Colleges need to make sure that their data protection systems and procedures are fit for purpose, with a major change in the law just weeks away, according to Victoria Cetinkaya, senior policy officer at the Information Commissioner’s Office.
The Data Protection Act, which has been in force for 20 years, will be replaced by the General Data Protection Regulation (GDPR) next month. The new EU regulation will give individuals more rights over their data than ever before and place additional responsibilities on organisations that collect and store personal information.
Organisations will have to demonstrate compliance with the new regulation and justify why they collect and hold data on individuals. The regulation will continue to apply after Brexit and will be enforced by the Information Commissioner’s Office.
Speaking at the Capita Further Education Conference this week, Ms Cetinkaya told delegates that colleges need to have privacy notices that are “concise, clear and accessible”.
Legal basis
Organisations need to demonstrate the legal basis on which they gather and keep data on individuals. The possible bases range from the individual having given consent, to the organisation being under a legal obligation, to the processing being necessary for a task carried out in the public interest.
She recommended taking a “layered approach” in providing information about how data is used. “What you need to do is to focus on what people really need to know in the top layer and then have layers that they can go through where they can find the more detailed information that you also need to give”.
Organisations have to respond to requests about the data they hold on people within a month, rather than the 40 days they have at present. Ms Cetinkaya commented: “That means you really need to have your processes and procedures up to scratch”.
Rights over data
Under the GDPR, individuals have a range of rights regarding the data that is held about them. These include the right to be informed about what data is held, to object to its processing, to have data amended or erased (in certain circumstances), and to have the processing of their data restricted. What an individual can ask for will depend on the legal basis under which their data is being processed.
In a keynote address to delegates at the conference on Tuesday, Ms Cetinkaya said: “While the rights are beefed up they are not absurd, so you’re not going to get a student being able to come to you and say I’d like you to delete the whole of my college record please, under my right to erasure”.
Complying with the law
Personal data should be processed ‘fairly, lawfully and in a transparent manner’, used for ‘specified, explicit and legitimate purposes’ and in a way that is ‘adequate, relevant and limited’, under the new regulation. It should also be accurate and up to date, kept no longer than is necessary, and processed in a manner that ensures ‘appropriate security’ of the data.
FE institutions need to demonstrate their “compliance with the law” by documenting their policies, keeping records of what they do, carrying out data protection risk assessments for things like CCTV surveillance and web monitoring, and having a data protection officer, she said.
Colleges should ensure they protect personal data by having files encrypted, testing the “resilience” of their IT systems and having defensive measures in place to guard against cyber-attacks, according to the ICO official.