Newsflash - Data Protection

We have recently added a Privacy Notice for Pupils, a one-page document designed to be easily accessible for young pupils, to our documents section. We have also introduced a booklet containing top tips and common FAQs surrounding GDPR. This can be given to staff or displayed in common areas (such as the staff room) to increase awareness. Don’t forget that there are template privacy notices and letters regarding Covid-19 and test and trace also available in our documents section.

Brexit and transfers of Data outside of the UK

As a result of Brexit, from the 1st January 2021, the UK will be a third country for the purposes of GDPR. This means that, unless the EU make a finding that the UK’s data protection levels are adequate before 1st January 2021 then alternative measures will need to be in place with third party providers in order to transfer data from Europe into the UK.

There are several alternatives available. One of the easiest to implement is Standard Contractual Clauses (SCCs) with the third party you intend sharing data with outside of the UK. For now, there is no need to do anything substantial with those third parties affected by this change. The official communication is that the UK remain hopeful an adequacy decision will be in place before the Brexit date.

But as the date draws closer, it is important to note any third parties you use that process data outside of the UK, in case an adequacy decision is not reached in time. This can be done by using a third-party data sharing register which is on our documents portal (under the section “Processing”) and then reviewing third parties privacy information as there are education providers who are affected by this change. Judicium can review providers privacy information for you and advise further if you are unsure.

In another development, a recent case on 16th July 2020 invalidated the EU-U.S Privacy Shield, a mechanism that previously made it safe for organisations to transfer data to the USA. As a result of this case, it is also important to determine whether any third parties process personal data in the USA (again there are some education providers who are affected by this). Those companies who process data within the USA will need to put in place an alternative measure (such as SCCs) and so schools should be seeking to put these provisions in place as soon as possible.

Judicium can advise further on how this may affect your school and can communicate directly with those third-party organisations on your behalf where possible