Looking for more ideas? Visit us at www.creativeeducation.co.uk
AN INTRODUCTION TO DATA PROTECTION
2.
What counts as ‘personal data’ and what do we mean by ‘processing’?
What the key principles are of good data protection
How we differentiate between standard and highly sensitive or ‘special category’ data
When can we process personal data lawfully?
When can we process special category data lawfully?
When can we share data?
How do we identify, report and prevent a data breach?
Receiving and responding to an information rights request
DURING THIS COURSE YOU’LL LEARN
Taking any action with someone’s personal data. This includes recording it, keeping it, changing it, using it and deleting it.
‘PROCESSING’ IS…
5.
Personal Data should:
Be processed lawfully, fairly and transparently
Be used for a specific purpose
Be relevant to that purpose
Be accurate
Be kept no longer than necessary
Be kept securely
And lastly that you should be accountable with what you do with Personal Data and how you comply with the other principles.
THE 7 PRINCIPLES OF GDPR
6.
Special Category data includes:
racial or ethnic origin
political opinions
religious or philosophical beliefs
trade-union membership
genetic information
biometric information (for example, a fingerprint)
health matters (for example, medical information)
sexual matters or sexual orientation
SPECIAL CATEGORY DATA
7.
a safeguarding matter
pupils in receipt of pupil premium funding
pupils with special educational needs and disability (SEND)
children in need (CIN), and
children looked after by a local authority (CLA)
CONSIDER SIMILARLY
8.
1. Consent
2. Contract
3. Legal Obligation
4. Vital Interests
5. Public Interest
6. Legitimate Interests
THE 6 LAWFUL BASES
9.
Special Category data includes:
racial or ethnic origin
political opinions
religious or philosophical beliefs
trade-union membership
genetic information
biometric information (for example, a fingerprint)
health matters (for example, medical information)
sexual matters or sexual orientation
SPECIAL CATEGORY DATA
10.
1. Explicit consent
2. Employment, social security or social protection
3. Vital interests
4. Manifestly made public
5. Substantial public interest
RELEVANT ADDITIONAL CONDITIONS
11.
• what personal information you’re sharing
• why you’re sharing it
• who you’re sharing it with and what they’ll use it for
• how you’ll share their information, and
• the process for withdrawing consent
WHEN GETTING CONSENT, EXPLAIN…
12.
Personal Data being
• lost or stolen
• destroyed without consent
• changed without consent, or
• accessed by someone without permission
A DATA BREACH IS…
13.
1. Store physical data securely
2. File documents clearly and consistently
3. Be careful working offsite
4. Send electronic documents securely
5. Don’t share passwords with colleagues
6. Check before sharing your screen
7. Lock your screen when away from your desk
8. Be discreet when discussing Personal Data
KEEPING PERSONAL DATA SAFE
14.
• To access the personal information you hold about them,
which is also known as a Subject Access Request
• To request to change inaccurate personal information you
have about them
• To request to remove their personal information or record
• To request to restrict the processing of their personal
information, and
• To request to stop processing their personal information
INFORMATION RIGHTS
Editor's Notes
#1 Within schools and colleges we store lots of different types of information about our learners, about their parents and carers and about our staff. Names, addresses, contact details, race, sex, gender, health conditions, test results, safeguarding information, and for staff, bank accounts, performance reviews, and a whole host of other information.
In the vast majority of cases, collecting and using this data is essential to help our school or college to function and to deliver great outcomes for our learners. But, we have a responsibility to ensure that we’re collecting and using the right information, for the right reasons, and we’re keeping it safe. Good data protection is everybody’s business.
And by everybody we really do mean everybody. Within the DfE guidance they include any staff who ‘creates and stores data’, ‘enters data into applications and software’, ‘decides if and when they’ll process certain data’ or ‘handles paper documents’. And in practice this makes good sense. Keeping private information secure and using it appropriately is a whole organisation’s responsibility, so everyone who works for that organisation has to step up.
Within your organisation you’ll have a Data Protection Officer whose overall role is to ensure that Personal Data is well protected. In order to do this, they’ll have set out a Data Protection Policy. This will cover both the key principles and processes to make sure that your school or college complies with the law.
Before you get started you’d be well served making sure you know who your Data Protection Officer is and getting hold of a copy of your Data Protection Policy. Give it a good read through. Don’t worry if there’s any terminology you don’t know, just note it down and we’ll be covering all the key terms in the modules that follow.
#2 During this course we’re going to help you get to grips with the essentials of good data protection practices, including:
What counts as ‘personal data’ and what do we mean by ‘processing’?
What the key principles are of good data protection
How we differentiate between standard and highly sensitive or ‘special category’ data
When can we process personal data lawfully?
When can we process special category data lawfully?
When can we share data?
How do we identify, report and prevent a data breach? And,
Receiving and responding to an information rights request
The course is split into 3 sections, each a week apart so you’ll have a chance to revisit the key topics and really internalise the essential principles of good data protection practice.
All throughout we’re going to try and keep the jargon to a minimum and use plenty of examples. So, let’s jump in.
#3 So, what counts as Personal Data? What exactly is this Personal Data we need to protect?
Put simply, ‘Personal data is information that relates to an identified or identifiable living individual.’ Let’s think of a few possible examples here and test it against that definition. An email address is information, and it’s linked to an identified living individual.
What about a photo of someone without a caption on a website? It’s information (in its broadest sense) and the image would be identifiable, so that counts as Personal Data too. What about an anonymised examination score? Yes, it relates to an individual but as long as they’re not identifiable from it – it doesn’t count as Personal Data.
Sometimes, you’ll see that ‘identified or identifiable living individual’ referred to as the ‘Data Subject’. They’re the person that information relates to.
#4 One last piece of terminology. You’ll see lots of references to ‘Processing’ Personal Data. ‘Processing’ is a broad term that means ‘taking any action with someone’s personal data’. This includes recording it, keeping it, changing it, using it and deleting it.
The principles of data protection apply to Personal Data in all of these circumstances, so it helps to have a catch-all term that refers to the wide range of actions you can take. The key takeaway here is that data protection is not just about whether to store Personal Data in the first instance, but also when to change it, whether to keep it, and how to use it.
#5 As we’ve already gathered, there are lots of different types of personal information we can store, change and use, or as we call it ‘Process’, for different reasons. Schools and colleges are complex organisations so how do we decide what data we can Process, and what we can’t?
Well, let’s start with some broad principles. These are set out in the UK’s General Data Protection Regulation, or GDPR for short. I’ve paraphrased one or two of these for clarity, but there’s a link to the full list in the notes below. These are that data should:
Be processed lawfully, fairly and transparently
Be used for a specific purpose
Be relevant to that purpose
Be accurate
Be kept no longer than necessary
Be kept securely
And lastly that you should be accountable with what you do with Personal Data and how you comply with the other principles.
So, let’s look at each of these in turn.
Firstly, you need to process data Lawfully, Fairly and Transparently. The GDPR sets out a number of grounds on which you can process Personal Data lawfully, and we’ll come on to those in the next module – but in addition you can’t process data in a way that breaks any other laws.
You must process data Fairly, ‘considering how the processing may affect the individuals concerned’ and being able to ‘justify any adverse impact’. This includes only processing Personal Data in ways people ‘would reasonably expect’ and, if not, being able to ‘explain why any unexpected processing is justified’, and more generally not to ‘deceive or mislead people’ when you collect their personal data.
And lastly you must be Transparent, working in an open and honest way.
How might this work in practice? Let’s look at an example that we can use to explore these 7 principles in action. Say you wanted to collect Personal Data on learners’ gender identities in order to ensure transgender students progressed as well as cisgender. So, remember the principle is to process the data in a way that’s ‘Lawful, Fair and Transparent’. You’d need a lawful reason for doing so – we’ll explore this in a later module. You’d need not to be breaking any other laws. No issue there.
You’d then need to ‘consider how it might affect the individuals concerned’ and ‘justify any adverse impact’. It could be stressful being asked your gender identity and knowing this was recorded, in particular if this was information you hadn’t yet shared perhaps with friends, teachers or family members.
Here the principles don’t tell you the right answer, but they give you a framework within which to make a reasonable decision. Lastly, you’d need to be transparent, to be clear to the students concerned about why you’re collecting the data, and what you’d be using it for.
This leads on to the second principle – that Personal Data should be used for a specific purpose. In the example above, the specific purpose is to close opportunity gaps between transgender and cisgender learners.
What you can’t do is, say, just gather Personal Data with a vague idea you might use it later. You also can’t change your purpose significantly without getting the data subject’s consent to do so.
So, you know now why you’re processing the Personal Data, but how much do you need? This is the third principle, that Personal Data is ‘adequate’, ‘limited’ and ‘necessary’ or what you might call more colloquially ‘the Goldilocks principle’. You should process not too little data for your purpose, not too much, but the amount that’s just right.
If your purpose in our example were instead to narrow achievement gaps for all learners with a range of protected characteristics – for example race, gender, special educational need as well - it’s pretty clear that only collecting information on gender identity wouldn’t be sufficient. Nor could you collect information that wasn’t relevant at all to your stated purpose.
The fourth principle is ‘accuracy’. There’s an obligation to make sure that ‘Personal Data you hold is not incorrect or misleading’, that it’s kept updated if that’s required, that you take reasonable steps to address inaccurate data, and that you ‘consider any challenges to the accuracy of personal data’.
Apart from anything else, this is just good practice. You’ll be storing your Personal Data for a purpose and if it’s inaccurate or misleading you won’t be able to achieve that purpose when you use it. Continuing our example, if the Personal Data you hold on learners’ gender identities is incorrect the analysis will be meaningless.
The fifth principle is to ‘not keep data for longer than you need it’. So, if you collected that Personal Data on gender identity for a one-off piece of analysis you should delete it afterwards; if you planned to repeat the analysis it may be appropriate to keep it for a length of time. It’s also a good idea every now and then to review the Personal Data you hold and to ‘erase or anonymise it if it’s no longer needed’.
The sixth principle is that Personal Data is kept securely. This is a whole team effort, but in the Data Breaches module we’ll be discussing some ways you can help keep data secure in your organisation.
And lastly, there’s the principle of accountability that requires you to take responsibility for what you do with Personal Data and how you comply with all the other principles.
There’s a lot to take in there, so it’s worth spending a few minutes having a think about how this might apply to you in a real life situation.
#6 So to recap, Personal Data is any information about an identified or identifiable living individual and the act of ‘Processing’ Personal Data covers the whole range of different things we can do with it – storing it, keeping it, changing it, using it, deleting it.
The first thing to recognise is that, clearly, some Personal Data is more sensitive than others. A learner’s age being seen by someone who shouldn’t see it is clearly a very different thing to their entire safeguarding records being seen by someone who shouldn’t.
This difference is recognised in the UK’s GDPR. The Personal Data that is particularly sensitive is called Special Category Data and you need additional justification in order to process it.
So Personal Data is any information related to an identified or identifiable living individual, but it’s classed as Special Category Data if it relates to:
racial or ethnic origin
political opinions
religious or philosophical beliefs
trade-union membership
genetic information
biometric information (for example, a fingerprint)
health matters (for example, medical information)
sexual matters or sexual orientation
#7 In a school or college, the DfE has additional guidance that states it would be best practice to also treat as Special Category Data any personal data about:
a safeguarding matter
pupils in receipt of pupil premium funding
pupils with special educational needs and disability (SEND)
children in need (CIN), and
children looked after by a local authority (CLA)
And I think in general, this goes along with our natural intuition – if data is more sensitive and it has greater potential to cause distress if it fell into the wrong hands – then we should safeguard it more carefully.
This is certainly the case with data about whether someone has committed a criminal offence. Schools and colleges process criminal offence data through requesting and storing the results of DBS checks. Even if the check doesn’t reveal a conviction it’s still classed as Criminal Offence data. This data is treated in a similarly sensitive way to Special Category Data.
Understanding which data is Personal Data, which is Special Category Data and which is Criminal Offence data is going to be important, so you’ll have an opportunity now to practise this to make sure you can tell which one’s which.
#8 The first principle of the UK GDPR says we must Process Personal Data in a way that is Lawful, Fair and Transparent, but what are the justifications for processing Personal Data Lawfully?
A common misconception is that good data protection is about always asking for consent to process data. Consent is just one of the potential justifications for processing Personal Data – but it’s not always the best or most appropriate.
The UK GDPR outlines 6 lawful bases. To process Personal Data you need to ensure at least one lawful basis applies and to pick the most appropriate one. They are:
consent – you would use this where it is the most appropriate choice and you’re able to give someone a real choice in how you use their data
contract – you would use this where your use of the data is necessary for a contract the school or college has or will have with the individual concerned
legal obligation – you would use this where your use of the data is necessary to permit the school or college to comply with the law
vital interests – you would use this where your use of the data is necessary to protect an individual’s life
public interest – you would use this where your use of the data is necessary to permit the school or college to carry out a task in the public interest or its official functions, and that task or function has a clear basis in law
legitimate interests – you would use this where your use of the data is necessary for the school’s or a third party’s legitimate interests (unless there’s a good reason to protect the individual’s personal data that overrides those legitimate interests)
See if you can memorise these 6 lawful bases. You’ll use these a lot when making decisions around your day-to-day practice processing personal data. Most of the legal bases are quite self-explanatory, but what exactly do we mean by Legitimate Interests and when might it apply?
Firstly, it’s got to be the most appropriate basis and it’s more appropriate to justify much of the day-to-day work of a school or college under Public Interest, Contract or Legal Obligation.
Secondly, is the processing necessary? You can only use Legitimate Interests as a justification if you couldn’t achieve the same goal without processing the data.
Thirdly, you must balance it against an individual’s rights and freedoms. If they would not reasonably expect the processing, or if it would cause unjustified harm, their interests are likely to override your legitimate interests.
So, let’s look at some examples and see what we think the most appropriate legal basis might be.
You take a photo of a pupil and want to use it on your school or college’s website – is the processing, or in this case the recording and using of the photo, lawful? Let’s review the 6 lawful bases again. Consent would be an option. There’s no contract per se between you and the student, so not Contractual Obligation. It’s not a Legal Obligation either, nor is it a matter of life and death so it’s not in their Vital Interests. It’s not really in the Public Interest, but could it be classed as being in the school or college’s Legitimate Interest?
The processing probably couldn’t be achieved another way – it’s hard to have a school website with just pictures of buildings, but how does your Legitimate Interest as a school or college balance against the student’s interest? There may well be times where having a photo of a student published when they hadn’t specifically consented could cause distress, so in this instance the student’s interests would trump those of the school or college.
In fact, the DfE have specific advice on the use of student photographs in their guidance. You must get consent to:
share photos on your school or college’s social media channels
include photos of pupils and staff in your prospectus or other marketing material
use a photo of a pupil in your displays, or
take a photo for a newspaper article
This example gives us a good opportunity to see the 7 principles of data protection that we discussed earlier in action and start pulling these threads together.
You need a lawful basis to process the data. Here it’s consent. It must be for a clear purpose – a promotional photo on a school or college website. If you want to use the photo for a different purpose – say on a social media channel – you need fresh consent for that purpose. You should also make it clear how long you’ll use the photograph or.
What about publishing exam results in a local newspaper? Again, it’s unlikely Contract, Legal Obligation, Vital Interests or Public Interest apply here (remember Public Interest is solely ‘where your use of the data is necessary to permit the school or college to carry out a task in the public interest or its official functions, and that task or function has a clear basis in law’). So, to use the data in this way it would either need to be under the basis of Consent or Legitimate Interest.
Publishing such data is in the Legitimate Interest of the school and the wider community, it’s a relatively common practice that students and their parents would probably expect and is often a real motivator to students, so in this instance it would be appropriate to use Legitimate Interest as the justification and not seek consent from each student.
However, there is still the requirement to operate openly and transparently – so being clear with parents and learners that this will happen and giving them an opportunity to object and remove themselves from publication would be appropriate.
Again, it’s a good idea to take the opportunity to practise making these decisions yourself on day-to-day activities.
#9 Now we’ve had a chance to explore the legal bases you can use to process Personal Data, let’s look at how this differs when we look at the most sensitive type of Personal Data, what’s referred to as Special Category Data.
To recap, Special Category Data is information about a person’s:
racial or ethnic origin
political opinions
religious or philosophical beliefs
trade-union membership
genetic information
biometric information (for example, a fingerprint)
health matters (for example, medical information)
sexual matters or sexual orientation
And as we said earlier, in a school or college, the DfE has additional guidance that states it would be best practice to also treat as Special Category Data any Personal Data about:
a safeguarding matter
pupils in receipt of pupil premium funding
pupils with special educational needs and disability (SEND)
children in need (CIN), and
children looked after by a local authority (CLA)
The test here about whether you can collect, store and use this kind of Personal Data is more stringent. It must meet one of the 6 legal bases we discussed in the previous module plus at least one of the following 10 additional conditions for processing Special Category Data.
Of the 10, five are unlikely to apply regularly in a school or college setting:
not-for-profit body – it’s necessary for the legitimate internal-only purposes of a membership body with a political, philosophical, religious or trade-union aim
legal claims or judicial acts – it’s necessary for a legal case or required by a court of law
health or social care – it’s necessary for the provision of healthcare or treatment, or of social care, and there’s a basis in law
public health – it’s necessary for reasons of public interest, and there’s a basis in law
archiving, research and statistics – it’s necessary for reasons of public interest, and there’s a basis in law
#10 The remaining 5 though are more likely to be relevant:
explicit consent – the accessing or processing of this personal data has the written consent of the individual concerned
employment, social security or social protection – it’s necessary for one of these 3 stated purposes and authorised by law
vital interests – it’s necessary to protect an individual’s life
manifestly made public – it relates to personal data the individual has themselves deliberately made public
substantial public interest – there’s a relevant basis in UK law and one of 23 specific public interest conditions has been met
So, for example, say you have a member of staff who is a public advocate for neurodiversity and has a publicly available blog where she discusses issues related to this and education. Her autism diagnosis is a Health Matter and would be classed as Special Category Data. However, because the individual involved has deliberately made this public then, providing your processing still meets one of the original 6 legal bases, it would be acceptable to process this data.
Listening to this though, you might be concerned about some of the Special Category Data we might regularly process in a school or college setting. For example, Personal Data surrounding Safeguarding. The DfE guidance encourages us to treat safeguarding information as Special Category Data, but which of the 10 conditions does it satisfy? It’s not for a membership body, nor always a legal claim, not for health and social care, nor for public health, nor for archiving, research and statistics. You generally don’t get explicit consent, it’s not relevant to employment, vital interests are sometimes involved but not always, and the data certainly isn’t manifestly made public.
That leaves Substantial Public Interest where one of the 23 public interest conditions needs to be met. It would be going beyond the scope of this introductory course to detail these in full, but four key ones for our purpose are:
Ensuring Equality of Opportunity or Treatment
Support for individuals with a particular disability or medical condition
Counselling etc, and
Safeguarding of children and of individuals at risk
You will see that much of the Special Category Data we collect in schools or colleges fits under these headings.
Another example would be collecting data on students’ ethnicities to ensure that learners of different ethnic groups achieve similar outcomes. This would be justified under Ensuring Equality of Opportunity or Treatment under that same Substantial Public Interest condition.
If you have further questions on whether it’s appropriate to collect, store and use Special Category Data in a specific situation it’s best to ask your school or college’s Data Protection Officer.
#11 We’ve talked a lot about the need to safeguard and protect Personal Data, but in certain circumstances it can be important to share data with others.
Usually, before sharing any Personal Data, you’ll need consent. If the individual is 13 or over this consent would be from the student, if under 13 their parent or guardian. It stands to reason that any time you ask a young person for consent, it should be in a way that they can understand.
When getting consent, you need to explain:
what personal information you’re sharing
why you’re sharing it
who you’re sharing it with and what they’ll use it for
how you’ll share their information, and
the process for withdrawing consent
And you can see again here how this links back to the 7 key principles of data protection, including being transparent, having a specific purpose and not keeping Personal Data for longer than necessary.
Say you’re organising an external trip with another school and you need to share allergy and other medical condition information to ensure all the learners are safe on the day. Before sharing any data the DfE guidance advises:
consider all the legal implications
check if you need permission to share the data
confirm who needs the data, what data is needed and what they’ll use it for
make sure that you have the ability to share the specified data securely
check that the actions cannot be completed without the data
You’d be well placed to seek out your school or college’s Data Protection Officer before you share anything to make sure it’s done right.
There may, however, be some circumstances where it’s not appropriate to ask for consent. Such as:
if the individual cannot give consent
if it’s not reasonable to ask for consent, or
when there’s a safeguarding concern
To keep children and vulnerable adults safe sometimes you’ll need to share information with other schools and colleges and with children’s social care teams. Such decisions are complex, and sensitive Personal Data is at stake so you should leave it to your Designated Safeguarding Lead to decide if and when such Personal Data needs to be shared.
#12 So that’s how we can share Personal Data on purpose, but when something happens to Personal Data by accident or without our permission – this is a data breach.
A common misconception is that data breaches are just about losing Personal Data, but actually it can be broader than that. A data breach is a security incident that has resulted in Personal Data you hold being:
lost or stolen
destroyed without consent
changed without consent, or
accessed by someone without permission
Data breaches can be deliberate or accidental.
As a member of staff, you have two main responsibilities when it comes to data breaches.
Firstly, you should know what one is and how to report it. Should you identify that a data breach has occurred you should inform your Data Protection Officer as quickly as possible, following your school or college’s policy. They will then take responsibility for assessing its severity, reviewing how it happened, and reporting it to the Information Commissioner’s Office and the affected individuals if required.
And secondly, you should take appropriate precautions to minimise the risk of a data breach occurring in the first place.
#13 We’ve compiled 8 top tips to help you keep Personal Data safe in your organisation:
Store physical data securely - Even in the digital age we still have much that’s stored on paper. Protect this information by having a clear desk policy and keeping any printed information with Personal Data in locked filing cabinets.
File documents clearly and consistently – filing documents clearly and consistently, both in paper and on computer systems, minimises the chances that Personal Data will be lost
Be careful working offsite – whether you’re taking Personal Data in physical files or on school or college laptops, data is more at risk when working offsite. Ensure all Personal Data on electronic devices is secured with a password, and preferably 2 Factor Authentication. Exercise similar caution with Personal Data on USB sticks, which can be easy to lose.
Send electronic documents securely – Many schools and colleges use productivity software from Microsoft or Google that allows you to share links to files rather than emailing attachments. This is more secure as you can revoke access easily, unlike attachments where once you send it you lose control of the data. If you do need to send an attachment, password protect it and send the password in a separate email. If you’ve never password protected a document before there’s a link in the notes below to show you how to do this for Microsoft and Google documents.
Don’t share passwords with colleagues – This applies not just to your main username and password, but also login details for online tools your school or college uses. As a rule, you should look to have a different password for each different software or website you use, but many people don’t. So if you share your username and password for one service you may unwittingly be sharing it for others too.
Check before sharing your screen – Many of us now share our screen using videoconferencing tools. Before you do so on a call, make sure there isn’t any Personal Data visible.
Lock your screen when away from your desk – Get into the habit of locking your computer when you leave your desk. On a Windows machine you can do this with Windows key + L and on Mac with Shift-Command-Q.
Be discreet when discussing Personal Data – old-fashioned as it may sound, overhearing conversations is still a key way that Personal Data is shared accidentally. Where you are discussing a matter that involves an individual’s Personal Data, do so in a private setting.
At this point, the key thing for you to do is to review your organisation’s Data Protection Policy. If you were to discover a data breach, make sure you know who you would report it to and through what channels.
#14 So far, much of the discussion has focussed on decisions that we make as professionals – whether we’re justified to process Personal Data in one way or another – but what scope do the individuals whose Personal Data we hold have to control what happens to their data?
Individuals, including children, have several information rights relating to personal data you hold about them. This includes the right:
to access the personal information you hold about them, which is also known as a Subject Access Request
to request to change inaccurate personal information you have about them
to request to remove their personal information or record
to request to restrict the processing of their personal information, and
to request to stop processing their personal information
Together these are known as ‘Information Rights Requests’. These are only requests, they do not have to be granted, but unless there’s a valid reason the school or college should respond within one calendar month.
There’s no pre-defined format for an ‘Information Rights Request’ – they can come in verbally, in writing or via social media. It could be as simple as an email asking for you to delete someone’s information or a formal letter from a parent’s solicitor.
Now would be a great time to get out your school or college’s Data Protection Policy. There’ll be a section in there that talks about what your process is for an Information Rights Request and who it gets escalated to. If you’re unclear, talk to your Data Protection Officer.