The end of the Brexit transition period (31 December 2020) may understandably not have been at the forefront of most schools’ and trusts’ minds as this term started.
However, I’ve had a few queries more recently so thought it could be useful to summarise the situation, how it applies to schools and what schools need to do, from a data protection perspective.
The UK officially left the EU on 31 January 2020 and entered a transition period until 31 December 2020, during which time it was business as usual for data protection. The EU-UK Trade and Co-operation Agreement was reached on 24 December 2020 and signed on 30 December 2020.
What does this mean from a data protection perspective?
End of Brexit Transition period
When the transition period ended, the EU General Data Protection Regulation (GDPR) ceased to apply in the UK. However, the Government incorporated it into UK law, as the UK GDPR, and this sits alongside the UK’s Data Protection Act 2018.
Flow of personal data from the UK to EEA countries
The UK GDPR restricts transfers of personal data outside of the UK, or the protection of the UK GDPR, unless the rights of individuals in respect of their personal data are protected under an adequacy agreement, or there are certain safeguards in place, or one of a limited number of exceptions applies.
The UK Government has deemed that EEA (European Economic Area) States have adequate arrangements in place to allow for data flows from the UK.
(The EEA being EU countries, plus Iceland, Liechtenstein and Norway).
Flow of personal data to the UK from EEA countries
Like the UK GDPR, the EU GDPR restricts transfers of personal data outside of the EEA unless the rights of individuals in respect of their personal data are protected under an adequacy agreement, or there are certain safeguards in place, or one of a limited number of exceptions applies.
No adequacy decision had been reached with the EU at the end of the transition period. However, the Agreement with the EU allows personal data to flow freely from the EEA to the UK, until adequacy decisions have been adopted, for no more than six months.
What does this mean for schools and trusts?
In normal circumstances, this would be good news for any school trips/exchanges taking place between the UK and the EEA where pupils’ and teachers’ personal data may be shared in advance of the visit. The adequacy agreements on both sides allow for this transfer of personal data.
This is also good news for schools. Any educational services, third party software solutions etc they may be using, that transfer school personal data to servers in the EEA, are covered by these adequacy agreements.
This is important because schools (as data controllers) have a responsibility to ensure the processors they use are compliant with the UK GDPR and that any transfers of personal data internationally meet its requirements.
What do schools need to do a result of Brexit?
Good news again! From a UK GDPR perspective, very little at this point:
- Amend any references to the EU GDPR to the UK GDPR in their Data Protection Policy, Privacy Notices etc as appropriate.
- If international transfers of personal data are referenced in their Data Protection Policy, amend this from ‘outside of the EU’ to ‘outside of the UK’.
If you would like advice on the use of services/processors who are transferring personal data from the UK to countries beyond the EEA, or anything else data protection related, please get in touch; I would be pleased to support you.