What Are the Changes Made to the School Data Protection Policy

Schools are in a much better position to update their data protection policy than other businesses. The data they collect is most probably that of the students and teachers. Gaining consent is one of the primary principles of data protection policy that schools have to follow, and it has the highest priority here. Implied consent and pre-ticked boxes are not considered consent: they do not constitute consent but work around the principles to obtain it by unseemly measures. This is the primary change that every school data protection policy has to include and implement. We’ll now see some other changes that have been implemented after the recent revision to the GDPR.
- After the data is collected by the school, the individual should be able to access that data within a month of the request. Access to the data should be free; it shouldn’t cost the individual anything to access his/her own data.
- Privacy notices displayed on the school bulletin board need to be detailed. If consent is to be gained from children rather than a guardian, the children should be able to grasp the meaning of these privacy notices and should also understand how and where their data is being used.
- An individual can ask the school to delete data under certain circumstances. Data is only to be stored for as long as necessary, so if an ex-employee wants the school to delete his/her record, he/she should not face any obstacles.
- Prior to the revision, schools were allowed to process data under the legitimate interest justification. Even before the revision, the legitimate interest justification clarified that children’s data rights had to be adhered to, and that data was to be shared for processing only after any risks had been assessed.
- The information commissioner officer is to be notified of a breach within 72 hours after it occurs. If the breach poses a high risk to the individual whose data has been breached, then he/she is to be notified.
- GDPR has defined two levels of fines to be imposed on those who fail to comply. The fine for schools would be either 20 million euros or 4% of annual turnover, whichever happens to be the greater.