As schools, academies and trusts, you will be processing special category* (see below) personal data for a number of reasons.
Guidance from the Information Commissioner
In its updated guidance on the processing of special category data, the Information Commissioner’s Office (ICO) sets out the need to meet certain conditions under the UK’s Data Protection Action 2018 (UK DPA), when the processing has a basis in law or is required by law.
GDPR Lawful Basis
This is on top of the need to identify a lawful basis under Article 6 of the General Data Protection Regulation (GDPR) and an additional lawful condition under Article 9 when processing special category data.
*Special category data is data that is considered more sensitive, and is given extra protection under the GDPR.
The GDPR defines special category data as:
Additional Conditions under the UK DPA
The additional conditions under the UK DPA are set out in Schedule 1, Parts 1 and 2, and the ones schools are most likely to be relying on are:
- Employment, social security and social protection (if authorised in law) (Part 1)
- Reasons of substantial public interest (with a basis in law) (Part 2)
Employment, social security and social protection (if authorised by law)
This condition is particularly relevant to the employment of staff, e.g.
- checking if individuals are entitled to work in the UK
- ensuring health, safety and welfare of employees
- maintaining records of statutory sick pay and maternity pay.
Reasons of substantial public interest (with a basis in law)
There are 23 specific substantial public interest conditions set out in Part 2, Schedule 1 of the UK DPA. They are narrowly drawn and the ones most likely to be relevant for schools are:
- Equality of opportunity or treatment (para 8)
- Safeguarding of children and of individuals at risk (para 18).
The UK DPA says that for each of the above there must be an Appropriate Policy Document in place as a specific accountability and documentation measure.
One document can cover all of the special category data processing your school or trust carries out, there is no need to have separate ones.
What is an Appropriate Policy Document?
An appropriate policy document just needs to be a short document outlining your compliance measures and retention policies for special category data.
It doesn’t have to take any particular form, as long as it briefly outlines:
- the Schedule 1 condition (or conditions) being relied on
- procedures for complying with each of the (GDPR) principles
- retention and deletion policies
- an indication of the retention period for the specific data.
The Information Commissioner’s Office (ICO) has a template for an Appropriate Policy Document available, which helpfully takes you through the areas to consider.
Alternatively, I have produced a model Appropriate Policy Document for schools, academies and trusts, which is based on the ICO’s template, and can be easily adopted or adapted. It has been well-received by the schools I am supporting as Data Protection Officer.
If you would be interested in knowing more about this, please don’t hesitate to contact me. My contact details are at the bottom of the page or there’s my contact form as well.