Part 5: GDPR Rights and Obligations

This part of the SWGfL GDPR guidance focusses on the rights of Data Subjects and the obligations of Data Controllers (which schools are).

Important GDPR Definitions

The following definitions are used throughout the GDPR, and throughout the SWGfL GDPR guidance:

  1. Processing is any operation (including collection, recording, organising, storing, altering, using, and transmitting) performed on Personal Data.
  2. Personal Data is any information relating to a natural person (called a Data Subject) who can be (directly or indirectly) identified using that information.
  3. A Data Controller is a person, authority, agency or other body which determines the purposes and the means of Processing.
  4. A Data Processor is a person, authority, agency or other body which undertakes Processing on behalf of a Data Controller.

The Rights of Data Subjects

The rights of Data Subjects have expanded under the GDPR (when compared to the Data Protection Act 1998). Data Subjects now have the right:

  1. to transparency (Article 12): Data Controllers are required to provide information (such as that set out in points 2, 3 and 7 below) in a transparent and easily accessible form, using plain and clear language.
  2. for information to be provided:
    1. (Article 13) when collecting Personal Data from the Data Subject, Data Controllers are required to provide Data Subjects with the information set out in the table below; and
    2. (Article 14) when collecting Personal Data from a source other than the Data Subject, Data Controllers are required to provide Data Subjects with the information set out in the table below.

Article 13: collecting Personal Data from the Data Subject. Article 14: collecting Personal Data from another source.

Article 13 | Article 14 | Information to be provided
-----------+------------+-------------------------------------------------------------------------------------------------------------
Yes        | Yes        | The name and contact details of the Data Controller and the Data Controller’s representative
Yes        | Yes        | The contact details of the Data Protection Officer
Yes        | Yes        | The purposes of the Processing and the lawful basis for the Processing
-          | Yes        | The categories of Personal Data to be collected
Yes        | Yes        | The legitimate interests pursued (where the Processing is based on legitimate interests)
Yes        | Yes        | The recipients (or categories of recipients) of the Personal Data
Yes        | Yes        | Details of any intended transfers of the Personal Data outside the EU
Yes        | Yes        | The retention period for the Personal Data
Yes        | Yes        | The Data Subject’s rights
Yes        | Yes        | The Data Subject’s right to withdraw their consent (where the Processing is based on consent)
Yes        | Yes        | The right to complain to the ICO (or another supervisory authority)
-          | Yes        | The source of the Personal Data
Yes        | -          | Whether the Data Subject is required to provide the Personal Data under a statutory or contractual obligation
Yes        | Yes        | The details of any automated decision-making (including profiling)

  3. of access (Article 15): a Data Subject can require a Data Controller to:
    1. confirm whether their Personal Data is being Processed (and where it is);
    2. provide them with access to the Personal Data; and
    3. explain the purpose of the Processing, confirm any organisations with whom the Personal Data has been or will be shared, and various other items of information.
  4. to rectification (Article 16): a Data Subject can require a Data Controller to correct any inaccuracies in their Personal Data.
  5. to erasure (Article 17): also referred to as the ‘right to be forgotten’, a Data Subject can require a Data Controller to erase Personal Data where:
    1. it is no longer required for the original purpose(s);
    2. the Data Subject withdraws consent and there is no other lawful basis for Processing;
    3. the Data Subject objects to the Processing (as per point 9 below); or
    4. there is no lawful basis for the Processing.

This right does not apply, however, where the Processing is necessary for compliance with the Data Controller’s legal obligations, or for the performance of tasks which the Data Controller is required to carry out in the public interest or in the exercise of official authority vested in it.

  6. to restriction of Processing (Article 18): a Data Subject can require a Data Controller to restrict Processing where:
    1. the Data Subject contests the accuracy of the Personal Data;
    2. there is no lawful basis for the Processing, but the Data Subject prefers to restrict Processing (as opposed to requiring erasure of the Personal Data);
    3. the Personal Data is no longer required for the original purpose(s), but the Data Subject requires the Personal Data for legal reasons; or
    4. the legitimacy of the Processing is in question pursuant to the Data Subject’s right to object (Article 21).
  7. to notification (Article 19): where any rectification (Article 16), erasure (Article 17) or restriction (Article 18) of Personal Data is performed by the Data Controller, the Data Subject shall be advised of it.
  8. to data portability (Article 20): a Data Subject can require a Data Controller to provide their Personal Data to them in a structured, commonly used and machine-readable format, where:
    1. the Processing is based on the consent or contract lawful bases; and
    2. the Processing is carried out by automated means.
  9. to object (Article 21): a Data Subject can object to Processing based on the public interest and/or legitimate interest lawful bases, and the Data Controller must comply unless compelling legitimate grounds exist to continue Processing.

An additional right relates to automated processing and profiling (Article 22): a Data Subject can require that, where a decision made as a result of Processing can significantly affect them, such decisions are not based on solely automated Processing. This means that Data Subjects can require that humans are involved in these decision-making processes. 

Schools should consider these rights carefully. Failing to observe the rights of Data Subjects attracts the higher levels of investigative, corrective, authorisation and advisory action (including administrative fines) that the ICO can take or issue.

Schools must observe the rights of Data Subjects, to:

  1. transparency (and clear and simple language);
  2. have information provided to them;
  3. access their Personal Data;
  4. rectification of inaccuracies in their Personal Data;
  5. erasure of their Personal Data;
  6. restrict Processing of their Personal Data;
  7. notification that 4, 5, or 6 above have been undertaken;
  8. have their Personal Data provided to them in the right format; and
  9. object to Processing of their Personal Data.

Data Controller Obligations and Responsibilities

Data Controllers have the obligations set out in previous parts of this guidance, including:

  1. Data protection fee: have in place the appropriate registration with the ICO and pay the data protection fee;
  2. Comply with the principles (Article 5): Processing (including storage of Personal Data) must (a) be lawful, fair and transparent; (b) be for limited purposes only; (c) be minimised (such that Personal Data is adequate, relevant and limited to what is necessary); (d) be performed on accurate and up-to-date Personal Data; (e) be performed for no longer than necessary; and (f) be undertaken securely (using appropriate organisational and technical measures);
  3. Demonstrate compliance (Article 5.2): the GDPR requires that Data Controllers are responsible for compliance, and for being able to demonstrate compliance;
  4. Only perform lawful Processing (Article 6): Processing may be performed only where (1) explicit consent has been provided by the Data Subject; (2) it is necessary for the performance of a contract; (3) it is necessary for the Data Controller to comply with a legal obligation; (4) it is necessary to protect someone’s vital interests; (5) it is necessary for the performance of a public task; or (6) it is necessary for the purposes of legitimate interests pursued; and
  5. Observe Data Subject rights: Data Controllers are required to observe the rights of Data Subjects (Articles 12 to 22) as set out above, including responding to Subject Access Requests.

Data Controllers are also required by the GDPR to:

  6. Take appropriate measures (Article 24): implement appropriate technical and organisational measures to ensure and demonstrate compliance with the GDPR, including appropriate data protection policies;
  7. Data protection by design and default (Article 25): implement appropriate technical and organisational measures to implement the data protection principles, and (by default) ensure that only Personal Data that is necessary (including the amount, the extent, and the retention period) for each purpose is Processed; and
  8. Records of Processing (Article 30): maintain records of Processing activities, including:
    1. the name and contact details of the Data Controller, the Data Controller’s representative and the Data Protection Officer;
    2. the purposes of the Processing and the lawful basis for the Processing;
    3. the categories of Data Subjects and categories of Personal Data;
    4. the recipients (or categories of recipients) of the Personal Data;
    5. details of any intended transfers of the Personal Data outside the EU;
    6. the retention period for the Personal Data; and
    7. the general technical and organisational security measures employed.

As schools are Data Controllers, schools need to meet these obligations.

Note that the records of Processing obligation above (Article 30) applies only to Data Controllers with more than 250 employees, or where the Processing (a) is considered high risk; (b) is regular and ongoing; or (c) includes Special Category Personal Data.

Schools, as Data Controllers, must meet the requirements of the GDPR, including:

  1. payment of the data protection fee;
  2. for all Processing to satisfy the six ‘principles’ in Article 5 of the GDPR (summarised in Part 3 of the SWGfL GDPR guidance);
  3. demonstrating compliance with the GDPR;
  4. for all Processing to have consent or necessary grounds, and comply with Article 6 of the GDPR (summarised in Part 3 of the SWGfL GDPR guidance);
  5. observing the rights of Data Subjects;
  6. ensuring compliance through appropriate steps;
  7. designing data protection into systems, procedures and practices; and
  8. keeping records of Processing.

Data Processors

A Data Processor is a person, authority, agency or other body which undertakes Processing on behalf of a Data Controller.

Data Controllers also have responsibilities in respect of Data Processors that they appoint:

  1. A Data Controller may only use a Data Processor that guarantees to implement the technical and organisational measures required to be compliant with the GDPR.
  2. A Data Processor may only engage another Data Processor with the written authorisation of the Data Controller.
  3. The Processing shall be governed by a contract between the Data Controller and Data Processor (often called a Data Processing Agreement).

Data Processors must also:

  1. Records of Processing (Article 30): maintain records of Processing activities, including:
    1. the name and contact details of each Data Processor, and of the Data Controller, the Data Controller’s representative and the Data Protection Officer;
    2. the categories of Processing;
    3. details of any intended transfers of the Personal Data outside the EU; and
    4. the general technical and organisational security measures employed.

Note that the records of Processing obligation above (Article 30) applies only to Data Processors with more than 250 employees, or where the Processing (a) is considered high risk; (b) is regular and ongoing; or (c) includes Special Category Personal Data.

Schools using Data Processors must ensure that:

  1. the Data Processor implements measures to ensure their compliance with the GDPR;
  2. no further Data Processor will be engaged without the school’s authorisation;
  3. a suitable Data Processing Agreement is in place; and
  4. the Data Processor will maintain appropriate records.

Data Processing Agreements

A Data Processing Agreement (Article 28) must be binding on the Data Processor and set out the Processing in some detail, including the subject matter, duration, nature and purpose of the Processing, the type of Personal Data and categories of Data Subjects, and the obligations and rights of the Data Controller, and should set out:

  1. that Processing shall only be undertaken in accordance with written instructions from the Data Controller (restated in Article 29);
  2. that Data Processor staff are obligated to confidentiality;
  3. that the Data Processor shall implement appropriate technical and organisational measures to ensure an appropriate level of security (including encryption, backup and restore, and security testing processes);
  4. the requirements for appointing another Data Processor;
  5. the support the Data Controller may require in meeting Data Subject requests;
  6. the support the Data Controller may require in ensuring an appropriate level of security, managing any data breaches, and conducting data protection impact assessments;
  7. that the Data Controller may require the Data Processor to delete or return all Personal Data at the cessation of Processing;
  8. the support the Data Controller may require in demonstrating compliance with the GDPR and to contribute to any audits and inspections performed by the Data Controller; and
  9. that the Data Processor must immediately inform the Data Controller if it considers an instruction infringes the GDPR.