Bursars Review | Summer 2018 | Sample

assessment of that pupil’s grasp of the concepts. To minimise the occurrence of these situations it is important to familiarise parents and students regularly with when and how their results will be published. In the event that a pupil does grasp the relevant concepts and refuses consent to publish, the school may want to consider anonymising that data.

Requests for information which is not the applicant’s personal data under the DPA should be treated as requests under the Freedom of Information Act (FOIA). These provisions can, for example, allow parents to access their child’s personal data where it is not held in a structured filing system. Personal data is exempt from disclosure under the FOIA if disclosure would breach any principles of the DPA. Again, the child’s consent would need to be explored depending on their grasp of the relevant concepts.

Always establish whether the requesting individual has parental responsibility. Double check the identity of those concerned. Then check with the pupil whether they understand the concepts involved and consent to the disclosure.

2. Retention of data in relation to potential claims of abuse

Schools will want to help with any enquiry into allegations of abuse in order to be demonstrably transparent. Schools are also the guardian of their staff’s wellbeing and have to comply with the DPA. These can seem like competing requirements.

The starting point is what does your insurance require? Some insurers are requiring schools to retain all data that might be relevant to a potential claim of abuse for a minimum of 60 years. Pending further guidance from the Independent Inquiry into Child Sexual Abuse (IICSA), and in light of recent court decisions very significantly extending the applicable limitation period on claims of abuse, current legal advice is often to retain relevant data for the lifetime of the member of staff concerned. So how can that be balanced against the DPA requirements?
The answer is not to use reliance on the need to defend a potential claim to justify failing to review and cleanse the data held. Discard anything that will not be relevant to an employment claim once the employee leaves, and check again for relevance once the time limit for that employee to bring a claim against the school expires. Keep a note of what you discard and why. Remember, it is not only the presence of suspicions on a file that might later be relevant. The absence of such information could later be valuable when defending the school’s reputation.

3. Fundraising and marketing under DPA

There are twin tracks of legislation that govern an independent school’s ability to contact its parents and alumni: the DPA and the Privacy and Electronic Communications Regulations (PECR). Schools need to be compliant with both sets of legislation.

To process the data of your alumni and parents you need a lawful basis on which to do so under the DPA. While the individuals are still at your school your lawful basis for processing data is likely to be in order to enable the performance of a contract. There will then be a period in which you hold data as part of your legitimate interest in being able to defend the school against matters such as a personal injury claim, but you also want to use the data for marketing and fundraising. The lawful basis changes to reliance on categories such as performance of a legitimate interest (potential claims) or consent (marketing) depending on the data. You will need to record the relevant lawful basis at every stage.

The new Data Protection Act specifies a minimum age of 13 for agreeing to be provided with an online service in the UK
