As the new school year gets underway, is it time to consider your protection of children’s data?
Children’s data has had several areas of potential vulnerability highlighted in recent years, and this is particularly relevant for the education sector. Proving that an education setting uses careful consideration when managing children’s data is more crucial than ever.
Children’s data, as with all other personal information, falls under the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR), the legislation ensuring there are adequate safeguards in place. As a result, all educational settings must identify at least one lawful basis to allow them to legally collect and use children’s data.
Consent is commonly used as the lawful basis and, as a result, schools and academies often send out forms to parents and guardians asking for consent for a wide range of activities.
The reasons for asking for consent will depend on the setting and, sometimes, this level of bureaucracy is too much. Children’s data processing can fall under the lawful basis of Public Task when covering a wide range of educational activities and again, this is dependent on the setting and the activity itself.
However, where schools and academies are using consent forms for certain activities, it is vital that they follow the process carefully.
As seen in recent reprimands by the Information Commissioner’s Office (ICO), there can be consequences otherwise, for example:
In 2020, Moulton School in Cheshire was reprimanded after the ICO stated the school did not comply with UK GDPR regulations. The school was found to have experienced a data breach in which an image sent to the local newspaper included two children whose parents had refused consent for their images to be shared. The reprimand also states that the school did not act sufficiently when reporting this breach to the ICO and had not completed an adequate data audit prior to the investigation.
Following this reprimand, the school were prompted to enforce and update policies, procedures and staff training relating to data protection, as well as keeping records of staff training up to date to provide an adequate audit trail.
Introducing new technologies is another aspect of school life that can prove problematic, particularly when considering children’s data.
The introduction of any technology, particularly one that relies on biometric data such as facial recognition or fingerprints to identify children, must be carefully considered and a full Data Protection Impact Assessment (DPIA) must be carried out prior to any project being introduced. Completing a DPIA means the potential risks to children’s data can be identified and mitigated, and it also acts as due diligence prior to implementing the new technology.
Not completing a DPIA, and therefore evidencing such due diligence, can also lead to consequences. The ICO recently issued a formal reprimand to an Essex school after they introduced a new technology using biometric data – without first completing a DPIA.
In July 2024, Chelmer Valley High School in Essex was reprimanded following the introduction of biometric facial recognition software to improve the process of cashless payments in the school catering department. This was implemented without a DPIA being completed. It was also noted that, between March and November 2023, the school had been relying on assumed consent for the processing of this data aside from those who had already opted out. UK GDPR states that clear consent requires an affirmative action – therefore assumed consent through an opt-out option was found to be inadequate.
Failure to comply with any legislation relating to data protection, including children’s data, can result in penalties, including fines, from the ICO. Our team is well versed in protecting children’s data, having worked in education and with many of our longest standing clients in the education sector. If we can assist with your requirements, please do get in touch.