DPO Newsletter March 2025
Please press play on the video below for a summary of the key points for this months newsletter.
Well, this last half term has flown by as usual, Spring has sprung and Easter is almost upon us!
In this issue I have included:
- Publishing photos and the threat of artificial intelligence
- Latest on the new legislation
Photos and Artificial Intelligence (AI)
I'd like to take a moment to discuss an important issue that impacts our schools and, more importantly, the safety of our students. We're seeing a rise in cybercriminals who are using advanced AI tools to exploit schools.
They manipulate publicly available images of children from our websites and digital channels to create abusive or obscene content, including deep fake images. Some of these individuals are even resorting to blackmail and deploying ransomware against educational institutions.
Given these concerning developments, it's essential for all of us to take a good look at our policies on publishing student images on school websites and social media. When we obtain consent for photos from parents or students over the age of 13, we need to be explicit about what they're consenting to and how their images will be used.
For instance, are your consent forms clear about the possibility that an image taken at a sports event could be shared with a third party for publicity purposes?
If we ensure that our consent processes are transparent and straightforward, we can better demonstrate our commitment to safeguarding our students and adhering to child protection laws and data privacy regulations. Let's work together to keep our students safe and our schools secure.
The Data (Use and Access) Bill - Understanding Upcoming Changes in the UK GDPR: What Schools Need to Know
We know that navigating the maze of data protection regulations can feel like a formidable task, (that's why you employ me 😊). There will be updates brought about by the Data (Use and Access) (DUA) Bill which as of 13 March has entered the report stage before it has a third reading in the House of Commons.
Let's dive into what these changes mean for schools in the UK and how they align with the current expectations set out in the UK GDPR and the Data Protection Act (DPA) 2018.
What's New?
Subject Access Requests (SARs): The DUA Bill updates the rules for SARs by allowing data controllers (you) to seek more information from individuals when they submit access requests. This change might mean that schools could see longer response times, but we shall need to ensure we don't fall into the trap of "undue delays". We can still refuse requests deemed 'manifestly unfounded or excessive'.
Legitimate Interests: One of the most talked-about aspects of the DUA Bill is the clarity it brings to legitimate interests. For data controllers this means you might not have to conduct formal assessments for certain data uses, especially concerning internal administration. However, schools must tread carefully just because it's clearer doesn't mean it's a free pass. A solid understanding of these legitimate interests is crucial to maintain compliance.
Automated Decision-making: The new bill introduces provisions that alter individual rights regarding fully automated decisions. While safeguards are now in place allowing individuals to contest such decisions, I understand some schools are employing automated systems for decisions (like student assessments) so they must ensure that they remain compliant and transparent about these processes. Regular training and updates to policies will be more important than ever.
International Data Transfers: With new stipulations regarding international data transfers, schools will need to be aware of the 'data protection test' for transferring information outside the UK. If your school collaborates with international partners or utilises platforms based abroad, it's essential to ensure that their data protection measures align with UK standards. In reality, this is not much of a change to the current arrangements.
Privacy Notices: There's a significant shift regarding privacy notices, as the DUA Bill allows exemptions when providing this information is deemed impractical or disproportionate. For schools, this could raise transparency concerns. It's crucial to develop clear strategies to keep your students and parents informed about how their data is used, even if you aim for compliance under this new guidance. Again, since we have a suite of privacy notices available to you there will be no real change to practice for you to be concerned about.
The Bottom Line: What Changes Can Schools Expect?
While the DUA Bill introduces more flexibility in data management for schools, it's important to remember that students' and parents' rights remain a top priority. The updates continue to challenge schools to balance effective data use with stringent privacy protections.
Realistically, I don't believe that the changes are likely to affect schools to any significant degree, but rest assured together we can review and possibly update compliance procedures to reflect these changes. I can't emphasis enough that ongoing training for staff and engaging in continuous dialogue about data rights will undoubtedly help in navigating the evolving landscape of data protection.
Remember, staying compliant is a journey, not a destination! Once the Bill is enacted we can consider these updates and adjust policies.
Finally, thank you for taking the time to read this newsletter and Happy Easter!
I hope you find this newsletter useful. If you have any questions at all about anything I've included in this edition please do not hesitate to contact me.
Richard Lewis-Ogden
