1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.
  2. Hi Guest, welcome to the TES Community!

    Connect with like-minded education professionals and have your say on the issues that matter to you.

    Don't forget to look at the how to guide.

    Dismiss Notice

Data Protection Question : Data Protection Notice

Discussion in 'Governors' started by geekydad0, Mar 8, 2016.

  1. geekydad0

    geekydad0 New commenter

    My son's school sends out an annual 'Data Protection Notice' to parents/guardians of all pupils. This must be signed and returned to the school to grant permission to process pupil data.

    The data protection notice states that information may be shared with a range of partners, several of whom are explicitly named such as the DofE, QCA & NHS.

    The full list covering all of the organisations with whom the school shares pupil data is somewhat different. A total of nearly 50 external bodies receive non-anonymised pupil data, despite only 5 being named in the data protection notice issed to parents/guardians.

    No explicit permission has been sought for this level of data sharing. The school does not disclose to pupils, parents or guardians that this level of data sharing takes place. There appears to be no legal requirement for most of this pupil data sharing to take place.

    I would welcome any comments on this level of non-anonymised pupil data sharing and the need for explicit permission to be sought from pupils, parents or guardians.
  2. Skeoch

    Skeoch Star commenter

    Some will be requirements of running external exams - so all exam boards will need to be on the list; this might extend to registering top sportsmen with the national authority, or the Duke of Edinburgh's Award, or Associated Board for music qualifications. UCAS, Careers service....
    Some software providers, too: if, for instance, the school uses Google Docs or a VLE provider, will need a minimal amount of personal data to allow logins.
    While there may be no legal requirement for this, without the data sharing many things would be impossible.
    There will be a few where there is a legal requirement, for example local and central government, police, social services.

    You could look on the Information Commissioner's website for the registration details of the school. This will include a statement of the organisations concerned. They are likely to be listed as groups or types of organisation rather than by name.

    I would argue that in practice it would be an absolute nightmare to contact parents about every organisation with which data might be shared. A practical approach is to state the kinds of organisations that might be involved, and the reasons.

    If you have specific concerns about an organisation, the best thing to do would be to contact the Data Controller at the school - this is the person with legal responsibility and may well be the Head Teacher.
    wanet likes this.
  3. geekydad0

    geekydad0 New commenter

    There is no doubt that "without the data sharing many things would be impossible." However, does this bypass the need for data sharing consent, especially in cases where there is no legal requirement for the activity that led to the need to share data?

    Like most schools, the ICO registration in this case gives no detail whatsoever relating to data sharing, either as groups, types or individual organisations.

    Some might reasonably argue that "it would be an absolute nightmare to contact parents about every organisation with which data might be shared". On the other hand, the need to obtain such permission may help a school decide if it really needs to send data such as name, date of birth & address to external organisations where there is no legal requirement to do so?

    In most cases the data is shared by the school on a 'nice to have' basis, not because of a legal requirement, or because it is 'necessary', as outlined in the DPA: https://ico.org.uk/for-organisations/guide-to-data-protection/conditions-for-processing/

    I must stress that the data sharing of concern consists of full name, date of birth and address - not things like VLE login details. In most cases ethnicity is also shared, even though this is defined as 'sensitive personal data' by the ICO and must be subject to extra care: https://ico.org.uk/for-organisations/guide-to-data-protection/key-definitions/

    The over-riding concern is that there is too much elective sharing of personally identifiable information by the school with no knowledge or permission from either the data subject (pupil) or the parent/guardian.

    I would expect this level of data sharing to be made apparent either through the ICO registration, the data protection notice sent to parents/guardians or on a case by case basis as a new 'need' to share this level of personal data externally is considered.
  4. wanet

    wanet Star commenter

    But there was an interesting case where data from a company that went bankrupt was allowed to sell data because it was a company asset, even though the data subjects had specifically said that the didn't want it shared.
  5. geekydad0

    geekydad0 New commenter

    I think that's specifically the kind of issue that schools are unaware of, and certainly not something that many, if any, will seek to protect themselves against when reviewing service supply agreements with external suppliers.

    Don't suppose you happen to know the company involved?
  6. neddyfonk

    neddyfonk Lead commenter

    Things are done in the name of Data Protection (1984) but very few actually abide by the registration process or associated rules.
    I had a DWP sanction so I requested my details that were on file, including internal e-mails and correspondence. I got back all the notices, official letters and dross they kept but nothing I could use to prove they had stitched me up - but there was a bank statement they had illegally obtained from my bank !! without my knowledge or consent.
    If a parent used the act to request data about their child, few schools would sift through internal informal records about behaviour or attitude that might be exactly what the parent needs to inspect to confirm allegations of bullying ( or worse ).
    Reading official document (.gov) they make a point of saying the Unique Pupil Identifier should only be used when processing data because it could be used to trace the whereabouts of children by estranged parents etc but that is stupid because the school should be using it to ensure data is not associated with the wrong child.
    You can find people and loads about them if you pay 192.com or credit checking or car registration etc and anyone can publish anything ( other than slander) about anyone via twitter / facebook etc - not a lot of data protection being applied there either.

Share This Page