Session 2017-19
Data Protection Bill [HL]
Written evidence submitted by John Gordon (DPB15)
Re: Data Protection Bill 2018 and Schools
Dear Committee Chair and Members
I would like to raise some views on the introduction of the Data Protection Bill 2018. I would like to understand why the bill is worded the way it is such that it causes so much impact on schools (and other small bodies). These are my opinions. I believe from detailed conversations with Head Teachers they are shared by many others across the land.
I would politely ask that you might review the observations below and perhaps consider the following amendment to the bill for the reasons I have set out or at least let the public have a clear understanding of why the bill is causing the situation described.
The simple challenge is: why would we not add the clause below to the Data Protection Bill 2018?
"Schools should not be considered as a public authority or body for the purposes of the Data Protection Bill"
My concern relates to schools being blanket classified as a Public Authority under the bill (caused by the Freedom of Information Bill reference and definition in the draft/ GDPR). This has a large and disproportionate impact on them (especially small village schools) compared to other organisations for no clear or apparent gain.
Background
1) I am a consultant with three decades of experience and background in the likes of programme management, medical devices, handling healthcare data and the implementation of regulatory change which I feel gives me some perspective against which to comment.
2) As an Engineer, Project Manager and Chartered IT Professional I wholly welcome the General Data Protection Regulations, GDPR and support the introduction of the bill as long overdue and a welcome update to protect the people of the UK and Europe in the modern digital age.
3) There are substantial monies to be made working in the economic activity created by this bill. However, I also have two young children in school and my professional instinct says that there are aspects of the implementation that will have substantial impact on schools, detracting from the education of children. They feel plainly wrong.
4) I have watched the bill's progress through the Lords and the recent second reading debate in the House of Commons. Extensive though this debate was, I felt it did not give due time or weight to some of the concerns raised.
5) I have already exchanged letters (attached) [1] via my MP (reply Robin Walker 22/1/2018) [2] with Ministers in the Department for Media and Culture and the Department for Education. I have also had some dialogue with the Office of the Information Commissioner. While useful, none of the replies to this correspondence has successfully addressed the issue of why the bill is worded as it is. The ICO clearly are not inclined to comment on matters political and the government appears set on one course of action with the bill as it is. It is not in their interests to answer the why I guess. This leaves your committee to consider if we should address this as the only way the public can achieve greater insight.
6) The data oversight role in schools, up until now (under the current 1998 bill) has been well executed in a flexible way to fit with the needs of protection as appropriate to each school. They did not need by statute to have a Data Protection Officer. Most schools would have someone overseeing data protection appropriate with the need. It is difficult to find anyone who would argue schools were anything but highly capable and compliant in all data protection areas.
7) Schools have been well inspected under the current 1998 Data Protection Bill with little high-level concern from the ICO. Their compliance is good. They have been keeping the data of children protected. I accept that the GDPR will continue to help them do that.
8) I am not looking in any way to reduce the level of data protection provided to our children in the school environment.
What am I questioning?
9) My concern relates to schools being blanket classified as a Public Authority under the bill (caused by the Freedom of Information Bill reference and definition in the draft/ GDPR).
10) This mandates them (under the Public Authority test) to have a Data Protection Officer (DPO) as a discrete role with a strict regulated set of responsibilities (as documented in the GDPR) and all that goes with that.
11) As defined in GDPR, these responsibilities, competency level and clearly targeted remit are very wide-sweeping and clearly, in my view, aimed at the intended large data handlers where large risks to a person’s data are present (these would normally be large/ high risk data integrated organisations and the GDPR was clearly written with those in mind in implementing DPOs).
12) The GDPR defines the need to appoint a DPO in terms related to risk, complexity and scale of data and processing. Under GDPR any other business but a Public Authority is obliged to simply appraise these aspects and decide if they need to appoint one.
13) In the draft bill private schools which are not public authorities (they would have been covered under the normal business definitions in the regulations) are not mandated to appoint a DPO unless the defined need is present based on risk (although I suspect the bill will likely be amended to include them). However, this might suggest that the GDPR rule was misinterpreted. It certainly creates a strange imbalance.
14) Schools range in size from a few pupils in a small village school to large secondary schools with thousands of pupils. The bill places an unrealistic pressure both organisationally and financially. This impacts disproportionately on small schools without the risks that justify it in terms of complexity of data processing or type of processing. It does this by calling them all Public Authorities.
15) Schools are therefore at a disadvantage to any other small or medium sized business only because of the Public Authority test. If this were not present then they would still be required under the GDPR articles more generally to comply, but would appraise the situation and appoint a Data Protection Officer (DPO) where appropriate.
The arguments for changing the bill
16) The Public Authority classification of schools for the purposes of the bill creates red tape for schools and additional cost/ complexity of process.
17) There has been much political talk from the Ministers of how the changes will be managed as drafted. Let us question if the draft bill is right in the first place by considering the alternatives.
18) The suggested solution from Ministers of sharing a DPO, or banding together as groups of schools to share a Data Protection Officer, will consume large amounts of staff time away from running the school or teaching to set up and manage this. How will this work in practice, and what is the correct operational model for this?
19) There is great concern as to the cost of having to completely subcontract the DPO role and the impact of splitting the duties internal and external, which may create opportunities for greater risk of data breach by issues falling between the internal and external role, as has often been seen in other areas.
20) Sharing the DPO role: a possible cost to our children. For example, if 24,372 schools (data 2012) appoint a Data Protection Officer part time or contracted at an average cost to each of say £10,000 (part time head count, or 3 schools share one at salary £30K/yr) per year, it will remove approximately £244 Million from the education budget per year that could be spent directly educating our children. That’s almost a quarter of a billion pounds per year in an environment where school budgets are already stretched to breaking point. Is this the real intent of the Data Protection Bill being placed before parliament? This is likely a low estimate.
21) After all, legislation should help move us forward rather than introduce red tape that creates no significant benefit and in fact causes a detrimental impact on already tight school budgets (especially smaller schools, and small village schools in particular).
22) Outside of the Public Authority definition (only in terms of this bill) schools would still need to fully comply with the GDPR as any other business or small business but would be more able to proportionately do this to fit within their needs to protect data while balancing their budgets without fear of breaking overly burdening regulations.
23) The cost of doing the DPO role in house impacts stretched school budgets. To quote a local head teacher:
"I have been advised that for a Governor or staff member (that is if they are permitted to carry out the role) to be trained in the role as a Data Protection Officer it is approx £3000. This training is again, something Data Protection Companies offer. This additional cost is something school budgets could not withstand. How often is training refreshed by the DPO? It is important to keep up to date. Imagine if a staff member or Governor is trained but leaves/moves on, then ultimately the school would not have a DPO and the training process starts again. The costs for schools would be frightening".
24) There appears to be little guidance for school head teachers as to this new requirement for a Data Protection Officer and how it is best implemented to protect the public purse and ensure that monies are not redirected from the education of our children to functions that add little real value above the work currently being done by the schools under the wider current constructs of the DPA 1998 (soon GDPR).
25) Schools are unclear how to interpret the GDPR clauses relating to the DPO role as the wording is very generic. Should 24,372 schools need to pay to take legal advice on this, and at what cost to the public purse?
26) I believe the fear regime used by many consultants trying to gain business in this respect is reprehensible and will be an ongoing erosive approach forcing schools to adopt more onerous process than necessary and the cost of external advice to go with this detracting from monies desperately needed to educate our children.
27) Looking at the way the regulations are written it is hard to see how a small school, or even a tiny village school, was intended to fall within the formal need to have a Data Protection Officer (DPO). Small businesses, even some handling sensitive data, would have no need to appoint a formal DPO as they are not classified as Public Authorities and would not exceed the risk and volume of processing levels in the regulations that would require them to appoint one. Why would we force this for a small school by making them a Public Authority under the act?
28) Schools have, by their nature, a more tightly defined risk exposure based on the restricted data holding activity base of a school. They process a lower volume of data when they only have relatively small numbers of pupils. This is lower overall risk than many businesses that would have no need for a DPO, yet the school is forced to have one.
29) Removing the public authority blanket frees each school to make proportionate provision and, in some cases, this will mean appointing a Data Protection Officer but under the same terms as other organisations using the needs-based risk/scale criteria set out in the regulations. This is fair and balanced.
30) Without a compulsory need for a DPO, schools would still need to have someone manage data protection matters, but not under the same tight and formal definition in terms of the credentials and training requirements of a formal DPO. These definitions in the regulations are generic at best and not always appropriate for a small school; indeed they are more appropriate to large enterprise scale organisations. Schools would be free to sensibly determine the role and scope of these staff members managing data protection, as has been the case to date, but under the general provisions of the new regulations.
31) The Information Commissioner's Office has inspected many schools over recent years and issued no warnings in public related to data protection risks, suggesting schools already do a good and appropriate job in this arena. So why add such a great burden on them compared to any other business handling data relating to children? I have far more concern about the likes of the Scout Association, for example, in terms of their data protection ownership and accountability in a distributed operating model of many local groups. There is clear evidence of issues here as opposed to schools, but they have no need for a DPO!
32) The DoE had also promised a range of videos providing schools with advice but nothing more has been forthcoming since one in January. This is not helpful given the short time scales to the May deadline. The statements from the Minister in letters (attached) [3] about flexibility appear to be contrary to the strict descriptions in the General Data Protection Regulations relating to the role of a Data Protection Officer. It is unclear how, without further direction in the UK Data Protection Bill, this could be legally delivered while a school remains a Public Authority for the purpose of the GDPR.
33) It is a surprise to me, when government is trying to encourage more control within schools, untangle complex local hierarchies and promote school trusts, that we treat them for the purposes of this act as Public Authorities. I think this may drive costs up and reduce the trend to locally managed schools appropriately controlling their own budgets as a business would. We are not treating them as a business by classifying them as an authority.
The big questions
34) The risk in relation to data held by a school because of the small constrained use it gets is in comparative terms low. Has the bill failed to identify this and thereby inadvertently created a costly mistake by classifying a school as a "public authority"?
35) Does the inevitable expense of a Data Protection Officer provide any real improvement beyond what schools are doing now (assuming we accept the general provisions of GDPR as apply to all businesses) and if not why force one to be appointed?
I believe that the way the current draft is written (in combination with the GDPR wording) does a disservice to our schools and would urge further careful consideration of these matters.
The draft bill anticipated the need to resolve issues that arise from change. I assume this was to ensure a proportionate application that did not unduly impact some organisations with little real return in terms of improved protection of data:
The Secretary of State may by regulations provide that a person specified in the regulations that is a public authority described in subsection (1)(a) or (b) is not a "public authority" or "public body" for the purposes of the GDPR.
I would politely suggest strongly considering the application of this clause in respect of schools.
I hope that you can find it possible to provide some further support to be sure we have sufficient scrutiny of this bill so that we can be confident that we are doing the right thing by our schools and therefore our children.
Yours sincerely
March 2018
[1] Not published.
[2] Not published.
[3] Not published.