Yesterday, the government confirmed that its Data Protection Bill will bring the GDPR into UK law. Unlike the Data Protection Act, there is very little that member states can adapt within the GDPR to meet their own circumstances. This is because it is a law and not an act. One point that can be adapted is the age at which individuals (data subjects) can consent to their personal data being processed. Member states can choose any age between 13 and 16, and the UK has chosen 13.
What does this mean for young people?
A central point of the GDPR is to place the data subject at the heart of and in control of their personal data. Bringing the age of consent to 13 helps young people to understand and recognise the value of their personal data, the ways they share it as part of their online lives and the risks this poses to them. Indeed, we will all be much more conscious of the personal data trail we leave. Recognising this at a young age can only help pupils to be more in control of their personal data.
What does this mean for schools?
Under the GDPR, the first data principle states that personal data must be processed fairly and lawfully. This means that you must have a lawful purpose for processing the data, i.e. don't just collect it because you want to. There are six bases and consent is only one of these, meaning that you don't need to ask permission for every piece of data you process. Indeed, there are very few circumstances where consent will be the lawful basis for the data you collect. One case would be photographs that aren't required for teaching purposes, such as for a school brochure or website.
Here are the six lawful bases.
- Consent
The data subject has given their explicit consent for you to process their data. For children under the age of 13, this consent must be given by their parents. Consent may also be withdrawn.
- Contract
Such as employment contracts for staff.
- Legal obligation
Such as collecting attendance data for statutory returns.
- Protecting vital interests
Such as disclosing medical information to health professionals or information for references.
- Public interest
This applies to data collected for statutory purposes.
- Legitimate interest
Such as for marketing purposes; this is not relevant for most schools. If you do use email marketing, consent is the most appropriate basis for processing this data.
Teaching data protection
The Information Commissioner's Office includes resources for schools including lesson plans.
Auditing your data
Our previous blog outlines how to audit the personal data you process.