Bursars Review | Summer 2018 | Sample

Following the implementation of the new Data Protection Act on 25th May, Emma Banister Dean , data protection expert at law firm, Royds Withy King, sets out the relevant law on the five most common data-related issues faced by independent schools. The Data Protection Act 1998 – common issues Feature GDPR compliance Keep a note of what data you discard and why Adopt ‘double opt in’ as best practice Inform staff how their personal data will be processed via an appropriate privacy notice There is a pattern to the expert advice sought by schools in the independent sector on data protection law. There are core tricky issues which come up regularly and which, while quickly resolved by a solicitor, cause delay and expense. What are those issues and what are the solutions? Summer 2018 www.theisba.org.uk 8 1. Age of data consent The pre-GDPR position on the age at which an individual can control their own data was determined on a case-by-case basis dependent upon that individual’s capability to grasp the concepts involved. The starting point was the age of 12, but there have been cases where a child of 11 was held able to make the relevant decisions. The GDPR allowed its signatory countries to determine the age of ability to consent to a service being offered directly online at anywhere between 13 and 16 years. The new Data Protection Act (DPA), which deals with some detail on implementation of the GDPR, specifies a minimum age of 13 for agreeing to be provided with an online service in the United Kingdom. The level of explanation required at the point that the child provides the data will depend upon the nature of the contract. Marketing involves complex concepts, which are difficult for young people to grasp. If your school wants to reach an agreement with a young person to use their personal data for marketing purposes, you will need to provide an even clearer explanation. DPA compliant privacy notices for use with young people should use diagrams such as flow charts to explain the processing involved. You may also need a Data Privacy Impact Assessment. ISBA provides templates for this in its reference library. The DPA only deals with data awareness for agreement to online services. The previous test applies to other situations. There are occasions where a pupil does not consent to the sharing of their examination results. Whether the school accedes to a pupil’s request will depend upon an