Newsflash - Christmas 2020
Welcome to our festive newsletter. Unfortunately, our main update is on Brexit but we are also providing some guidance on managing data going into the Christmas and New Year break. We also wanted to say a big well done to everyone for pushing through another difficult term. It really is a tough job trying to keep schools open whilst keeping everyone safe. All of you have done an excellent job at handling this during a difficult time.
In our last newsletter we alerted you all to the fact that there may be data protection issues resulting from Brexit but the Government were hopeful these would be resolved by the end of the transition period (31st December 2020). Here is our updated and more detailed guidance on Brexit and its implications for you.
What is the current position?
As the UK will no longer be part of the EU at the end of the transition period, organisations need to ensure there are safeguards in place to transfer any personal data between the UK and the rest of the European Economic Area (EEA – which is all countries in the EU plus Iceland, Liechtenstein and Norway). Data can be transferred safely from the UK to the EEA as the UK have deemed the EEA to be adequate for data security purposes. The issue is that the EEA have not currently done the same for the UK. The UK were hopeful this would be done by the 31st December but, as of the date of this newsletter, it still has not been completed. If there is no adequacy decision by the EU before the 31st December then organisations will need an alternative safeguard in place to continue to transfer data outside of the UK.
What does this mean for your school?
Should an adequacy decision happen before 31st December you can essentially continue to transfer data as you do now without any additional steps. If this does happen, we will communicate this to you by newsflash. For now, it is best to be prepared and assume that this adequacy decision may not happen in time. Should no adequacy decision be in place by the 31st December, the following steps should be taken. If using any software providers based outside of the UK, in order for them to process data for you, they need to put in place a safeguard. A list of those safeguards is HERE – but the most common safeguards are:
- Binding corporate rules (when transferring data within the same company);
- Standard contractual clauses (this is the most common safeguard used with third parties); or
- An exception (the full list of exceptions is contained in the link but common exceptions are with the individual’s explicit consent and in order to perform a contract with an individual).
The first step is to determine which of your third parties are affected by this change. It’s important to check which providers are based or store data outside of the UK. Those providers may also use sub-processors who are based outside of the UK. If you are not sure, it is probably best to ask the provider to clarify. We have a third party data sharing register on Jedu which you could use to list your third party providers. This register includes a column to show if the provider is based outside of the UK which will help you record these checks. Once you know which providers are affected, and if they have not by then confirmed to you all they are doing to prepare for Brexit, it may be useful to write to those providers asking for details.
We have prepared a template letter which is in the Template Letters section of Jedu. We would suggest making these communications in advance of the 31st December.
- Can we obtain admissions documentation from students based outside of the UK?
Yes – because the GDPR does not prevent transfers from the data subject themselves (i.e. the individual whose data it is). If you receive it from a third party or organisation who isn’t the data subject, then you will need to ensure there is a safeguard as set out above (for example with the data subject’s explicit consent).
- Are cloud-based storage providers based outside of the UK?
Providers can be based in the UK, the EEA or even further afield. It is worth checking with your providers to see where they are based. If cloud-based storage is based outside of the UK then those providers will need to ensure an appropriate safeguard is in place to transfer data safely post-Brexit.
- What happens if we don’t have a safeguard in place by December 31st?
It’s hard to say currently because, as with a lot of Brexit developments, the outcomes are all very much unknown. The regulator, the ICO, have said that organisations must have safeguards in place by December 31st and if you don’t, you should not continue to receive data from outside of the UK. Where it is not possible to put in place a safeguard, do continue to chase those providers in order to show you are doing all you can to follow the guidelines.
- Do any other documents need to be updated?
We will be updating our privacy notices over the Christmas break. The notices should stipulate those providers you use who are based outside of the UK (rather than just outside the EEA as previously required).
Tips for handling Data over Christmas and New Year
Finally we thought we would provide some general guidance on how to ensure all your data is handled securely over the Christmas break by sharing our 8 top tips.
- Track data that is taken home over Christmas: most staff will want to make the most of the break - and they should, they have earnt it. However, anyone who does need to do anything over Christmas should ensure they transport data home safely. Try to avoid using memory sticks but if they must be used, they should be authorised and, ideally, encrypted. For physical documents, consider getting staff to sign them out and in over the Christmas break.
- If using video conferencing, keep it interesting (for example Christmas quizzes) but be mindful about what is being shared and who it is shared with: staff should ensure there is nothing inappropriate in the background to their call (and should also check the same for attendees).
- Remind staff to blind copy (Bcc) recipients into group communications: They may have the best intentions by sending everyone a Christmas Quiz but if feuding parents or siblings can then view each other’s email addresses this could result in complaints and/or concerns.
- Consent isn’t a requirement to record nativity plays but at least give parents an opt-out: Ideally you will get parents’ consent as this is the safest method. If this is not possible you could rely on public task as the basis for processing (as nativity plays do normally form part of the school’s function and parents would expect schools to offer them). Should you do this you must ensure that: (a) you give parents an opt out, (b) you are clear with them about what the implications of opting out are and (c) give plenty of notice, possibly sending reminders to ensure parents are aware of your intentions. It is also important they know what you are using recordings/photos for – the wider the potential audience (such as on social media), the more likely it is you should gain consent.
- It is ok to put names in Christmas Cards and to give Christmas Card lists: but maybe use only first name or first name and initial. Try to avoid putting the school’s name on the list and remind parents not to share the lists with others.
- For Freedom of Information Requests, the clock pauses during school closure periods: as the timeframe for response is school days and not calendar days.
- But for subject access requests, the clock doesn’t pause: the timeframe is one calendar month. So be forward thinking - if you will struggle to comply within the normal one calendar month timeframe (particularly if you have or are likely to have staffing shortages) you should communicate any delays as soon as possible. We can assist you in drafting this communication.
- When returning in the new year, consider asking parents/staff to update their contact details: as individuals get new phones (and new phone numbers) during this time. This will help you ensure you keep their data up to date.