Bywater Kent April/May GDPR Newsletter Blog Version

I attended a conference for data protection professionals on Tuesday 28 April. Amongst the speakers were Owen Rowland, Deputy Director of the Science, Innovation and Technology Department and Head of Data Protection and Emily Keaney, the Deputy Information Commissioner at the ICO. The main topic of particular interest was the Data (Use and Access) legislation. This is currently in Committee stage in the House of Commons and will then have a third reading before it goes back to the Lords for final amendments and Royal Assent.

There are a significant number of changes to the Data Protection Act 2018 but in all honesty these will affect organisations wanting to use data for commercial purposes and there is a commitment that formal data protection will continue in order to maintain adequacy with the European Union. Nevertheless, the legislation will provide the ICO (to be renamed the Information Commission) additional regulatory powers.

As they say, the devil will be in the detail and so I shall of course be keeping a close eye on it. Owen Rowland informed us that it was expected that there will be a 2 month period after Royal Assent for minor and technical changes and an implementation period of 6 months for the substantive provisions and 12 months for full implementation.

As the importance of data protection continues to grow, it's crucial that we manage the personal data of our pupils effectively and in compliance with the GDPR. There has been an important update regarding the Arbor management information system and how it impacts our data retention practices for pupil leavers.

Historically, primary schools using the Arbor system faced challenges when it came to deleting the records of pupils who had left the school. This limitation raised significant concerns regarding compliance with the GDPR. Under Article 5 of the GDPR, personal data should only be kept for as long as necessary for the purposes for which it was processed. Additionally, the Education (Pupil Information) (Engalnd) Regulations 2005 stipulates that educational records must be transferred to a child's new school, making it essential to remove the data of pupils who have left after this transition.

I am pleased that Arbor has recently introduced an update that now allows for the bulk removal of pupil leavers. This enhancement is a significant step forward in our compliance efforts, and I encourage all schools to take action.

Action Steps:

1. Run the Delete Report: Schools should prioritize running the delete report on the Arbor system to permanently remove the data of pupils who have recently left. This is a vital step not only for GDPR compliance but also for maintaining the integrity of our school records.
2. Establish an Annual Review Process: To maintain ongoing compliance, I recommend that each school implements an annual rolling programme to review and delete the records of pupils who left three years prior. For example, this means that pupils who left in 2021 should be removed once they reach the age of 14, provided that their Common Transfer File (CTF) has been successfully completed.

By taking these steps, we can ensure that we are not retaining unnecessary personal data and that we are safeguarding the privacy of our pupils in alignment with regulatory requirements.

If you have any questions or require assistance in running the delete report or establishing your annual review process, your IT Support Technician will be able to assist. Together, we can ensure that our data protection practices are robust and compliant, offering peace of mind to both schools and families.