Bursars Review | Summer 2018 | Sample

Feature Summer 2018 www.theisba.org.uk 12 Remember, that under the DPA, if you are carrying out any wealth profiling of alumni you will need to include that information in your privacy notice. If you are relying on consent as the basis for marketing to alumni, having obtained that consent prior to 25th May or during their time at the school, then email them to confirm what processing they have consented to. This is known as the ‘double opt in’ and is best practice. It is also a good idea to allow alumni to update their contact details by clicking on a link at the foot your emails. In this way, you are demonstrating your intention to keep the data current. Opt in requests are more successful where the recipient obtains value in exchange. The school being in a position to confirm that the former pupil/offspring did in fact attend, being kept informed of school reunions, invitations to prestigious events and eligibility for fee discounts available only to children of alumni might all be examples of the benefits of opt in. Under PECR you need to have consent to market using electronic means. This includes email and some telephone contact. The DPA may discourage reliance upon consent where other lawful bases are available but PECR will need you to obtain it. This may well result in you relying on different bases for the two sets of legislation. 4. Contract disputes The complexity of modern family relationships often leads to those with ‘parental responsibility’ failing to work in harmony. It is critical to the child’s wellbeing that school remains a neutral and safe space. It is also critically important that the school observes the DPA to the letter when dealing with these highly contentious situations. Usually, both parents sign a contract with the school agreeing to joint and several liability for payment of fees. In practice, payment is often made by only one of them. If those parents separate then the habitually paying parent often calls upon the other parent for a contribution. So far as the DPA is concerned, the contract should refer to a privacy notice, which explains that both parties’ data will be stored and processed for the purposes of performing the contract. That would include debt recovery measures should they prove necessary. This means that any request by a parent for removal of their data under the ‘right to be forgotten’ would undermine the parent contract. The school can consider refusal of that right while the child is a pupil there. Those rights have to be balanced against the school’s contractual needs. Warring parents and their extended families have difficulty attending events where the other parent is also present. There is sometimes a misconception that if the event falls on a day when the pupil has contact with one parent then only that parent can attend the event. This is not the case. Unless the school has taken measures to withdraw consent for a parent to enter school premises, any individual with parental responsibility can attend a school event regardless of whether it is their day for a contact visit with the pupil. The lawful basis for processing and communicating data regarding extra-curricular activities is derived from the parent contract and is not dependent upon the consent of both parents. Schools may be asked by one parent for the address details of the other. The address is the personal data of the parent living there and it is not for the school to pass on that information to any other party without the data subject’s consent. There may also be a court order in place protecting the address of one parent. If the school discloses the address it could find itself in contempt of court. The answer is to emphasise the school’s neutrality and to explain that the school requires the data subject’s consent to disclose that information. Without that consent, the enquiring parent will need to take legal advice on their need for that information. 5. Amendment of employment documentation to achieve DPA compliance Common practice with contracts of employment and data protection law has been to include a clause stating that the employee consents to the use of their personal data for purposes connected with their employment. Under the DPA, these clauses are no longer compliant. The Information Commissioner has made it clear that reliance on consent for the purposes of employment contracts is nonsense – consent has to be freely given and to be able to be withdrawn, this is not the case with the usually unequal bargaining position of the employment relationship. Instead, schools need to inform staff about how their personal data will be processed via an appropriate privacy notice. To ensure staff are aware of, and compliant with, the DPA, thereby protecting the school from a breach, a clause should be inserted into employment contracts requiring staff to comply with the school’s rules on data protection. Those rules should then be set out in various policies including privacy notices and staff policies relating to IT and data security, homeworking, subject access requests and breach reporting. It is good practice to have an overarching data protection policy which pulls all of these different rules together. As well as amending and preparing documentation, it is essential that schools provide training to their staff about the changes. ISBA GUIDE TO GDPR ISBA has published a comprehensive guide to GDPR, together with many template documents including updated employment contracts, in its reference library at: https:// members.theisba. org.uk/reference- library.aspx Author Emma Banister Dean Royds Withy King emma.banisterdean@roydswithyking.com