Blagdon Nursery School
General Data Protection Regulation
The new regulations are titled the General Data Protection Regulation (GDPR) and will come into force in the UK from the 25th May 2018. The current act sets general principles which we must follow when handling data such as ensuring it is kept secure and not giving it to third parties without good reason.
The GDPR introduces further rights of the data subject, including the prompt reporting of data breaches to the Information Commissioner’s Office (ICO) with large fines for non-compliance.
We take cyber security and data protection very seriously and are putting steps in place within the school to ensure we maintain secure and compliant systems. To ensure we are compliant with the GDPR programme, we are currently reviewing contracts and service level agreements with our suppliers with regard to their responsibilities in processing personal data and ensuring they are GDPR compliant.
We have recently appointed a data protection officer who is from a company called Judicium. They will be assisting us with meeting compliance.
The main changes that will be brought about by the act are:
Previously we were allowed to use individual consent as a fair reason for processing an individual’s data. However, whilst we can still use it, the new regulations do make it more difficult to rely on an individual’s consent as a reason to process their data. Essentially the only way in which we can use consent is when individuals have given their explicit consent (i.e. we can’t rely on implied or assumed consent any longer). They must also be free to withdraw it at any time.
Individuals’ Data Rights
Individuals currently have a number of rights to their data – the most used one is the right of subject access (i.e. the right to get a copy of their own data). Under the new regulations the time limit is no later than one month. So when subject access requests or other requests come in to the school, we need to act quickly.
Individuals will also have extra rights such as the right to request deletion of data (where there is no reason for the school to keep the data) and the right to request that data is ported to another organisation in a machine readable format.
All organisations could be asked to provide evidence to show that they comply with the regulations.
There are obligations on the School as an organisation to notify the ICO if there are any personal data breaches which could cause a risk to other individuals.
The breach needs to be notified within 72 hours and we are currently writing policies to support this.
Increased Regulatory Powers
The ICO will have stronger powers of intervention and can issue fines in the millions (up to 17 million pounds). The ICO are likely to be more involved and expect organisations to be pro-active.
In a small number of circumstances we need to carry out data protection impact assessments when using new technologies and software.
It is likely we will need to put in place more detail on data protection compliance within our policies, in information given to parents and pupils and on our website.
Data Protection Officer
We are now required to have a data protection officer in place who will monitor compliance with the regulations.
Our data protection officer details are below:
Data Protection Officer: Craig Stilwell
Address: 72 Cannon Street, London, EC4N 6AE
Telephone: 0203 326 9174
For further information on the GDPR, please refer to the ICO website: https://ico.org.uk/