Data Protection

The Data Protection Act 1984 gave individuals the right to know what information is held about them, and it provides a framework to ensure that personal information is handled properly. The Data Protection Act 1984 was revised with the Data Protection Act 1998 which changed original definitions and meanings and broadened the scope of the original act. The DPA works in two ways. Firstly, it states that anyone who processes personal information must comply with eight principles, which make sure that personal information is:

The Eight Principles

• Fairly and lawfully processed
• Processed for limited purposes
• Adequate, relevant and not excessive
• Accurate and up to date
• Not kept for longer than is necessary
• Processed in line with your rights
• Secure
• Not transferred to other countries without adequate protection

Data Protection Act Terminology related to school activity

• personal data – data relating to any living individual, or from which a living individual can be identified; this can take the form of electronic or manual records as well as photographic and CCTV images.
• sensitive personal data – personal data relating to an individual’s mental or physical health, race/ethnic origin, religious or political beliefs, sex life or trade union membership.
• data subject – an individual to whom any personal data relates.
• data controller – all schools are classed as data controllers, as they are responsible for processing personal data.
• data processor – any external organisation that processes personal data on behalf of a data controller, in this case the school.

Data protection is a complex area and one that all Children’s Services are still working through. A recent report by the Foundation for Information Policy Research (fipr) commissioned by the ICO clearly indicates that there are considerable grey areas with interpretation and practice. It is no surprise that following the publications report, disclaimers started appearing on official guidance to schools.

The principles above form the basis of the law on data protection, and schools should be cautious of anything that extends the use of data. The firm guiding principle is that that any data subject (the person the data is about) should be informed in writing of the data held about them and why it is required. Where the use of data is not specifically covered by an Act of Parliament or Statutory Instrument, the data subject should be informed and give their consent. (The ‘Gillick Competence’ clarifies the age of children at which this consent is appropriate)

The statement in Parliament by Jacqui Smith on 27th Feb (Hansard ref 60227132) that the Education Act 2002 gives schools permission to do whatever they think reasonable is at odds with the Data Protection Act 1998, (interestingly the statement is currently blocked by Hansard) as in all cases of law, a specific act or instrument takes precedence over a general condition.

What do schools need to do … ?

• Register with the ICO.
• Publish a Fair Processing Notice (FPN), the content of which is usually agreed by the Local Authority and Dept. Children Families and Schools (DCFS).
• Provide a Data Protection Policy.
• Provide Acceptable Use Policies (AUP’s) for staff.