I’ve had a number of queries from schools about data protection and Brexit, or a possible no-deal Brexit, following Lord Agnew’s recent letter to local authorities and multi academy trusts: ‘Guidance for schools on leaving the EU’.
Having read Lord Agnew’s letter, plus the guide to data protection for education providers referenced in it, I still had some questions which I then set out to answer.
This is what I found.
If there is a no-deal Brexit:
- It won’t affect the flow of information from the UK to any EEA countries, because of steps the UK is taking.
- We will have a UK version of GDPR in place and the UK Data Protection Act will continue to apply to data transferred within or from the UK.
- But it will affect the flow of information in the other direction. This is because the UK will then be a third party under GDPR and the EEA countries will not have been able to get an Adequacy Agreement in place in time to allow a seamless transition.
(The EEA being EU countries, plus Iceland, Liechtenstein and Norway.)
What does this mean for schools?
The DfE’s guidance says that any schools with an exchange trip coming to the UK should check with the EEA school to ensure that there are standard contractual clauses (SCCs) or Alternative Transfer Mechanisms in place to cover the sending of the pupils’ personal information to the UK. The ICO has guidance and templates to support organisations with SCCs (see point 3).
However, there are some exceptions to the international transfer of data rules in GDPR which I think could be helpful in the event of an exchange trip from an EEA school. For example:
- Exception 1 – the individual gives their explicit consent to the transfer of their data.
- Exception 8 – you are making a one-off restricted transfer and it is in your compelling legitimate interests (there are a number of requirements the EEA school would need to be able to demonstrate it meets).
This seems a more straightforward approach for exchange trips in the circumstances.
In reality, I am sure that any schools in the EEA that might be affected in this way will be just as keen to ensure that arrangements for any sharing of personal data are in place.
The other area that might affect schools is any services they are using that have cloud storage systems based in the EEA.
I recommend schools check with those companies to make sure that they have (or are getting) SCCs or Alternative Transfer Mechanisms in place to ensure continued access to their data.
The DfE’s guide suggests that schools should review their Privacy Notices and Data Protection Impact Assessments (DPIAs) in case they need updating to reflect any changes they make to their ways of working. At the moment, this feels premature and remains to be seen – something to come back to when we have greater clarity.
I hope this supports you in understanding the implications for your data protection responsibilities in the event of a no-deal Brexit.
This is an example of the advice and guidance I regularly provide through my DPO Service network. If you would like to know more about how I can support you in keeping your data safe, please get in contact.