3 Data Protection Myths Busted

Data protection law reinforces common sense rules of information handling, which most education settings try to follow anyway.

It is there to ensure schools manage the personal information they hold in a sensible way.

Organisations must keep the information accurate and up to date; they must only keep it for as long as they need it for a specified purpose; and they must keep it secure.

Some schools understandably err on the side of caution and do not release information when they could do so.

Here are some common data protection myths and realities:

MYTH 1 – The Data Protection Act stops parents from taking photos in schools

Photographs taken purely for personal use are exempt from the Data Protection Act.

This means that parents, friends and family members can take photographs for the family album of their children and friends participating in school activities and can film events at school.

The Data Protection Act does apply where photographs are taken for official use by schools and colleges, such as for identity passes, and these images are stored with personal details such as names. Where the Act does apply, it will usually be enough for the photographer to ask for permission to ensure compliance with the Act.

The Information Commissioner’s Office has also issued practical guidance on this subject.

MYTH 2 – A parent can request that you delete their child’s data at any time

Any request for data to be erased should only be honoured if there is no lawful basis for that pupil’s data to be held.

Secondary schools are legally obliged to retain a pupil’s records until the pupil is aged 25. If such a request is made, it is important to consult your school’s data protection policy or your data protection officer (DPO).

MYTH 3 – All data breaches must be reported

A number of schools have been concerned about the new rules around data breaches – namely that data breaches have to be reported to the ICO within 72 hours.

There are a few misconceptions to clear up here. Firstly, the 72 hours only begins once you find out about the breach, not from when the breach happens.

The ICO clearly doesn’t expect you to report things you don’t know about but having a robust data protection system in place will mean that you should find out about any breaches quickly anyway.

Secondly, you don’t have to report ALL breaches to the ICO, just those that might result in a risk to a person’s rights and freedoms (that is, breaches likely to cause harm to an individual).

This can be a tricky line to judge; however, the ICO are more than happy for you to use their live chat function or give them a quick call to see if you need to make a formal report.

For an enforcement agency, the ICO are surprisingly helpful and understanding if you’re trying to do the right thing.