We have put together a brief overview of GDPR and how it will affect your health and safety.
What is GDPR?
GDPR stands for the General Data Protection Regulation, which comes into effect on the 25th May. The regulation replaces the Data Protection Act 1998 and applies to all organisations that collect or use the personal data of individuals who live in the EU.
The GDPR will still be applicable post-Brexit.
‘Personal data’ refers to any data which can identify an individual, including names, addresses, grades, medical information etc.
A breach of the regulations can result in large fines, and individuals can also ask for compensation if organisations don’t comply.
Does GDPR affect our school?
The GDPR applies to all organisations that process personal data, and schools handle a large amount of personal data. However, schools are in a much better position to comply with the GDPR changes than most private organisations as most schools already have robust policies and procedures in place for data protection.
The GDPR defines two roles:
1. Data Controller – determines the purposes and means of processing personal data.
2. Data Processor – responsible for processing personal data on behalf of a controller.
As a public body, schools fall under the role of Data Controller. As the Data Controller, the school holds full liability for all data handling issues, including breaches and non-compliance.
Any third party supplier you use to process data within your school will be a Data Processor. Data Controllers and Data Processors are jointly liable for any breaches or non-compliance.
How will GDPR affect Health and Safety?
Health and safety systems in schools contain a large amount of personal data about pupils, parents, employees, contractors etc.
As well as names, addresses and phone numbers, health and safety systems may contain personal data such as:
Your health and safety data should be integrated into the changes and control measures you put in place across your school to manage personal data.
These changes should include:
1. Gaining a better understanding of the GDPR and your duties under the legislation. For more information, visit the Information Commissioner’s Office (ICO) Education page.
2. Understanding and documenting your current data processes in order to demonstrate that they meet compliance requirements.
3. Creating a register which identifies what types of personal data are being held, where they are stored and how long you need to retain the data for.
4. Identifying which third party companies you store or share data with (such as online storage sites, CRMs etc.) and ensuring they are GDPR compliant.
5. Assessing the security of your data storage and whether additional control measures are required to detect and manage breaches.
6. Undertaking a data protection impact assessment to identify the most effective way to comply with your data protection obligations.
We hope this short overview has proved beneficial, and assured you that this daunting task is manageable with sufficient knowledge and resources.
There are also some great free GDPR resources for schools which you can find here.