Data Protection and the end of the Brexit transition period - Key steps to consider now for independent schools
With the end of the Brexit transition period approaching and the increasing likelihood of there being ‘no-deal’, among the many issues UK independent schools now have to consider is how the highly regulated area of personal data will be impacted by the UK’s exit from the European Union. In this article we explain the position and set out the steps that UK-based independent schools should look to take over the coming weeks.
The first point to note is that the UK will be adopting the EU’s General Data Protection Regulation (the EU GDPR) into its domestic law from 1 January 2021, and in any event the EU GDPR’s principles are already enshrined in UK domestic law via the UK Data Protection Act 2018 (the UK DPA). In that sense the day-to-day compliance standards – and obligations on schools – will not change materially.
The main issue concerns what are called restricted data transfers under the EU GDPR. There will be no immediate change with international transfers not involving the EEA (e.g. between the UK and the US): recent CJEU court cases that have shaken up the position with transfers to the United States will still impact how the EU GDPR is interpreted under UK law, for the time being at least. However, existing restrictions will extend after 1 January 2021 to transfers of personal data made from the EEA to the UK. A transfer includes permitting access to data to persons outside the EEA.
Headline points to understand about data transfers
Please note that it is not transfers out of the UK that will be restricted, because the UK DPA permits transfers to the EEA: but a situation could arise after 1 January 2021 whereby a school has lawfully transferred personal data to another organisation or supplier in the EEA – even a data processor (such as a cloud provider) – but is then not lawfully able to access its own data, because that would involve a transfer out of the EEA and back to the UK. We consider this (somewhat Kafka-esque) scenario below.
It is also worth noting the guidance issued by the UK Information Commissioner’s Office (ICO) that transfer restrictions only apply if you are sending personal data outside your organisation: including to a processor, such as an IT supplier, or another legal entity within a group of companies – but not to other employees or board members of the same entity. This means that from a UK law perspective, the sharing of personal data between any governors or direct employees of the school, wherever in the world such individuals are at the time, should be unaffected by post-Brexit rules. That said:
- if your email servers are hosted by a third party in the EEA, or if your school has outsourced any HR functions to a third party in the EEA, this still involves a transfer between two third parties (i.e. you and your supplier) and may therefore require action;
- if your school has an international structure of different entities in both the UK and EU, then in-group transfers between such entities are regulated, per ICO Guidance and EU law; and
- this is only the UK ICO’s interpretation of the EU GDPR rule on transfers within an organisation: other regulators in the EU may take a less (or sometimes more) accommodating approach. Remember that, because the compliance difficulty occurs in the other direction (i.e. EEA to UK), it is the interpretation by EU Member States – and their courts, markets and regulators – that may cause schools difficulties with overseas activity in certain limited situations.
There is no easy way to explain this jargon-heavy area of law without getting into the detail and with specific examples. However, it is hoped that the explanation below will assuage any less founded concerns about what the effect of Brexit will be in data protection terms, whilst emphasising the areas that certainly will be affected. The key message is that if you have not already begun to think about this, then you should do so as soon as possible in order to minimise the potential disruption to your school.
Example 1: UK-based independent school with activities exclusively in the UK
Let’s start with an independent school which is established in the UK, and assume its sites, staff and above all its customers (i.e. parents and pupils) are based in the UK (but see Example 2 concerning the initial collection of data from international pupils of EU origin and their parents[1]).
It is also assumed for these purposes that such a School does not routinely either collect data from the EEA, or transfer any personal data outside the UK, except potentially as part of e.g. its cloud storage facilities (on which see further below). To understand what we mean by routine collection and transfer (and applications by pupils from the EU are dealt with in Example 2):
- One-off or temporary transfers are rarely a concern: for example, if certain key stakeholders (and in any event, staff or governors as above) spend some of their time in the EEA for business or leisure, and while abroad they need to exchange limited personal data with the School back in the UK, such exchanges of data – subject to the usual data security and need-to-know access considerations – are unlikely to be problematic in either direction.
- For school trips to the EEA: some schools may have specific campuses or other permanent establishments abroad, and these will require formal arrangements in place that are dealt with in Example 3 below. Otherwise, ordinary reporting back by staff of employee or pupil data to the school (or parents) back in the UK over the course of a trip in the EEA, even if it did constitute a restricted transfer, is likely to fall within a derogation or exemption. For example, to the extent relevant here, there is a contractual derogation that is usually held to apply to sharing data necessary to make hotel and travel bookings conducted on behalf of the data subject.
- On the other hand, were remote provision of services to pupils based in the EU to become the norm, after 1 January 2021 this would likely involve routine transfer of data (see again below).
Subject to these considerations, then, this scenario is largely straightforward: because the UK will be adopting the EU GDPR into its domestic law from 1 January 2021, a school with its activities and focus within the UK as above will not need to make any substantial changes to its existing compliance standards. Any general changes that you will need to make will be minimal. For example, your privacy terms issued to parents and employees would ideally take out any references to the EU GDPR and simply refer to the applicable UK legislation, primarily the UK Data Protection Act 2018 (the UK DPA, which refers to and in effect incorporates the EU GDPR). The ISBA will be issuing updated template privacy notices for schools shortly.
The main area where such schools will need to review their position will be in terms of certain supplier contracts where any personal data of the school’s is stored on servers outside the UK but in the EU: notably cloud-based services; remote provision of education or virtual meetings; safeguarding and monitoring software; survey or marketing tools; or “wealth screening”. We deal with this further in the final section.
Note that the Privacy and Electronic Communications Regulations (PECR), which govern email and SMS marketing and fundraising (as well as the use of cookies and similar technology), will also continue to apply in the UK – and still do so by reference to the higher EU GDPR bar of “consent” that has been in place since 2018, and which caused so much concern for development and fundraising teams.
The UK status of the much-delayed draft EU e-Privacy Regulation, that was expected to replace PECR, is a question for the future. When it finally arrives after Brexit, being EU regulation it will not be directly applicable to the UK; but if the UK wants the EU adequacy decision which would render many of the questions in this piece academic (see further below), it may need to adopt the Regulation anyway.
Example 2: UK-based independent school accepting international pupils from the EU
Brexit of course will bring significant changes to immigration, Tier 4 status and international students from the EU, especially for new applicants. However this piece is limited to consideration of data issues.
The EU GDPR applies not only to those in EU Member States, but also to non-member countries to the extent they offer services to individuals in the EU.[2] That will include schools who market their services to pupils (and those who pay their school fees) in the EU. However, this will not impose material changes to your data governance and practices from 1 January 2021: neither will accepting new international pupils who are EU citizens, or indeed continuing to provide services to existing pupils and parents from the EU. Instead, the consistency of the EU GDPR and UK DPA will ensure that the rights of these individuals and their parents will be much the same as those in the UK.
One might consider whether a school offering such services to EU residents should, strictly, appoint an Article 27 GDPR Representative in an EU Member State (see below), but this feels disproportionate. There would be no great benefit to a parent or pupil who was an EU citizen seeking to bring a grievance about use of their data by the school to a local regulator in the EU, when the ICO is available as the primary relevant supervisory authority for the school (with standing to investigate complaints, breaches, etc.) and would be effectively enforcing the same law.
There is the issue of the school initially collecting personal data from pupils and parents based in the EU. From 1 January 2021 this will technically constitute a transfer of that personal data from the EU Member State (which is subject to the EU GDPR) to the UK (a “third country” likely to be without an adequacy decision). This means a suitable legal gateway is strictly required.
However, whilst the usual EU GDPR / UK DPA obligations apply to the school in terms of such processing – including transparency about where the data will be processed and why – the key legal obligations as regards the transfer of such data into the UK will not fall on the school. Even were that an issue, it is for the transferring party to establish the legal gateway. Moreover, exemptions or derogations from the EU GDPR may apply for families in the EU seeking to apply or register for a child’s admission to a UK school directly. For example:
- There is a derogation from the usual rule about not transferring data out of the EU where it is “necessary for the conclusion or performance of a contract between the data controller and another natural or legal person, in the interest of the data subject” (Article 49(1) (c) GDPR). This processing must be occasional, and necessary for the conclusion or performance of the contract (be it the parent contract, or contractual entry process); but it would seem clearly to apply to an initial enquiry or application to a school in the UK made by or on behalf of a pupil.
- In any event, a parent choosing to send their child’s data to the UK for the purposes of applying to a UK school is likely to fall within the EU GDPR’s definition of processing that is purely in the context of a personal or household activity, and hence not regulated by the EU GDPR (or indeed the UK DPA). To be clear, that goes only in terms of the family’s activities in what they choose to do with their data: the school will continue to be regulated under the UK DPA as a controller of the data it receives, with the usual obligations (transparency, having a lawful purpose, complying with data subject rights etc.) as to its collection and onward processing.
The point is that the school, in gathering the data, need not be much concerned with whether it was lawful for the parent and pupil data to have left the EU in the first place: simply that it is processed lawfully (i.e. in accordance with the UK DPA) once in its control. We do not consider that the school will need to impose, for example, additional EU model clauses around data transfers into the relevant parent contract for pupils from the EU in order to govern the ongoing exchange of personal data. However, it may be sensible to have notice wording in contractual forms applicable to EU-based parents reminding them of the obvious fact that their, and their child’s, data will be processed in the UK. Again, the ISBA will be issuing revised versions of these forms shortly.
It is worth noting that, where a school uses a third party consultant or provider in the EU to help source and recruit suitable pupils within the EU – or has a relationship or partnership with an EU-based school to facilitate EU pupil exchanges – then that EU-based provider or entity will need to consider its own legal gateway for providing pupil and parent data to the UK. Whatever the formal contractual basis of any such relationship prior to now, from 1 January 2021 the provider (as Data Exporter) may ask the UK school (as Data Importer) to sign Standard Contractual Clauses (see below)[3].
Example 3: UK-based independent school with international branches established in the EEA
An increasing number of UK independent schools now have at least some connections with the rest of Europe that go beyond accepting international pupils and organising school trips. Even though private exchange schemes with EU schools are increasingly rare, schools are expanding their international reach by opening new or sister schools or campuses overseas – typically perhaps outside the EEA, but not always. In such cases, the position could be more complex when it comes to handling and transferring the personal data of staff, parents and pupils.
This will not be a “one size fits all” question. Some established international schools groups will be closely linked, structurally and culturally, and may share databases and staff resources; others will operate under service agreements that may include some exchange of staff and pupil data between entities; in other cases, the entities or campuses may not be legally connected by much more than the name. Some schools may have strategic partnerships with legally distinct EU schools and campuses. Whatever the corporate structure, the action that needs to be taken ahead of 1 January 2021 will depend on what if any personal data will be shared between entities across EEA borders to the UK – whether of staff, parents, pupils, or other contacts such as alumni, supporters, and consultants / contractors.
a) Staff, parents and pupils
Where a UK school has a European campus or partner institution, staff, parents and pupils based in the EU will continue to benefit from the protection of the EU GDPR and the UK school must comply with the EU GDPR when dealing with them. Likewise, the EU GDPR will apply to UK based staff, parents and pupils whose data is being processed by the European campus or partner institution; whereas (self-evidently) the UK DPA will apply to UK based staff, parents and pupils dealing with the UK school.
As things stand, there is no practical distinction between the UK DPA and EU GDPR in terms of what schools need to tell their staff, parents and pupils, so (at present at least) there is no need for any changes to your relationships with such individuals – except to update your privacy policies to make it clear which legislative and regulatory regime will apply to them, based on where they are located and which entity within the school’s group (if applicable) will deal with them as the relevant data controller.
Remember that any centralised HR functions, or shared parent / pupil / alumni records and databases (whether for administrative or marketing purposes), that permit access to EEA-based data from the UK are likely to require Standard Contractual Clauses (see below).
b) Relationships with Regulators and appointment of an EU Representative
For an international group of schools with a UK head office, the UK ICO may be its lead supervisory authority currently for data protection across all of its activities, schools and campuses in Europe. This means that if any complaints are made or problems arise anywhere, they will be handled by the ICO.
After 31 December 2020, the ICO will continue to be the regulator of UK based independent schools; however, parents, pupils and employees based in the rest of Europe will be able to turn to their local data protection regulators to handle any complaints or issues that arise there. As mentioned above, this is unlikely to be of interest to EU-based parents whose children attend schools in the UK – for them, the ICO is the more obvious and helpful authority to refer to – but for international schools groups with campuses across the EU, Brexit could significantly complicate their relationships with regulators.
If you are dealing from the UK with staff, parents or pupils located elsewhere in the EU, strictly you will need to appoint an EU based representative (in one of the countries where your data subjects are located) to be a point of contact for those individuals and for EU based regulators, and explain who they are and how to contact them in the privacy notices issued to your staff, parents and pupils.
It is fair to say that in the first two and a half years of the EU GDPR, the obligation for GDPR-regulated organisations based outside the EU to appoint an EU Representative has been honoured far more in the breach than in the observance. For UK schools who merely sell their services to residents in the EU, i.e. via the international pupils market, such an appointment is probably disproportionate at this time – even if it is strictly required (and an area recently singled out for attention by the EU Commission).
However, with concerns generally about regulatory clampdowns as against the UK post-Brexit, larger international schools groups with offices across the EU and UK will want to give due attention to getting their EU regulatory position onto a formal footing once the UK ICO is out of the fold from 2021.
Lawful means of sharing and transferring Personal Data between the EU and UK
As if it needs repeating, the UK becomes a “third country” in EU GDPR terms from 1 January 2021. How, then, can sharing of personal data under “restricted transfers” to the UK be done lawfully?
Again, Brexit will not affect your ability to transfer data into the EU or EEA (because the UK Government recognises such countries as providing adequate protection). However, any group entities, contractors, or partner organisations based in the EU will need to put in place an EU approved “gateway” allowing transfers from the EU to the UK, starting from 1 January 2021 – unless further transitional provisions are agreed (currently not looking likely).
If they do not, then an EU based regulator might block those transfers and apply other sanctions such as fines. Whilst such measures would be currently unprecedented in terms of UK ICO enforcement, again this might be an early post-Brexit regulatory focus for some EU regulators, potentially affecting your suppliers (or any linked organisations) in the EEA.
a) Adequacy in the UK?
At the moment, the UK is seeking what is known as an “Adequacy Decision” from the EU Commission which will act as an automatic gateway for any transfers from the EU to the UK. It might be thought that the UK will readily fulfil the necessary criteria of having “essentially equivalent” data protection laws to the EU in light of its past membership of the EU and the wholesale adoption of EU GDPR into domestic law from 1 January 2021. However, this is not proving straightforward partly because it is tied up with the overall negotiations of the EU/UK trade deal and because of recent decisions of the Court of Justice of the EU (CJEU) about cross-border data transfers.
The bottom line is that it is no longer safe to assume that an Adequacy Decision will be granted to the UK by 31 December 2020 or indeed at all. Without it, transfers of personal data from the EU to the UK will be at risk immediately as from 1 January 2021. We therefore recommend that any schools who believe, on the basis of the above, that they may be affected should adopt another gateway mechanism – and get it ready to apply from the beginning of next year.
b) Standard contractual clauses (SCCs)
Sometimes called EU Model Clauses, SCCs are the likeliest alternative gateway. These are template clauses drafted by the EU Commission that are entered into between the transferring party (the Exporter) and the receiving party (the Importer) designed to ensure EU data protection standards are maintained to broadly equivalent levels once the data is transferred. They can be used both in-group, as part of formalised data sharing arrangements, or in contractual terms with third party suppliers.
However, the position regarding the use of the SCCs has been made slightly more complex recently by the decision of the CJEU in Schrems II, which may cast doubt on the UK’s suitability for receiving EU data after Brexit even with SCCs in place[4]. The additional levels of due diligence and recorded risk and suitability assessments required are strictly not the UK entity’s problem – rather it is an issue for the Data Exporter seeking to transfer the data – but it will require the school’s input and assistance, and so may be a point of negotiation or compliance checks when contracting with third party suppliers.
The EU Commission has indicated that it intends to bring out new versions of the SCCs in due course: however, the timing for this is not clear and may well have been put back by the complexities introduced by the Schrems II ruling. Accordingly, we do not think it would be prudent to wait for new versions of the SCCs to be made available before putting in place a compliant gateway, where needed.
c) Binding Corporate Rules (BCRs)
BCRs are an expensive option, requiring approval by an EU regulator, and would only be worth considering if your school is part of a complex structure of corporately linked international schools across the UK, EEA and beyond. Even so, a private data sharing agreement may still be more practical.
d) Limited derogations
There are other, limited, derogations from the general rule under Article 49 of the GDPR, the most flexible of which is the “one-off” derogation. Broadly, this derogation applies where you are making a “one-off restricted transfer” and it is in your “compelling legitimate interests” to do so, subject to various other conditions – including, unhelpfully, notifying the regulator (although the ICO has not shown a great deal of interest to date in enforcing this). However, the derogation likely to be of most use for schools with international pupils from the EU is the contractual derogation, considered above.
Negotiations with your contractors
It is reasonably likely that some of your school’s contractors – including data processors – will currently be holding data on your behalf in the EU. As above, this may include all sorts of key services, particularly around IT: mail servers, virtual meetings facilities, safeguarding software, survey tools, and educational tools or plug-ins, as well as the world of prospect research and fundraising consultancy.
Historically, your school may have opted for contractors / data processors with servers in the EU (including e.g. Ireland) as a point of preference to those based in the US, to avoid issues of compliance with the EU GDPR. However, from 1 January 2021 this will now become an issue for UK schools who store data in the EU – again, not because it is unlawful to export to the EU, but because it may be unlawful for the processor to permit access or retrieval back into the UK.
This may of course place the contractor / processor in breach of their contract with you, and so they may be getting in touch with you anyway over the coming weeks if they have not already: for example, to notify the school of their intended use of SCCs (if they are permitted to vary such terms unilaterally), or to seek permission to do so. It may be that the contractor / processor has a clause meaning they will not be in breach of contract by refusing an instruction from the school that would place them at risk of breaching the law. Whilst the SCCs themselves cannot be materially amended, or therefore negotiated, it is permitted to limit liability under them. Therefore, as well as ensuring it is clear what data processing activities the clauses refer to, and obtaining suitable guarantees as to data security, schools should always consider whether the liability caps under the contract are adequate to cover their needs.
Ideally, whoever opens the dialogue – and whoever stands to suffer the greater loss or inconvenience – these conversations ought to have been had before the compliance and practical consequences materialise on 1 January 2021.
Record keeping
Apart from any necessary alterations to Privacy Notices, schools should update their records of processing to set out the new arrangements put in place to deal with the impact of the end of the Brexit transition period. A Data Protection Impact Assessment (DPIA) or other means to record the basis of your risk and compliance assessment made in respect of international transfers is advisable.
Further sources of information
We are aware this area is complex, and of marginal significance to many schools, while the measures may sometimes seem confusing and disproportionate. This guidance is detailed in order to cover the various unexpected ways that Brexit might affect data protection compliance, but it bears emphasis to state again that the UK DPA regime will to all intents and purposes mirror the EU GDPR regime.
Schools might consider the ICO’s Guidance here, albeit it is aimed mainly at business, and keep it under review to see if it is updated: particularly as the EU/UK trade negotiations continue as 2020 draws to a close and more regulatory guidance emerges on the impact of the Schrems II decision.
Of course, in particular at a time of economic and Covid uncertainty, schools should consider where the real risks to their reputation, business and/or charitable funds lie and prioritise their resourcing accordingly. At the same time, they cannot afford to let the implications of Brexit creep up on them without adequate risk assessment and preparation – including timely steps where necessary.
[1] This note is concerned with data issues only, not right to work or study issues for staff and pupils of EU origin.
[2] Article 3(2)(a) GDPR. Note that GDPR is more concerned with the location of data subjects in this context, i.e. data subjects residing in the EU, rather than their EU citizenship or nationality.
[3] That is, unless they consider that the Article 49(1)(c) GDPR derogation around contracts (cited above) applies.
[4] For similar reasons of governmental surveillance and data sharing concerns to those which were raised about the US.
Please note this content was originally published in the Brexit 2020 edition of the Independent Schools’ Bursars Association (ISBA) termly magazine, “The Bursar’s Review”, issued December 2020, and is reproduced with the kind permission of ISBA.
If you require further information about anything covered in this briefing, please contact Owen O'Rorke, or your usual contact at the firm on +44 (0)20 3375 7000.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, July 2021