ICO receives hundreds of unnecessary school referrals as leaders struggle with GDPR

The information watchdog dealt with hundreds of unnecessary referrals relating to schools in the year after tough new data protection rules were introduced.

Of 1,385 school cases handled by the Information Commissioner’s Office (ICO) in the first year of the General Data Protection Regulation (GDPR), just 208 (15 per cent) resulted in orders to take action.

It follows reports last year of a surge in the number of data security incidents reported by the education sector in the wake of the changes.

The rules, which came into effect in May, require schools to be clearer about the data they hold and respond more quickly to requests for copies of personal data. They must also appoint a data protection officer to supervise the way data is handled.

The introduction of the GDPR was marred by accusations that the Department for Education failed to prepare schools for change. Data obtained by Schools Week under the Freedom of Information Act suggests schools are still struggling to interpret their role.

Almost half the ICO’s GDPR school cases were self-reported, while the rest came from third parties. Of the 665 self-referrals from schools, about 80 per cent required no action.

“It does reflect a misunderstanding of what the GDPR actually means for schools,” said Mark Orchison, the managing director of 9ine Consulting, who believes the number of reports to the ICO will increase.

“It may be that the schools that are self-reporting just don’t understand what they’re doing,” he said, as he called for more schools to “upskill” their staff.

“If you don’t know whether it’s a breach, you’re likely to report it because you don’t want to get told off. But until you upskill the profession to understand the difference between a breach and a near-miss, you’re going to continue to see a high level of reporting of potential breaches.”

However, he said it was better to be safe than sorry. “It means schools are actively trying to protect the data they have.”

Of the school cases handled by the ICO in the first year of the GDPR, 38 per cent related to disclosures of data, 29 per cent to subject access requests and 24 per cent to data security.

The handling of subject access requests was the biggest reason for complaints by third parties, followed by disclosure and then security. Disclosure was the biggest reason for school self-referrals, followed by security.

The prevalence of complaints relating to subject access requests (SARs) – which give anyone the right to request all the information an organisation holds on them – has prompted warnings that they could be used for the wrong reasons.

“The high number . . . demonstrates that people are seeking to use this as a way to get schools to act in the interest of the individual, whether or not a SAR is the right mechanism to use,” Orchison said.

Some institutions were the subject of multiple referrals. For example, the ICO dealt with five cases relating to the Aspire Academy Trust in Cornwall. Only one referral resulted in the trust being told to take action.

Aspire said all five cases related to a complaint from one member of staff and that there had been no data security breaches.

“As a trust, we have taken the new regulations extremely seriously,” said a spokesperson.

“We reviewed policies, updated systems and initiated regular training sessions well before the regulations came into force.”

Overall, 82 per cent of cases handled by the watchdog in the first year of the GDPR from all sectors required no action.

Elizabeth Denham, the information commissioner, said in a blog that although the data showed organisations were “taking the requirements of the GDPR seriously”, she accepted that it “remains a challenge for organisations and data protection officers to assess and report breaches within the statutory timescales”.