UK schools, businesses and charities are now subject to new laws surrounding personal data. On 25 May the EU General Data Protection Regulation (or GDPR) replaced the Data Protection Act 1998. The new regulations give people more control over what information is kept about them and why it is being kept. They will also have the right to erase that data or ‘the right to be forgotten.’ For schools this means they’ll need to review how they collect, keep and erase data about their pupils.
One of the key pillars of the new regulations surrounds consent. Pupils – and, depending on their age, parents – will be required to give consent to their data being used, and held, in any way. Failure to obtain this will have consequences.
Here’s what you need to know.
You’ll need to be specific
Under GDPR consent may have to be obtained several times, even for issues that seem similar. For example, if a parent gives consent for their child’s photo to be used on the school’s website that doesn’t necessarily mean they’re happy for that photo to be used in the school prospectus. Likewise, if a parent is happy for you to add their email address to the school newsletter distribution list, you’d still need to get additional consent if you wanted to add that email address to the school’s fundraising database.
You should always be specific about why you want the data and what you’ll be doing it so the parent or pupil know what they are agreeing to.
You must make sure consent is clear
There is no room for ambiguity under GDPR. That means things like pre-ticked consent boxes will need to be a thing of the past. Basically, it shouldn’t be possible for someone to accidentally give consent. They should be clear what you are asking for consent for and there should be no room for error.
Pupils may be responsible for giving consent
Interestingly GDPR does not give an age in which consent can be given but it does state that the person giving consent must be competent to do so. With that it mind we can take it as a given that younger children are not able to give consent and therefore their parents must do so (or not!) or their behalf. Older pupils however, particularly in sixth form, should be able to. It’ll be important to identify who you should be seeking consent from.
Consent can be withdrawn
This is a big one. Consent is not final. It can be withdrawn. That means parents – and pupils – have a right to change their mind. Once consent is withdrawn you should act quickly to remove the data and stop using it for whatever purpose it was being used for. It’s also important that the person withdrawing consent – or, indeed, refusing it in the first place – should not be treated any differently for doing so.
Consent may not always be needed
While consent is a vital part of the new rules there are some circumstances in which consent will not need to be obtained. These are generally instances when laws dictate that the information should be collected. As an example if you are providing information to the Department for Education – a legal obligation – you won’t need to obtain consent. However, if you’re collecting contact information so that you can send out a school newsletter, for example, you will need to get consent. This is not a legal requirement.
Furthermore, if you’re already sending out newsletters or emails, you will likely need to gain consent to keep the contact details after May.