Please note this content was originally published in the Spring 2022 edition of the Independent Schools’ Bursars Association (ISBA) termly magazine, “The Bursar’s Review”, and is reproduced with the kind permission of ISBA.
The start of the autumn term no doubt feels a long time ago for schools, but it brought with it a notable announcement from the Government about its proposals to reform data protection law. The consultation paper - Data: A new direction - builds on the National Data Strategy which the Department for Digital, Culture, Media and Sport published last year. In his Ministerial foreword, the then Secretary of State Oliver Dowden emphasised the importance of data in the modern world, while at the same time criticising aspects of the current data protection regime as “unnecessarily complex or vague”. Consistent with this sentiment, the consultation paper outlined various proposed reforms to UK data protection laws, which would distinguish this country’s regime from the EU GDPR, following Brexit.
In headline terms, many of the proposals are intended to reduce the compliance burden on data controller organisations, a category that includes independent schools. These include the stripping back or removal of certain GDPR “accountability” requirements, including the circumstances in which organisations must appoint data protection officers, carry out data protection impact assessments, and maintain records of processing. The paper proposes instead the use of “privacy management programmes” to manage data protection risks in a more risk-based (and less “one-size-fits-all”) manner. It also outlines ideas for making the “legitimate interests” basis for data processing simpler to navigate in some areas. Perhaps of most practical interest for the independent schools sector are likely to be the following proposals to lighten the compliance load.
1. Stemming the flow of subject access requests
Acknowledging the potential for subject access requests (SARs) to be time-consuming and resource intensive for organisations, the paper proposes a number of pro-data controller changes. These include the re-introduction of a fee regime for requests, potentially with an upper limit on the cost an organisation has to incur in responding to a SAR. In addition, the Government wants to amend the threshold at which data controllers may refuse to respond to SARs that are vexatious and / or where access to personal data, or concerns about its processing, is not the real purpose of the request (for example, and as often seen in contentious situations, a fishing exercise in anticipation of litigation).
2. Raising the bar for reporting data breaches
The paper acknowledges that the low legal threshold under the GDPR for reporting personal data breaches to the Information Commissioner’s Office (ICO) (whereby a breach must be reported unless it is unlikely to result in a risk to individuals’ rights and freedoms) has led to a pattern of over-reporting by organisations. This, the paper says, is “costly in terms of time, effort and money for organisations as well as causing a significant workload for the ICO.” The Government is therefore consulting on whether to change the threshold so that only material risks need to be notified to the regulator. This would require the ICO to produce guidance and examples of what constitutes a “non-material” risk, and of what is and is not reportable, to assist organisations.
3. Extending the “soft opt-in” for marketing emails
The so-called “soft opt-in” (found in the Privacy and Electronic Communications Regulations, or PECR) is a kind of “opt-out” based alternative to consent, currently only available to commercial businesses, which enables them to send emails and other electronic “direct marketing” messages to individuals who have previously been in touch during a sale or negotiations for a sale. There is currently no equivalent provision for charities and other not-for-profit organisations that engage in direct marketing, and the paper proposes to change the rules accordingly.
This would be significant for charitable schools, which are currently required to obtain clear opt-in consent from anyone they wish to contact by electronic means for promotional purposes. Importantly, in its response to the Government’s paper, the ICO is not averse to this expansion of the “soft opt-in” to charities, and even asks whether it ought to cover fundraising communications specifically – given that this was an area of intense ICO enforcement activity from 2015 to 2017.
At this stage, the Government’s paper is subject to consultation so it remains to be seen exactly what actual changes to the law are enacted and under what timetable, particularly given the ongoing prioritisation of the Covid response.
In its own response to the paper, the ICO has welcomed the opportunity to review the UK’s data protection legal framework given that the current GDPR framework has now been in place for nearly four years. But it also pushes back on some of the Government’s proposals (particularly those that limit individuals’ rights) so there is clearly further debate ahead.
It is also important to note that the Government is not proposing root and branch rewriting of the law. The proposed reforms are explicitly stated to build on the key elements of the UK GDPR. So the picture is likely to be one of evolution not revolution – not least because any dramatic legislative changes by the Government would be likely to jeopardise the status quo with the European Union, whereby data can flow freely to the UK from the EU based on an “adequacy decision” from the European Commission.
So, overall, while the day-to-day legal obligations on data controllers remain the same, at least for the time being, it will be helpful for schools to have a sense of the possible direction of travel that the Government has indicated in this area.
If you require further information about anything covered in this insight, please contact Sam Talbot Rice or your usual contact at the firm on +44 (0)20 3375 7000.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, March 2022