School suppliers

SCHOOL SUPPLIERS What schools will need from you!

Supplier GDPR requirement for schools

School supplier compliance

The General Data Protection Regulation (GDPR) comes into force on 25 May 2018 and will be applied into UK law via the updated Data Protection Act. A significant change the GDPR brings for school suppliers is that it places direct obligations and legal responsibilities on them. Alongside these, data subjects may enforce their rights directly against data processors. Schools will be required to include information about their data processing activities in their data audit, which in turn will require suppliers to provide them with detailed information about how data is processed and their GDPR compliance status.

IT WILL BE ILLEGAL FOR SCHOOLS TO USE ANY SUPPLIER WHICH IS NOT COMPLIANT. THE DfE HAS ALREADY ADVISED SCHOOLS THAT THEY MUST STOP USING ANY ORGANISATION WHICH CANNOT DEMONSTRATE THEIR COMPLIANCE.

ICO advises that: "Controllers are liable for their compliance with the GDPR and must only appoint processors who can provide ‘sufficient guarantees’ that the requirements of the GDPR will be met and the rights of data subjects protected."

Which suppliers process personal data?

Confusion is arising regarding which of the hundreds of suppliers to schools are data processors and thus should become part of their data audit. Every business must adopt and apply the GDPR, but those that process data on behalf of schools must provide significantly more details of their processing mechanisms. Here are some examples:

1. A book supplier asks the member of school staff who is ordering the books for their name, phone number and email address. The book supplier needs this data to process the order and is the data controller. They are responsible for keeping all personal data safe, and individuals have rights to ensure it is safe and correctly managed. THIS SUPPLIER WOULD NOT BE PART OF A SCHOOL DATA AUDIT.

2. The same book supplier has an area online where teachers test students on the content of the books. Teachers upload student names and students log in to take the tests. The supplier is processing data for the data controller (the school). THIS SUPPLIER WOULD BE PART OF A SCHOOL DATA AUDIT AND MUST PROVIDE INFORMATION TO SCHOOLS TO COMPLETE THIS.

3. The school runs library software within the school that contains information about staff and students, including what books and resources they have accessed. ALTHOUGH THE SUPPLIER IS NOT A DATA PROCESSOR, THEY NEED TO SUPPORT SCHOOLS IN UNDERSTANDING WHAT DATA IS BEING PROCESSED. THIS SUPPLIER WOULD BE PART OF A SCHOOL DATA AUDIT AND MUST PROVIDE INFORMATION TO SCHOOLS TO COMPLETE THIS.

What is Article 30 in the GDPR and why is it so important?

The GDPR is a huge piece of legislation which builds on existing practices and embraces change throughout the mechanisms we use to protect personal data. However, it is Article 30 which epitomises the extent of those changes and how it is necessary to review every part of your data protection processes. It is now mandatory to keep written evidence that everything you say you are doing to protect data is in fact true.

Copyright ©2018 GDPR in Schools Limited

A school is entitled to ask for written assurances, or even evidence, that you are properly, lawfully and securely processing data. Every data controller and processor must keep records of processing activities. The text below is taken directly from GDPR Article 30.

ARTICLE 30

Records of processing activities

1. Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information:
a. the name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the data protection officer;
b. the purposes of the processing;
c. a description of the categories of data subjects and of the categories of personal data;
d. the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
e. where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
f. where possible, the envisaged time limits for erasure of the different categories of data;
g. where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

2. Each processor and, where applicable, the processor's representative shall maintain a record of all categories of processing activities carried out on behalf of a controller, containing:
a. the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller's or the processor's representative, and the data protection officer;
b. the categories of processing carried out on behalf of each controller;
c. where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
d. where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

3. The records referred to in paragraphs 1 and 2 shall be in writing, including in electronic form.

4. The controller or the processor and, where applicable, the controller's or the processor's representative, shall make the record available to the supervisory authority on request.

5. The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.


What will schools ask from data processor suppliers?

a) Contract
Schools as data controllers may only appoint data processors which provide sufficient guarantees that their processing meets the requirements of the GDPR. As a processor, suppliers will be required to process personal data in accordance with the controller's instructions. A relevant school/supplier contract should therefore be in place which specifies the interests of both controllers and processors and sets out their obligations in a clear and easy-to-understand manner. This will usually involve a Data Sharing Agreement.

b) Restrictions on sub-contracting
Data processors may only sub-contract processing with the prior written consent of the school, the data controller. If a new sub-processor is engaged, the school must be given time to object. The lead processor must ensure that the same contractual obligations it has with the controller also hold for any sub-processor. An example would be a data integrator which a supplier uses to extract data from the MIS and publish it to the data processor; the data integrator is usually a sub-processor.

c) Demonstrating compliance
Suppliers MUST demonstrate GDPR compliance. Processors are under an obligation to maintain a record of all categories of processing activities. There is a carve-out to these obligations where the processor has fewer than 250 employees, provided the processing does not pose a risk to the rights and freedoms of individuals, is not more than occasional and does not include special category data. Very few suppliers to schools will be able to use this carve-out: few schools will buy systems in which personal data is only used occasionally, and many use special category data or data considered to require sensitive handling, such as SEN, FSM and ESL.

d) Security
Processors are required to implement appropriate security measures. These measures might include pseudonymisation and encryption. Regular testing of the effectiveness of any security measures is also required where appropriate. Information on Cyber Essentials is available from the National Cyber Security Centre.

e) Breach notification
The enhanced breach notification requirements will be in place for both data controllers and data processors. This is an area which might benefit from being dealt with in more detail in school/supplier contracts.

f) Data Protection Officers
Both controllers and processors are required to appoint DPOs in certain situations. Please take professional advice to see if this applies to you.

g) Transfers to third countries
A data processor has a degree of independence from the controller when deciding whether or not it can transfer personal data to a third country. However, they are required to follow the relevant data controller's instructions and they may only transfer personal data to a third country if there are appropriate safeguards and on condition that data subjects have enforceable rights in that country.

h) Codes of Conduct
The GDPR refers to approved Codes of Conduct as a means both to impose additional obligations on processors and for them to demonstrate compliance. If you are a member of an association or body, please refer to their guidance.

Supplier data mapping

To demonstrate that suppliers’ systems used by schools for data processing are GDPR compliant, a data mapping exercise will need to be carried out. In this you will be required to establish the data processing activity you are carrying out, as specified in Article 30 of the new regulations. To do this, the fields where personal data is stored must be known, and a series of properties must then be assigned to complete the mapping process. EVERY SCHOOL WHICH USES YOUR SYSTEM FOR DATA PROCESSING IS OBLIGED TO FIND OUT THIS INFORMATION TO COMPLETE FULL DPIAs. YOU MUST PROVIDE IT. Here’s what they will ask you.

Data Fields or Elements?

Data processing suppliers will be using a number of data fields within their systems. It is acceptable to identify each field individually or to group them together as ‘data elements’. A data element is a group of fields that carry identical data processing properties and rights, e.g.:

• Individual fields: Title, Forename, Middle name, Surname
• Data element: Name
• Individual fields: Year, Class, Registration group
• Data element: Academic identification

Processing activities and purpose of collection
A simple description of the processing activities and why the data is being processed, together with the legal grounds for collection, is assigned.

Data source
It is important to know where the data was sourced, to reflect its integrity and to know what needs changing, and where, if it is incorrect.

Data controller/Processor
No one can process data until it is clearly defined who is the controller and who is the processor. In some instances this is shared.

Sensitivity
It is important to know where special category data is being processed, as extra care and diligence must be given. Data controllers and processors must be able to demonstrate this.


Retention
It is essential to define how long personal data is retained.

The rights of the individual
No data controller or processor may process data unless they have considered the legal rights of individuals. Confirmation that rights are met must be recorded, as well as rights which cannot be given or are not applicable.

Data Sharing
Data may be shared with other suppliers during data processing. This must be known and recorded.

Data Location
Where data is processed and stored is an essential part of the mapping process.
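The mapping exercise described above, from grouping fields into data elements through assigning retention, sharing and location, as a small checker a supplier could run over its own data map. This is an added example, not code from the GDPRiS document or platform; the product, element names and property values are constructed, and the Article 30(5) test is a simplified reading of the carve-out text quoted earlier.

```python
from dataclasses import dataclass, field

# Properties the mapping exercise assigns to every data element.
REQUIRED_PROPS = ("purpose", "legal_ground", "source", "role", "retention_days", "location")

@dataclass
class DataElement:
    name: str                       # e.g. "Name" grouping Title/Forename/Surname
    fields: list                    # individual fields carrying identical properties
    props: dict = field(default_factory=dict)
    special_category: bool = False  # SEN, FSM, ESL and similar need extra care
    shared_with: list = field(default_factory=list)  # sub-processors, other suppliers

def missing_properties(element):
    """Property names not yet assigned; empty means the element is fully mapped."""
    return [p for p in REQUIRED_PROPS if not element.props.get(p)]

def carve_out_applies(elements, headcount, occasional, risky):
    """Article 30(5) as quoted above: the exemption is lost if ANY of 250+ staff,
    non-occasional processing, likely risk, or special-category data holds."""
    if headcount >= 250 or not occasional or risky:
        return False
    return not any(e.special_category for e in elements)

def audit(elements, headcount, occasional=False, risky=False):
    """Summarise what a school's data audit would flag for this supplier."""
    gaps = {e.name: missing_properties(e) for e in elements if missing_properties(e)}
    return {
        "gaps": gaps,
        "special_category": [e.name for e in elements if e.special_category],
        "shared": {e.name: e.shared_with for e in elements if e.shared_with},
        "art30_carve_out": carve_out_applies(elements, headcount, occasional, risky),
    }

# Constructed sample map for a hypothetical online pupil-testing product.
SAMPLE_MAP = [
    DataElement("Name", ["Title", "Forename", "Middle name", "Surname"],
                {"purpose": "identify pupil in tests", "legal_ground": "public task",
                 "source": "school MIS via integrator", "role": "processor",
                 "retention_days": 365, "location": "UK"},
                shared_with=["MIS data integrator (sub-processor)"]),
    DataElement("Academic identification", ["Year", "Class", "Registration group"],
                {"purpose": "group test results", "legal_ground": "public task",
                 "source": "school MIS via integrator", "role": "processor"}),
    DataElement("SEN status", ["SEN flag"], special_category=True,
                props={"purpose": "adjust test timing", "legal_ground": "public task",
                       "source": "school", "role": "processor",
                       "retention_days": 365, "location": "UK"}),
]
```

Calling audit(SAMPLE_MAP, headcount=40) reports the two unassigned properties on "Academic identification", the sub-processor sharing on "Name", and that the carve-out does not apply because special category data is in the map.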

Consequences of non-compliance

Under current law, data processors are liable if they fail to comply with their contractual obligations to their controllers. However, previously no direct action by regulators or data subjects was possible. Everything changes under the GDPR. Data subjects and data controllers will be able to take action and claim damages where they have "suffered material or immaterial damage" if the processor fails to meet its obligations under the GDPR. As well as data subjects claiming damages from data controllers and data processors, non-compliant data processors can be investigated and action taken by the regulator, the ICO. These range from access and audit rights, to administrative orders and, ultimately, to fines of up to 4% of annual global turnover for certain breaches.

What next?

Schools must greatly increase the accountability of their supplier data processors under the GDPR, and this means that the school/supplier contract becomes even more important. Suppliers have as much of an interest in making sure obligations are precisely defined because they will become so much more exposed. Here’s what you need to have started to do:

• review existing contracts with schools;
• review processing activities;
• map how the data is processed and used;
• review use of sub-contractors;
• review data export/import arrangements;
• consider the appointment of a DPO;
• review data security;
• set up compliance accountability procedures; and
• conduct risk assessments to establish what form appropriate technical and organisational measures will take.


How can GDPRiS help?

GDPRiS guides both schools and suppliers through the process of adopting the applied GDPR. Our platform is a central repository to store all information relating to GDPR compliance. It allows complete transparency and demonstrates auditable accountability, all of which is recorded in one place. To support schools and suppliers we have created a ‘Supplier Product Directory’ from which a school can access all the information it needs to complete its data audit. A supplier may complete their section of the ‘Directory’ free of charge. There are many benefits to suppliers that engage in this way.

1. Our templates provide a focus to complete the information that schools will need from you.
2. Our templates take you through a thought-provoking process along your GDPR journey.
3. Your data sharing agreement and privacy policy can be accessed by all your schools.
4. Instead of completing and sending these many times to your customers, you have just one place to maintain the information.
5. You may export the information and use it outside the GDPRiS platform.
6. Schools may bespoke your information if they use your system in a different way from other schools.
7. If you need to change any part of your data map, schools will be informed automatically.
8. Your data will be sitting alongside some of the biggest data processors in the schools’ market.
9. Our experts will be monitoring all aspects of data protection and if new changes are introduced you will be informed immediately.
10. There is NO CHARGE to use this service.

GDPRiS wants to make schools’ GDPR journey as easy and as smooth as possible.

Screenshot from GDPRiS

Disclaimer: We do not warrant that using the GDPRiS platform will make you GDPR compliant. The information provided in this document is for general guidance on your rights and responsibilities and does not constitute legal advice. If you require further information on your rights or advice about what action to take, you should obtain independent legal advice.


Contact GDPRiS: Call: 0203 286 2018 Email: [email protected] Follow: @GDPRinSchools
