UK GDPR: The Proposed Changes and Potential Impact on Schools

This is a summary taken from Judicium’s Data Protection  ‘Sofa Session’ from the 12th of October with the Head of Data Services Craig Stilwell, LLB (Hons), L.P.C., PC.dp GDPR.

This session was focused on:  what are the recent changes and the likely timeline of events for upcoming changes; ICO Patterns; and recent breaches and case studies.

Data Protection Laws Update

Over the last year, the government has been hinting at reforming data protection laws.

To summarise, the changes discussed included the removal of:

• The requirement for bodies to appoint a data protection officer and instead require organisations to have in place a senior responsible individual.
• The need for cookie banners for low-risk activities such as website trackers.
• The need for DPIAs (but replace them with assessments of high-risk processing).
• The requirement to keep a record of processing activities and instead require organisations to keep an appropriate record of processing data.

The new requirements are just a slight derogation from current standards.

Timeline:

• 10 September 2021 – The government launched public consultation into reforming UK data protection laws
• 23rd June 2022 – The response to consultation and a new draft bill
• 18th July 2022 – The first reading of the new data bill
• 5th September 2022 – The second reading. See image of the stages an act has to go through parliament and where it is at.

As a result of recent government changes and to allow the government to consider all reforms and  prioritise, this law was momentarily paused.

On 3rd October 2022, the Conservative Party Conference issued a fresh development stating they had paused the above legislation to take another look. Also, the new Secretary of State for digital, culture, media and sport, Michelle Donelan, said they are looking to revamp GDPR.

We will find out in the coming months if the government are planning further changes and whether these will be enforced due to ongoing government uncertainty. Judicium will keep an eye on matters and update accordingly.

The best thing for schools to do now is to carry on with current compliance. The previous reform suggested that if your school complies with GDPR currently, you will likely comply with the new law.

Information Commissioner's Office (ICO) Updates

ICO involvement in data matters has increased substantially over the last 12 months.

The ICO’s structure has started to evolve, with offices in all the countries within the UK. Their guidance and consultations are increasing as are enforcement.

Data protection complaints are high, but relatively consistent:

• 9,900 complaints so far in Q3 2022.
• There has been between 9-12k complaints each quarter in the last 12 months.

In terms of enforcement action, the ICO has upheld complaints in full or in part 49 times against education institutions in the last 12 months.

Breach reports – What the numbers mean.

The most common form of data breaches remains emails sent to the wrong person – about 15% of the total breaches reported.

It still occurs due to human error, but training and awareness, email delays and turning off auto complete of email addresses can also make a difference in reducing these breaches.

Data posted or faxes to the wrong person comprises about 10%. Therefore, sending things to the wrong person makes up a total of a quarter of all reported breaches.

Other common breaches include hardware and software misconfiguration and ransomware.

Ransomware cases have increased by nearly 400% in the last few years.

The highest number of breaches reported were in the health sector (20%), but surprisingly education is still the second highest with 16% of breaches and 313 breaches reported in quarter 2 of 2022.

Next, the action taken with breaches has changed. Now only 15% of reports have no further action whilst a massive 72% result in informal action taken (such as guidance and decisions) and 7% result in an investigation being pursued.

In 2019, 86% of breaches reported required no further action and 0% had informal action taken.

• Only about two-thirds of breaches are recorded in the required 72-hour period.
• About half of the reports only involve 10 data subjects or less.

Top tips to minimise data breach impact

1. Training and awareness can help minimise breaches
   • It helps if staff are aware of risks to data in their day-to-day practice. You can also bring staff together to discuss better practices and ways of managing data.
2. Make sure you keep a log of data breaches and incidents.
   • This is a requirement under law but can help you see that breaches are being reported and the outcomes/decisions from them.
3. The reason breaches need to be logged and reported quickly is so, if an issue arose, the DPO can deal with the incident and manage any potential risk promptly.
   • Do staff know who to report to and the turnaround times for reporting?
4. Ensure that you also consider improvements to practices from breach incidents.
   • This could involve discussing near misses as a team or deciding on safer practices as a result. Breaches can be a good way of improving daily practice.
5. Look at your school’s breach log for patterns
   • For example, if there are no breaches reported at all this could be lack of awareness on what a breach is.
   • If sending emails to the wrong person is common, training for better awareness or a need to put an email delay or turn off auto complete for email addresses may be worthwhile. If the issue is oversharing data using joint forms, provide better training on using them and how to limit their use.

Focus areas for the ICO

 The key area the ICO is focusing on currently is Freedom of Information.

They released information about how they have acted against organisations who are not responding to requests.

Also, some organisations have received decision notices (informal action) from the ICO about non-compliance.

The ICO has also issued its first enforcement notice (formal action) for persistent failures of the Department for Business, Energy and Industrial Strategy to comply with FOI requests.

It has made holding public authorities to account one of their goals under their new strategy and this seems to mirror what they are doing in practice.

Data protection impact assessments (DPIAs) is another area of focus. Judicium has worked with the ICO on driving better guidance on innovative technologies and when they can be used. This resulted in more specific guidance produced by the ICO about using CCTV in toilet areas.

Case Studies

Warwickshire NHS Trust case

A now ex-employee (who was employed at the time of the breach) has been individually punished by a Magistrate’s Court for accessing patients records without a legal reason.

He unlawfully accessed the records of 14 patients, who he personally knew, without a reason to do so and without the knowledge of the NHS trust.

The ICO said: “This case is a reminder to people that just because your job may give you access to other people’s personal information, especially sensitive data such as health records, that doesn’t mean you have the legal right to look at it.”

It was the first time the ICO issued a compensation award in a criminal prosecution. They have issued fines to organisations in the past and individuals have had legal action taken against them in a court setting (without ICO involvement).

The ICO doesn’t have the power to award compensation direct to data subjects, but they do have criminal enforcement powers and can elect to make an application to the Court so that victims can obtain compensation

Important points:

• Ensuring there are access levels to data (particularly sensitive data). Although the NHS Trust were found to have followed process here, it is best to ensure through access levels that staff are prevented from seeing data they are not entitled to see.
• Training – a key factor here was that the Trust provided regular training to staff on what information they were entitled to see and their responsibilities. It is important to continually enforce staff responsibilities through data protection training.
• Employees should be made aware there are serious implications to them by looking at data they know they shouldn’t. In this situation termination of employment was a consequence as well as a financial penalty.
• Be careful how staff handle information. Just because you have a process, doesn’t mean you shouldn’t audit/review processes to see how they work. Examples include data audits or sweeps of classrooms to see things are locked away.

New Developments for Data Protection and Safeguarding

There was the big change in Keeping Children Safe in Education (KCSIE) in 2022, which suggested (but didn’t require) schools to consider online checks as part of its safer recruitment.

Section 221 states: “In addition, as part of the shortlisting process schools and colleges should consider carrying out an online search as part of their due diligence on the shortlisted candidates. This may help identify any incidents or issues that have happened, and are publicly available online, which the school or college might want to explore with the applicant at interview. See Part two - Legislation and the Law for information on data protection and UK GDPR.”

They did originally suggest social media checks rather than online searches and their guidance isn’t clear how far employers should go in the search. It’s important to be aware the search isn’t mandatory. However, if you do it, consider how far to delve into the search and how you will do it fairly.

Helpful Information:  

Judicium also offer a range of GDPR e-learning  training designed for schools. You can see current course availability here.

If you’d like to review Judicium’s forthcoming Sofa Sessions please click here

Follow us on Twitter: @DPOforSchools and @JudiciumEDU

© This content is the exclusive property of Judicium Education. The works are intended to provide an overview of the sofa session you attend and/or to be a learning aid to assist you and your school. However, any redistribution or reproduction of part or all of the contents in any form is prohibited. You may not, except with our express written permission, distribute or exploit the content. Failure to follow this guidance may result in Judicium either preventing you with access to our sessions and/or follow up content.