GDPR

General Data Protection Regulation (GDPR) is an EU-wide piece of legislation which replaces the Data Protection Acts 1988-2003. There are a number of new provisions in GDPR that were not previously in the Data Protection Acts 1988-2003, however, 80% of GDPR mirrors the provisions in the previous legislation. GDPR enhances the individual’s data privacy and data rights and builds on the obligations and responsibilities of data controllers.

Whilst GDPR is the law and supercedes any national legislation, Ireland’s Data Protection Act 2018 applies elements of GDPR in certain, specific ways in the Irish legal context.

GDPR affects all data subjects. An individual under GDPR is known as the ‘data subject’; that is, they are the subject of the data collected about them by the organisation. In schools, a data subject is a pupil; a parent/guardian; a teacher; a school secretary; any employee of the school. All data subjects had certain rights protected under the previous data protection legislation. GDPR enhances and builds on these rights.

Schools shall be responsible for, and must be able to, demonstrate compliance with GDPR principles. The principles are:

•  Fair, transparent, and lawful processing: the data subject should know the type of data collected and the reason the school collects that data.
• Purpose limitation: schools should only collect data for a specific purpose and keep only for as long as necessary.
• Minimisation of processing: schools must only process data that is needed to achieve its processing purpose.
• Data accuracy: schools must take every reasonable step to ensure the data they process is accurate and complete.
• Storage limitation: schools should hold data in a form that identifies a data subject for as short a time as possible.
• Integrity and confidentiality: schools must process data securely to safeguard against unauthorised/unlawful processing, accidental loss, destruction, or damage.

Data protection legislation/GDPR sets out the rights of the data subjects including:

• The right of access:
  • Accessing one’s own data can be done via a Subject Access Request (SAR). This means that a data subject can request a copy of all his/her data (or their own child) free of charge and this must be provided within 30 calendar days.
• The right to rectification:
  • This right means that a data subject can ask the data controller to rectify the data the controller holds e.g. if a data subject’s phone number changes.
• The right to be forgotten/right to erasure:
  • This means that a data subject can apply to a data controller to erase all the data which the controller holds on that data subject. This is not an absolute right and is qualified in certain circumstances e.g. where data is being held for a statutory purpose or in line with legislation, for example, the rollbook/rolla.
• The right to restrict processing:
  • This means that, in certain circumstances, a data subject can apply to a data controller to restrict the processing of his/her data.
•  The right to data portability:
  • Data portability, in simple terms, means that a data subject can apply to have all of his/her data held with one data controller copied and passed to a new data controller.
• The right to object to certain processing:
  • Save for compelling legitimate reasons, this right means that a data subject can object to the processing of his/her data based on his/her particular situation or state of mind.

Personal data is any information relating to an identified or identifiable living person (‘data subject’). An identifiable living person is one who can be identified, directly or indirectly, e.g. by reference to a name, an identification number, location, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that living person/data subject.

Yes, schools are entitled to collect personal data about pupils through the enrolment process and/or through expressions of interest in relation to enrolment. This is legitimate for the purposes of providing education services to pupils. Additional information may be collected from third parties, including former schools and through school activities and interaction(s) during the course of the pupil’s time at school.

Schools also collect personal data about parents and guardians through the enrolment process or expressions of interest for enrolment. Additional personal data may be collected through interactions during the course of the pupil’s time at school.

In addition, schools are also the places of employment and so personal data collected by the school in relation to all employees, including teachers, prior to and during the course of their employment at the school.

The processing of some pupils’ personal data requires consent. For example, the school needs to be sure that parents have consented to allowing photographs of their child to be taken by the school, which may be displayed on the school’s website or on social media platforms or in the print media. Consent can be withdrawn at any time by contacting the school. Please note: consent regarding data under GDPR is different to consent received from parents for the purposes of allowing their child attend, for example, a school trip/tour. That type of consent must still be sought in the usual way by the school, in line with advice from the school patron and/or insurer(s).

A data controller determines what data the organisation/school needs to collect, why that data is needed, how it will be collected, how it will be stored, and for how long. The data controller in schools is the board of management.

Data controllers are required to store data which they process confidentially and securely. If a security or data breach arises, a data controller, by law, must report the breach to the Data Commissioner within 72 hours. This is not optional, but a legal requirement.

In schools, it is advisable to create a culture of awareness and support about GDPR and data privacy. It is vital that all colleagues feel that they can immediately report to the principal/management if they are concerned that they may have inadvertently cause a data breach at the earliest opportunity. The concern can then be reported to the Data Commissioner.
GDPR compliance at school involves looking at – or auditing – the data that is collected in the school. In other words, what data is collected, retained, updated, stored, and/or accessed in respect of pupils, employees, and third parties.

It is vital to foster a conversation about data privacy awareness among staff. Whilst there is an onus on the board of management as data controller, there is an onus on all individuals who handle the data of others to be prudent in that regard. Having a discussion about the types of data processed in the school and the importance of reporting any breach in a prompt manner in a supportive culture is advised. This may involve a discussion amongst staff around the need to make some changes in how the school processes (collects, retains, stores, and interacts with) the data collected.

A data processor processes data on behalf of the data controller, for example, a service provider to the data controller, i.e. the board of management. A good example of data processor for schools would be a third party service provider of IT services.

It is important to ensure that within the agreement or contract a school has in place between the data controller (board of management) and a third party service provider that the following is clarified:

1. The personal date are processed only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation.
2. The confidentiality and security of the data being processed is ensured by the third party service provider.
3. The third party service provider gives an undertaking to the data controller that they respect and are compliant with the data subjects’ rights.
4. The third party service provider can engage subcontractors with the data controller’s approval.
5. Where necessary/appropriate, that the third party service provider will delete or return the data to the data controller at the end of the provision of services arrangement unless European Union or Member State law requires the continued storage of that data.
6. The processor makes available to the controller all information necessary to demonstrate compliance with the obligations under European Union or Member State law.

Regarding the engagement of third party data processors/service providers by a board of management, members are advised to continue to consult with their relevant school patron for advice.

A Subject Access Request (or SAR) is exactly the same as a Data Access Request, in that a data subject can apply to a data controller to be given a copy of any information on record relating to the data subject, which is kept on a computer or in a structured manual filing system operated by the data controller.

In schools, teachers can make a SAR to the data controller, the board of management as their employer, in relation to their own data only. Parents/guardians can make a SAR to the data controller, board of management, on behalf of their own child.

Under GDPR, a SAR can be done by writing to the data controller/board of management requesting copy of the personal data held in relation to the data subject. A SAR must be complied with within 30 calendar days, whether it arises during a school closure or not. Failure to comply within this timeframe may be reported to the Data Commissioner. Crucially, GDPR provides that copy of the data is provided to the data subject free of charge.

A data breach is where, accidentally, inadvertently, or unlawfully, personal data are destroyed, lost, disclosed or accessed, transmitted, stored, or otherwise processed. Schools, as data controllers, are required to store data which they process confidentially and securely. If a data breach does happen or you have concern that it may have happened, you must report your concern to your principal/the board of management immediately. The relevant data subject must also be informed. The reason for the immediate requirement of reporting is that the data controller, by law, must report the breach to the Data Commissioner within 72 hours. This timeframe is not optional, but a legal requirement.

Contact information

The Data Protection Commission: dataprotection.ie/docs/GDPR-Overview/m/1718.htm

Email: breaches@dataprotection.ie

Tel: +353 (0761) 104 800

LoCall: 1890 25 22 31

Fax: +353 57 868 4757

General queries to the Data Protection Commission can also be emailed to info@dataprotection.ie.