How to gather and manage personal data in your school

The Data Protection Act 1998 has received wide press coverage — mainly where organisations blame errors on the Act’s ‘red tape’. This cumbersome piece of legislation is problematic (not least because of its turgid prose) but it has at its heart a key aim, aptly summarised by the Council of Europe Convention. The convention said the Act recognised ‘that it is necessary to reconcile the fundamental values of respect for privacy and the free flow of information between peoples'.

Data protection principles

The eight data protection principles in the Act work to achieve a balance between privacy and information flow. The principles require that all use of personal information be fair and lawful and that such usage should not be excessive.

What the law says

What is the law surrounding the collection and use of such personal information? The Data Protection Act provides that a data controller (such as your school) may only process (‘processing’ includes the obtaining, recording, holding and disclosing) the personal data (anything held that identifies a living individual and that may affect his or her privacy — such as names and addresses) of a data subject (such as pupils, staff and parents) in accordance with the Data Protection Act.

Schools must comply with the eight data protection principles. These state that all personal data held must be:

1. processed lawfully — that is, in accordance with the Act
2. obtained and processed for specified purposes only — those set out in school’s data protection registration
3. adequate, relevant and not excessive
4. accurate and, where necessary, kept up to date
5. kept for no longer than is necessary
6. processed in accordance with the rights of data subjects (who all have rights to see copies of their personal data)
7. kept securely
8. transferred outside the EU only in very limited circumstances

The principles raise important questions for organisations collecting personal information that does not relate directly to their requirements.

Schools and personal data
We live in an information society. Organisations now collect large amounts of data from individuals — but those people will not always expect the information to be retained.

Schools are not immune to this trend. They have, for example, begun to use fingerprint recognition technology and cashless ‘epos’ (electronic point of sale) systems in canteens — raising concerns amongst parents as to how data will be used and stored, as well the prospect of future identity theft.

Processing personal data

Each school must satisfy itself that it has the benefit of one of the conditions in the Act (more on these below) that allows it to process personal data. Schedule 2 sets out some of these conditions. For example:

• the data subject (or his or her parent or legal guardian) consents to the processing
• the processing is necessary:
  • for the performance of a contract to which the data subject is a party
  • for compliance with any legal obligation to which the organisation is subject
  • for legitimate interests pursued by the organisation or by the third party to whom the data may be disclosed, provided that the rights of the organisation or third party outweigh the rights of the data subject

The simplest condition to fulfil in order to process the pupil, parent and staff data is to obtain the consent of the data subject. You can do this by clearly explaining (through policies and 'opt-in' or 'opt-out' statements) why the school needs to hold and/or use the information.

Sensitive personal data

The Act sets sensitive personal data apart from the ordinary data (such as names and addresses). Schools will need to hold sensitive personal data so that they can look after their pupils and staff properly.

Such data include: details of medical conditions; details of the commission or alleged commission of offences; and trade union membership details. How do organisations hold and, where necessary, disclose such sensitive personal data lawfully?

In processing sensitive data, schools must, as well as having the benefit of one of the Schedule 2 conditions mentioned above, also have the benefit of one of the Schedule 3 conditions. For example:

• the school has the explicit consent of the data subject to hold or disclose the sensitive personal data
• the processing is necessary for medical purposes
• the holding or disclosing is necessary:
  • to protect the vital interests of the data subject or someone else
  • for the exercise of any functions conferred by law

Is this data necessary?

Of course, it becomes more difficult to comply with the Act in relation to more peripheral data processed by your school. For example, has the school obtained consent to hold this peripheral data (see the first data protection principle)? Has the school considered if the data is relevant and absolutely necessary (see the third data protection principle)?

If the school has not documented these thought processes, it may be difficult to deal with any complaints about the holding of such data.

The register
Each school must register as a data controller with the Information Commissioner's Office. Details of your school's registration are online here

Your school's registration sets out the purposes for which your school may process personal data. For each such purpose, the registration sets out who the data subjects are likely to be, where the school will get the information from, and to whom the school may disclose this information when necessary.

It is a breach of the Act to process personal data otherwise than in accordance with your school's registration under the Act.

Guidance
The ICO has also published a number of guides for schools to help ensure that they process personal data appropriately. These guides relate to: the pupil information regulations; publishing of pupil photos; and exam results. For links, visit the ICO education page.

Audit policy, procedure and personal data

Can your school be absolutely clear that it has a lawful purpose for all the personal and sensitive information that it holds? Does your school have policies governing what data may be processed and in what format it may be stored?

The Act does not apply only to personal information that your school has collected since it came into force (March 2000). It applies to all personal and sensitive information that the school holds (there are some exemptions for manual data recorded before 24 October 1998).

Your school must ensure:

• that it holds this data lawfully and fairly (through ensuring that a Schedule 2 and, if necessary, a Schedule 3 condition can be relied upon for every piece of data), and
• that it complies with the remaining seven data protection principles — in particular, the requirement that all personal data be accurate, relevant and up to date

Best practice

Only periodic audit of the personal data 'out there' in your school can ensure such compliance. Auditing will allow you to identify what, if any, further policies and staff training are necessary for compliance. Here are some of the questions that your school may wish to ask during such an audit:

Data gathering

• What type of personal data does your school hold and process?
• What type of sensitive data does your school hold and process?
• From whom is this information obtained?
• What documents are pupils (and/or their parents) provided with and/or asked to sign to give their informed consent to your school's use of the data?
• What guidance is given to the person gathering the data as to what may and may not be gathered?
• Who audits the data gathered before it is stored?

Data storage

• Has your school implemented ISO/IEC 27002 on information security management? Available at standardsdirect
• Where does your school store personal data? Could you comply with an access request within the statutory time limits (from a pupil, parent or former pupil within 15 days; from anyone else within 40 days)?
• What measures does your school have in place to prevent accidental loss of, damage to, or theft of personal data (both manually and electronically held)?
• What is your school's policy on the use of laptops off school premises?
• What is your school's data retention policy and how regularly do you review files (manual and electronic) containing personal data?

Subject access requests

• How does your school identify and publicise (internally and externally) who its data protection compliance officer is? What training do you give him or her?
• What data protection training have staff at your school received in relation to educational records? Would they recognise a subject access request and understand what data and supporting information a pupil, parent or other data subject is entitled to?
• What is your school's policy on staff data protection (how you give staff access to their personnel files and use of staff data)?
• Has your school received any subject access requests? If yes, what issues arose?

Disclosures to third parties

• Which third parties (other than parents) may request disclosure of personal data from your school?
• In what circumstances does the Data Protection Act allow such disclosure?
• What documentation does your school require from the third party requesting disclosure?
• What documentation does your school keep to log when it makes disclosures?
• How does your school tell pupils and parents what data may be passed to third parties?

Simon White is an associate at Browne Jacobson LLP