How concerned should schools be about Consent?
Like many of you, we’ve never understood why parts of the press, and some consultants, have made such a strong push on the fact that everything centres around the ‘consent’ element of the legal basis for processing data. According to the ICO “Consent is not the ‘Silver Bullet’ for GDPR Compliance”.
Here’s what we think schools need to consider when identifying the legal basis for processing data.
Compliance with a Legal Obligation
Our research has already shown that the processing of Educational Records would fall within the areas of “6(1)(c) – Processing is necessary for compliance with a legal obligation” also contained within the draft Data Protection Bill currently going through Parliament as a result. Schools have a legal obligation to send data to the local authority and/or the DFE and other bodies and may use this legal basis if no other fits although almost certainly Public Interest fits most areas for schools.
We also know that for some schools, “6(1)(d) – Processing is necessary to protect the vital interests of a data subject or another person” is being investigated on the grounds of safeguarding. Whilst a school can argue rightly that in many cases data is processed to ensure a child is safe and well cared for, this reason fits better in cases of serious and emergency situations. An interesting one to follow over time to see how it holds up.
However, we do see that many schools will opt on “6(1)(e) – Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.” This is the one schools will likely rely on the most.
Teaching children in a school is in the public interest and therefore data may be processed to ensure the school functions effectively. You simply need to ask yourself – do we need this data as part of running a school which is in the interests of the public? Registration, achievement records, payment of school meals, informing parents of behaviour or whether the school is closed because of snow are examples of where data needs to be processed to allow the school to function effectively. If you only use your text messaging service to market events and items to parents then this is not in the public interest and consent would be required.
Consent of the Data Subject
Consent will be required in certain areas, and we already have examples of that … use of photos not for direct educational purposes (though schools who *still* insist on opt-out will have to sort their act out and make sure they show explicit consent), biometrics and so on.
Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract. For example, staff are contracted to school and you can’t fulfil that contract, ie pay them, without a payroll package which processes their personal data.
Necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject. A statement from the ICO clearly shows that state-funded schools, colleges and universities, as public bodies, cannot use Legitimate Interests to process data 6(1)(f) as it “excludes this possibility for processing carried out by public authorities in the performance of their tasks”.
At the end of the day, you MUST justify processing data within at least one of the above categories otherwise you have no legal basis for processing and it would therefore be illegal for you to do so.
We know there’s plenty of work to be done and it’s likely the ICO will revamp their guidance at some point however we also know this can’t be done right now as the new DP bill is still going through Parliament.
The DfE are in a similar position, but it is good to see that they are starting to engage with schools on this and get the message out that change is coming and they need to start planning.
No matter which reason you choose as the legal basis for processing the rights of the data subject must be met. If schools just do a data audit of what they have, how they got it, where they store it and why they are using it *today* it will make their life easier to work through what they will or won’t do with data later on.