear explanation of relevant policies: why decisions were reached, and why they matter.
