One of the areas of the General Data Protection Regulation (GDPR) which most exercised medium-sized organisations during consultation, and notably the schools sector, was the question of whether they would be caught by the new requirement for a mandatory Data Protection Officer (DPO).
As a point of best practice – or frequently an organisational necessity – many schools already have a DPO (sometimes erroneously called a “data controller”), who more often than not is the bursar. However, although this role can already add considerably to the administrative burden of the individual (overseeing policy and training, dealing with subject access requests and breaches as they occur, etc.), the more formalised notion of the DPO set out in the GDPR pushes the role to a higher operational level – and brings with it HR headaches.
For clarity: while we are still awaiting secondary supporting legislation and statutory guidance on various issues (which is no doubt well down the list of priorities in the build-up to Brexit), the GDPR will almost certainly come into effect here on 25 May 2018 regardless of the referendum result. It is then likely to remain on the statute books even after the formalities of leaving the European Union, or be replaced in time by something of a similar standard.
First, then, what are the expectations of the new DPO role?
• The DPO must be “properly involved”, and indeed promptly involved, in all issues at the school related to the protection of personal data – from policy to dealing with requests from individuals.
• There is a requirement for “expert knowledge of data protection law”. This, notably, is not a requirement of IT expertise (although that might help!) but refers to a legal and practical understanding of how the law protects the privacy rights of individuals. As a compliance requirement, a DPO must be appointed “on the basis of professional qualities” and not simply appointed within the organisation based on who is willing to take on the role.
• The DPO can however be an existing member of staff, or appointed to take on more than one role (legal, admin, governance, IT etc.) – data protection must be a particular area of expertise, but provided the DPO’s ability to function as such is not compromised (or indeed conflicted) it does not have to be his/her sole responsibility. Alternatively, a DPO can be contracted in – “outsourced”, in effect.
• The DPO must have clout in their organisation. They need to report to the highest level of management – the head, bursar and governors – and organisations are legally obliged to give them support, training and resources.
• When appointed, the DPO’s details must be published and notified to the Information Commissioner (ICO).
• The final, most controversial, facet is that a DPO must have a degree of independence from his/her employer. Ultimately the DPO’s duties are as much to the ICO and to the public (the school’s “data subjects”) as they are to the school. While we cannot say if DPOs will have the same robust, whistleblower-style job protections they already enjoy in Germany, it is clear that DPOs “shall not be dismissed or penalised… for performing his [or her] tasks” and should not “receive any instructions” in how to carry them out. In practice that definition of “instructions” may need to be explored, but it does raise worrying questions about how DPOs must be left to respond to requests for information (subject access) and what would be the practical consequences for a data controller (school) if it chose to ignore the DPO’s advice.
Secondly, will your school legally require one? The better news, perhaps, is that this is by no means certain.
• Public authorities do require a DPO, although it seems likely that (in the case of the ‘traditional’ state sector) one or more DPOs may work on behalf of a local authority rather than be appointed for every school, depending on the size of the task they face. The position for free schools and academies may require guidance: they are treated as state schools currently for certain requirements of information law (e.g. the parent’s right to see the pupil file), but assigning a DPO role to the local authority may be inappropriate or impractical.
• For independent schools, it is a relief that the draft GDPR requirement for a DPO for organisations of more than 250 people has not made it into the final regulation. Instead, the test is one of purpose and circumstance; either
(i) do your “core activities” consist of either large-scale, systematic or regular monitoring of individuals? (You could very much argue this for a school, but equally you can debate whether the language is intended to cover an organisation whose “core activity” is education, and on a relatively small or medium scale); or
(ii) do your “core activities” relate to large-scale processing of sensitive personal data? (e.g. health, sexual life, ethnicity, religion). Schools do typically handle a good deal of sensitive personal information of pupils and staff, but again it is hardly their core activity.
• This is an area where we will hope for some useful guidance: and if it is found to be true for one school, the principle is likely to apply widely across the sector.
• For groups, multi-academy trusts and foundation structures, a single DPO may be able to cover the activities of the whole group of schools and any related foundations, charities, enterprises etc.
Thirdly: if the school wishes to have a designated DPO, or maintain a DPO-style role, as a matter of discretion even if it is not clear whether the school strictly requires one by law – is the school still going to be held to the higher standard of the GDPR?
To set the scene: there is scope for what you might call discretionary DPOs, and within this sector it is likely that schools are going to continue to want to appoint someone to take on data protection responsibilities. Indeed, for best practice purposes we would certainly recommend it. However, given the stiff standards of professional qualification and independence set out above for DPOs, a school may be forgiven for asking: would we want to risk exposing ourselves to that level of potential grief and admin, if it is not a strict legal requirement? Or can we simply call him/her something else (e.g. “Data Admin” or “Compliance Officer”) and not notify the appointment to the ICO?
Until we receive ICO Guidance, this must be a matter of speculation. But we can say the following based on existing legal and regulatory principles:
(i) the DPO is intended to safeguard and monitor those organisations involved in a higher threshold of core, large-scale “data processing” activity. If your school does not, as a matter of law, meet the statutory definition of requiring a DPO, it would be illogical and inequitable to hold the school to that strict legal standard;
(ii) however, if the school wishes to enjoy the regulatory protections accorded by a DPO (e.g. in case of investigation or enforcement) and promote an outward-facing “best practice” standard of data privacy compliance, it cannot expect to be able to point to its appointment of a DPO as an example of good governance if in practice that person does not have the support, expertise, protection and independence of a “real” DPO; and
(iii) the appointment of such a “quasi-DPO”, particularly if within one’s own workforce, will lead to many practical employment and HR questions in terms of what access, support and job protection that person can expect. Therefore the role and its limitations will have to be clearly defined to manage the individual’s expectations as well as for legal / regulatory clarity.
Where, then, does this leave the sector? Eagerly awaiting ICO guidance, for one thing (there will be centralised EU guidance to follow also, but given the diversity of school systems across the EEA it seems likely that this will be an area where the domestic regime is allowed flexibility – even before Brexit). It may be that the regulator will acknowledge that organisations such as schools, with important and sensitive “non-core” data processing activities, have a legitimate interest in appointing such a person, but not a legal obligation; and this may lead to a more “light touch” regime of compliance officers whose duties and skills are set out as a matter of good practice, rather than by strict requirement. But a hope for common sense to prevail is often a vain one.
The threat of imminent higher regulatory and employment standards should not deter schools from delegating data protection responsibilities to a competent and appropriate person at their organisation, nor from giving them proper training and support. Even in the current regime, that should be a best practice consideration and will be a considerable practical boon whenever an incident happens (a difficult person requiring information, or a breach which leads to an investigation, say). However, it would seem sensible to hold fire on making any additional appointments until we have guidance on what is expected come the morning of 25 May 2018.
If you require further information on anything covered in this briefing please contact Owen O’Rorke (owen.o'[email protected]; or 020 3375 7348) or your usual contact at the firm on 020 3375 7000. Further information can also be found on the Data Protection page on our website.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, October 2016