Bursars Review | Spring 2018 | Sample
Spring 2018 www.theisba.org.uk 10 Feature

In the past, one of the most common complaints about the ICO was the sheer weight and volume of its guidance, and its caution and specificity in interpreting the law – some would call it gold-plating. But in the build-up to GDPR, the opposite complaint has been heard: schools (in common with all sectors) have been crying out for final-form ICO guidance on key areas such as consent, legitimate interests, children, drafting PIAs, the appointment of a DPO and so on. However, despite some ever-expanding general guidance to the GDPR (accessible at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/), the critical final form of the deep-drilling guidance in the key areas of most day-to-day impact is still outstanding in almost every area.

EU law

In fairness to the Information Commissioner, the blame for delay on this does not sit solely on her desk. For one thing, only a month after the final text of GDPR was agreed, the Brexit referendum threw the entire status of the legislation (temporarily) into doubt, and government support from the Department for Digital, Culture, Media & Sport (DCMS) – the sponsoring department – has been limited ever since. What is more, now that it is confirmed that UK law will have to reflect EU law on this issue, the ICO also needs to make its guidance consistent with that of the European Commission’s relevant body (the Article 29 Working Party or WP29). This body is also producing its own EU-wide guidance, which adds to the body of useful, albeit wordy, material available for organisations. For example, in December 2017, the WP29 finally produced its own draft guidance on consent for consultation – a full nine months after the ICO did the same. This is hopefully a step towards a settled version by the time this edition is published, or soon after.

Current guidance

The above should not fool anyone into thinking that the ICO does not have plenty of useful resources, for example:

■ Sector-specific guidance for education is available on the ICO website, and the page https://ico.org.uk/for-organisations/education/ (containing a number of links and documents) was updated as recently as 21st December 2017. Inevitably, however, this is aimed across the board (rather than split into maintained schools, academies, MATs, free schools and independents) – and presents a mix of very general GDPR guidance, an hour-long webinar, and much more specific guidance relevant to schools that is still based on the Data Protection Act 1998. The latter is not a great deal of help when it comes to strategising over the (sometimes critical) finer points of GDPR. That said, many of the basic principles are not changing, and schools should feel reasonably comfortable in adhering to such guidance as the ICO continues to publish until better GDPR guidance is available.

■ General guidance, such as the evolving Guide to the GDPR document referenced above, is also conveniently linked from the above page alongside FAQs, step plans and self-help checklists. The most recent changes to the Guide to the GDPR (at time of going to press) were issued in December 2017, and key new or adapted sections cover the following areas:

  ■ Lawful basis for processing personal data. Both current and new data protection law rely on the school establishing a ‘lawful basis’ for any processing of personal data. These include consent and ‘legitimate interests’ (see below). The ICO Guide emphasises the need to consider any existing or new processing and determine which lawful basis is met; and the new requirement to document and publish this in a privacy notice to be actively provided (wherever possible) to relevant individuals.

  ■ Consent. As above, the ICO is still due to publish fuller guidance on GDPR consent, but the Guide (and the ICO draft – see below) gives a clear idea of its thinking: that GDPR sets a high bar. The ICO Guide reminds you to be clear that individuals can withdraw consent; and that if consent is withdrawn, you cannot then look for a different lawful basis. This makes it all the more important to consider what lawful means are available to process without consent, and the ICO Guide concedes that this is a legitimate approach.

  ■ Legitimate interests. The Guide notes how flexible this very useful alternative to consent can be, but spells out that you need to:
    1. identify a legitimate interest for processing the data and set it out in your privacy notice;
    2. be able to show that your processing is necessary for that legitimate interest; and
    3. balance your interest against the privacy interests of the individual.
  It recommends that you carry out and document a ‘legitimate interests assessment’ for relevant processing activities and suggests an approach to this. Please note that legitimate interests alone will not be sufficient to process special category or criminal offence data, or to send electronic direct marketing.

  ■ Sensitive personal data (now termed ‘special category’ and criminal conviction/offence data). In addition to a lawful basis, these categories of data (including information relating to race, religion, health and sex life) require you to meet a further, narrower, condition. Again, this must be documented and communicated to relevant individuals.

  ■ New subject rights and how to comply with them (https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/).