GDPR - General Data Protection Regulation
What is GDPR?
In the UK, GDPR replaced the Data Protection Act (DPA) 1998, which was brought into law as a way to implement the 1995 EU Data Protection Directive. GDPR seeks to give people more control over how organisations use their data, and introduces hefty penalties for organisations that fail to comply with the rules. It also ensures data protection law is almost identical across the EU.
As of 25th May 2018, the DPA 1998 was replaced by the General Data Protection Regulation which is often referred to as the ‘GDPR’. Although many of the principles remain the same as the DPA 1998, there are some important changes which affect the way we process data.
In general terms, the GDPR places more emphasis on transparency, accountability and record keeping.
Why do we need it?
The update to Data Protection legislation, in many ways, was long overdue as the 1998 Act pre-dates Facebook, Twitter and all types of social media. It is hard to remember, or believe, that in 1998 mobile phones were limited to making and receiving calls and text messaging that was charged by each character. Email was being used, but not every organisation had email addresses and hard copy documents were the mainstay of storage and records.
iPhones, Blackberry’s and other smart phones and tablets were yet to come. Access to the internet was limited and actually required a physical dial up. There was no 3G or wireless hotspots for casting communication and Google went live in 1998 - the same year as the DPA.
The Data Protection Act was fit for purpose then, but all of the changes in the last 19 years mean that a new framework is now essential.
Compliance with the Data Protection Act principles in the UK is largely the responsibility of the Information
Commissioner. The Information Commissioner’s Office (ICO) is the regulatory and supervisory authority. The ICO has the ability to provide advice, undertake audits, access information, impose sanctions and penalties.
What does this mean for Schools?
Schools process a lot of personal data relating to pupils and staff in order to carry out its functions. They also acquire personal data relating to other people including, for example, parents / carers, local governors, trustees, members of the local community, suppliers, contractors and consultants. It is therefore important that all schools ensure they handle personal data carefully and legally.
Our School's View
St John's Angell Town School is committed to protecting the privacy and security of personal information and being transparent about the way in which we use the information we hold. It is our responsibility to make sure we are handling and treating information carefully and legally.
Our school collects a lot of data and information about our pupils, staff parents and carers so that we can run effectively as a school. In our documentation, we explain how and why we collect certain data, what we do with it and what rights parents and pupils have.
The Data Protection Officers for Lambeth is Mr Matthew Ginn - email@example.com
The Data Protection Lead at this school is:
Mr Patrick Williams, Deputy Headteacher
As a school we are required to collect certain information in order to carry out our core functions of providing education and ensuring the well-being and welfare of the children. We do this on the legal basis that we are required to as an authority and therefore require no further permission to do this. There are areas however where we do require your permission to use the information you have given us for activities other than our core functions. These include extra curricular activities and Parent Association events etc. For these additional activities we will seek your specific consent to use your information, this must be freely given, informed and unambiguous.
We have privacy notices (below) to explain in detail what information we will need from you, why it is needed, how it will be stored, who we share it with (if this is required) and how long it will be kept for.