Data Protection for Schools

Author: Godwin Chandler
29th September 2014 – Dublin
8th October 2014 – Cork
22nd October 2014 – Athlone

Presented by: Marianne Matthews & Brian M. Matthews

© Millett & Matthews Solicitors 2014 DocNo:1071810

Brian D. Matthews BA M. Econ Sc.

Brian is the Managing Partner of the firm, with over 35 years’ experience in legal practice. Brian has extensive experience in trust and charity law, complex litigation, corporate and commercial law, dispute resolution, insolvency and company restructuring, employment law, and complex residential and commercial property transactions. He has been involved in landmark decisions of both the High Court and Supreme Court on a variety of issues including judicial review cases and employer-liability issues. Brian has also been involved with advising clients involved with government tribunals and commissions of investigation. He is also a leading practitioner in the area of child protection, and has lectured on this issue in conferences organised by education specialists and charitable organisations.

Carol A. Matthews BCL

Carol is senior partner of Millett & Matthews Solicitors. Having taken over the firm Thomas F. Millett & Co. Solicitors from her father, Carol and Brian established their own firm Millett & Matthews Solicitors in 1976. With over 35 years of experience, Carol advises on a wide range of private client services with specific focus on the areas of complex property transactions, the administration of estates and trusts, and the laws relating to trusts and charitable organisations. Carol has particular experience in the area of charities and charitable trusts, regularly advising on the sale and acquisition of property by charitable organisations, and on the tax implications arising from bequests and donations which they receive.

Brian M. Matthews BA, MA, BCL, Dip. Employment Law

Brian is a solicitor in the firm, working primarily in litigation and dispute resolution. Brian acts for charities, schools and educational trusts, and provides advice, training and support in relation to education law, employment law, school governance, child protection and risk management. Brian represents clients in the High Court, the Equality Tribunal, the Employment Appeals Tribunal, the Labour Relations Commission and most recently advised an international human rights organisation in relation to a high profile preliminary reference from the Irish High Court to the European Court of Justice. He has also advised extensively in relation to a number of Government Tribunals and Commissions of Investigation.

Marianne B. Matthews LLB, Dip Finance Law, TEP

Marianne is a solicitor who joined the firm from the asset management and investment funds department of Dublin firm, Matheson Ormsby Prentice Solicitors (now “Matheson”). Marianne is a graduate of the Law School of Trinity College Dublin, has earned a Diploma in Finance Law from the Law Society of Ireland, and is a member of STEP (Society of Trust and Estate Practitioners, the worldwide professional body for trust and estate practitioners). Marianne advises schools, charitable bodies, religious congregations, and school management bodies. She advises on charitable trust structuring issues, corporate governance, and complex property transactions. She has a special interest in data protection and regularly advises on data protection issues in the workplace, and investigations by the Office of the Data Protection Commissioner.

Data protection training – Table of contents

1. What is data protection and why does it apply to schools?
2. Overview of the website materials
3. Getting Policies in place
   3.1. Data Protection Policy
   3.2. CCTV Policy
   3.3. Records Retention Schedule
   3.4. Data Breach Protocol
4. Data protection infrastructures and framework
5. Training Staff
6. Data access requests
7. Common Scenarios
   7.1. Transfer of information about pupils between schools
   7.2. Teachers’ Notes
   7.3. Unmarried parent requesting information about their child (who does not live with them)
   7.4. An Garda Siochana requesting information from the School
   7.5. Releasing personal data to third parties (Officials/State Agencies)
   7.6. Taking Photos of children at School Events

1. What is data protection – what does it apply to, and when is it relevant?

1.1 At its heart, data protection is about protecting an individual’s right to privacy. The right to privacy has long been recognised as an unenumerated, fundamental Constitutional right under Irish law[1]. The law of data protection forms a fundamental part of the law of privacy, and introduced important rights for individuals. It regulates the flow of information between individuals and organisations and also regulates what those organisations can do with the data they have collected. Data protection law empowers individuals to obtain certain information about themselves held by organisations, and can also be used to prevent organisations from doing certain things with that information. Data protection law legitimises the processing of data by providing a framework for organisations to process data in a fair way. It provides a legitimate, legal basis for collecting, using and storing personal data.

1.2 Schools collect a huge amount of personal information about their staff and students. The law regulating the use of such personal information is the Data Protection Act 1988 and the Data Protection (Amendment) Act 2003 together with the numerous Statutory Instruments amending or extending same (collectively referred to herein as the “Data Protection Acts”).

1.3 What does it apply to?

1.3.1 It is important to understand some of the key terms used within the Data Protection Acts. Under the Data Protection Acts, an organisation holding data is referred to as a “data controller” and the person to whom that data relates is a “data subject”. “Personal Data” is that which relates to a living individual, and is defined as including “Automated data” (eg. information on computer or information recorded with the intention that it is processed by computer) and “Manual data” (information that is kept/recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system).

1.3.2 A “relevant filing system” means any set of information that, while not computerised, is structured by reference to individuals or by reference to criteria relating to individuals, so that specific information relating to a particular individual is readily accessible. Examples might include student or personnel files stored in alphabetical order.

1.3.3 Personal data may also constitute “Sensitive Personal Data” (data relating to a person’s racial or ethnic origin, political opinions or religious or other beliefs, physical or mental health or condition, sexual life, criminal convictions or the alleged commission of an offence, trade union membership), and more rigorous requirements apply to the fair processing of such Sensitive Personal Data.

1.3.4 Occasionally, a data controller will contract with another organisation to process data on its behalf (a “data processor”). The appointment of a data processor must be done in accordance with the Data Protection Act.

[1] Particularly under Article 40 of the Constitution of Ireland, 1937; see McGee v Attorney General [1974] 1 IR 284.

1.4 When is it relevant?

1.4.1 Schools hold large amounts of personal data and, notwithstanding the fact that Schools are not commercial organisations, they are deemed to be data controllers under the Data Protection Acts and the law of data protection applies to Schools. Data protection applies whenever the School collects, handles, processes, transfers or does anything with an individual’s data.

1.4.2 Data protection issues arise on a day-to-day basis; however, they usually only become contentious in the event of a crisis situation such as a data breach, employment-law related disputes (particularly during the course of disciplinary procedures), and in litigation.

2. New Data Protection Website

2.1. The school management bodies have worked with the Department of Education and Skills and the ODPC to develop a data protection website for schools: www.dataprotectionschools.ie. It is an invaluable source of information, templates, and draft policies.

2.2. We often hear grumbles that data protection legislation imposes undue burdens on the not-for-profit sector, and does not address “real world” issues. For example, it does not distinguish between adults and children, so there is no legislative guidance on how to obtain the informed consent of a child when seeking consent to process personal data. Furthermore, it gives data subjects powerful tools (such as the power to request information about themselves, or the power to require an organisation to amend or delete personal records) but does not stipulate how these rights could be exercised by a child, or whether a parent has any right to exercise the rights on the child’s behalf. While it cannot be taken to be legal advice, the website aims to give general, “real world”, practical advice to schools on these complex issues.

3. Getting Policies in place

3.1. Data Protection Policy

3.1.1. There is a template data protection policy for schools available for download from the website. It is important for each School to consider its data protection policy and consider whether it is a comprehensive guide for how personal data and sensitive personal data will be treated within the School. Where a School is conducting a review of its existing data protection policy for schools, this template document is a good place to start.

3.1.2. It is to be noted that these are “templates” only, and the Board of Management will still need to examine the school’s practices and procedures and tailor the template Policy accordingly before adopting it. For example, if the school has particular procedures relating to particularly sensitive personal data, this should be detailed in the Policy. For example, the school may have established procedures setting out who is entitled to view court orders relating to custody arrangements relating to a student, or which members of staff are entitled to have access to medical reports of students, and where such arrangements exist, the template Policy should be modified to incorporate reference to these.

3.1.3. The template policy considers the type of data which may be gathered, and states the rationale and justification for holding this data (eg. payroll, timetabling, emergency contacts etc). This precipitates an examination of the rationale for collecting each type of data, and allows the School to make an informed assessment of whether excessive data is being collected. If the collection is necessary and proportionate, it enables the organisation to justify the collection and retention of that data on a compelling and legitimate basis.

3.1.4. The template Policy sets out guidance on how data should be processed, including that of students, parents/guardians, staff, and all other individuals who come into contact with the school. It attempts to give a complete picture of all the data collected, the uses to which this data will be put, and the types of organisations it will be shared with (DES, TUSLA, An Garda Siochana etc). Not only does such a policy manage the expectations of parents/guardians and students as to what they can expect from a school, but in addition, it also acts as a “prompt” for staff to remind them how they are expected to treat the data which they process.

3.1.5. It is important that Schools review their policies on a holistic basis and ensure that the Data Protection Policy in place within the School dovetails neatly with all its other policies, including the IT Acceptable Usage Policy, the Code of Behaviour, the Disciplinary Policy etc. For example, the Disciplinary Policy must make it clear that if there is any breach or divergence from the accepted and expected standards set out in various school policies, including but not limited to the Data Protection Policy, this may be treated as a disciplinary matter and may expose the employee or student concerned to disciplinary action.

3.2. CCTV Policy

3.2.1. Many schools utilise CCTV systems to monitor and protect their property. Where the CCTV records individuals or is capable of capturing recognisable images then the data captured by the CCTV system will be considered “personal data” and the provisions of the Data Protection Acts will apply. As CCTV recording can be intrusive, the use of CCTV must be justifiable, necessary, proportionate and reasonable in all the circumstances. It is therefore important for organisations utilising CCTV systems to have a CCTV policy in place and to review the use of the CCTV system periodically to ensure that its use is still justifiable and proportionate. Where CCTV is being introduced for the first time, it is advised that the first step should involve a privacy impact assessment and consultation with staff, students and parents.

3.2.2. In terms of schools, the ODPC has advised that while it may be justifiable for CCTV to be used to secure the perimeter of school property, it may not be justifiable for day-to-day monitoring of staff and students, and in any event CCTV should not enter the classroom itself.

3.2.3. In his Annual Report of 2013, the Data Protection Commissioner commented on the issue of CCTV systems in crèches. Those comments were precipitated by the RTE Primetime investigation into the practices of certain crèches in Ireland. His comments were triggered by requests from a number of crèches who wanted to install live-streaming of CCTV to parents in order to reassure parents of the quality of care their children were receiving in the crèches. The Commissioner stated: “The Commissioner is satisfied that CCTV may be used legitimately under the Data Protection Acts for security related purposes at the perimeter of such a facility but that any use beyond this would need to be fully justifiable and evidence based with a very high threshold for such evidence. This is particularly the case in a crèche environment as the majority of the personal data processed will relate to minors….. it may be the case that employers are tempted to use technologies such as continual streaming of CCTV as a substitute for on-the-ground supervision by supervisory or managerial staff. However, such situations are difficult to reconcile with the requirements of the Data Protection Acts and we cannot see any legal basis to justify the monitoring of individuals in the course of their normal activities by such means. …. This Office considers that CCTV is not the answer to the fundamental issues of the quality of staff and their supervision by management in a child-care facility”.

3.2.4. The location of CCTV cameras must be selected with great care and a privacy-impact assessment should be conducted to ensure that they do not capture images in spaces where an individual would have a legitimate expectation of privacy such as bathrooms and changing rooms. Where images are captured in areas where an employee would have a reasonable expectation of privacy (such as a bathroom), and those images capture wrongdoing on the part of the employee, the employer could have a difficult time trying to use the CCTV recordings as evidence during any subsequent disciplinary procedure. This is because the employee (and/or his legal advisor and/or union) will claim that the images were captured in breach of the employee’s right to privacy and consequentially cannot be used against him.

3.2.5. In addition, the template CCTV policy reminds Boards of Management not to engage in covert surveillance as it would be likely to be considered to be a breach of an individual’s right of privacy. In most cases, the school is usually better served by disclosing the presence of CCTV locations and clearly bringing the employer’s CCTV Policy to the attention of all staff, students and other permitted users who may access the school property.

3.2.6. Schools need to be aware that where they utilise a CCTV system, they will have to be in a position to furnish data subjects with copies of that data subject’s images captured by the CCTV system. This may require an upgrade of the software/hardware in place but many CCTV systems store footage on hard disks in a file format which can be read on Windows based PCs.

3.2.7. Consideration also needs to be given to the retention periods for CCTV recordings. The ODPC guidance is that “it would be difficult to justify retention beyond a month, except where the images identify an issue – such as a break-in or theft – and is retained specifically in the context of an investigation of that issue”. So in most cases, the retention period should be 28 days.

3.2.8. When reviewing the School CCTV policy, consideration needs to be given as to whether and in what circumstances CCTV recordings will be furnished to An Garda Siochana. School staff will need to have clear guidelines to follow in the event of being asked to furnish recordings to An Garda Siochana. For example, the policy should give them guidance on whether they should require the production of a warrant, or whether the mere “say so” of a member of An Garda Siochana will be sufficient for furnishing such recordings. Having all these details clearly provided for in the CCTV policy means that consistent decisions are reached, and no member of staff is left in a situation where they have no guidance on what they are supposed to do. Considering these issues in advance ensures that ill-judged decisions are not made in a crisis.

3.3. Record Retention Schedule

3.3.1. The Data Protection Acts establish some general principles relating to how personal data is to be treated. One important principle is that the data must be retained for no longer than is necessary. Retention periods have received much media coverage in recent months following the (now infamous) “right to be forgotten” ruling of the European Court of Justice[2]. This case has forced many organisations to scrutinise the data they hold and the periods for which they hold the data within the context of the legal obligation[3] not to keep the data for longer than is necessary for the purpose for which they were collected.

3.3.2. It is important to understand that in many circumstances, the School will have a legitimate reason to retain the data for a certain period for a particular purpose. The time period may be tied to a statutory provision requiring an employer to keep certain information for a minimum period (eg. time-sheets etc), or may be tied to protecting the legitimate interests of the school (eg. to defend litigation). This general principle has not been abrogated as a result of the recent ECJ “right to be forgotten” ruling, which explicitly clarified that the right to be forgotten is not absolute. A case-by-case assessment is required to consider the type of information, its sensitivity, and the reasons the organisation may have for retaining the data.

3.3.3. The website provides a helpful guide for Schools when deciding what retention periods should be in place for various types of data. Some periods will be relatively short (e.g. 28 days for CCTV recordings, 12 months for Garda vetting outcomes).

3.3.4. While it is neither practical nor desirable for all data to be retained forever, there is some data which may be held by Schools which Schools are advised not to destroy. This may include child protection records. This is because the Statute of Limitations (Amendment) Act 2000 has special provisions relating to the limitation periods in which claims for child sexual abuse may be brought. That legislation states that the normal time-frame in which claims for personal injuries or claims in negligence must be brought is disapplied in cases of child sexual abuse. This is because the victim may be considered to be “under a disability” while he/she is suffering from any psychological injury that is caused by the sexual abuse which is of such significance that his/her will or his/her ability to make a reasoned decision to bring such a claim is substantially impaired. As a result of this, it is not unusual for cases relating to child sexual abuse to be initiated many decades after the alleged abuse has taken place.

3.3.5. We generally advise that these records should be retained securely with the highest possible level of data security to ensure that they are adequately protected against accidental disclosure or loss. Such documentation is often crucial in defending the actions taken by a school when their behaviour is called into question many decades after the fact. Such documentation can be of huge evidential value in proving that the school acted promptly and appropriately in dealing with a child protection situation.

3.3.6. In our experience, it is not uncommon for claims relating to child sexual abuse to be brought many decades after the events complained of. There was a recent High Court decision[4] where the claimant was successful in his claim for damages arising due to child sexual abuse which occurred approximately 45 years before he initiated his claim. The plaintiff claimed he was abused by a teaching religious Brother while he was a student in a national school. The plaintiff was awarded €315,000 when he sued the Congregation which ran the national school. Accordingly, when determining retention periods, Schools must bear in mind that the limitation periods in which claims must be brought can be difficult to discern (or may never start to run, and therefore the limitation period never expires) as it is not necessarily tied to the date upon which the incident occurred.

[2] C-131/12 issued by the ECJ on 13th May 2014. The case was a preliminary reference to the ECJ from a domestic Spanish court on a point of law relating to the interpretation of the 1995 Data Protection Directive. The case arose when a Spanish lawyer, Mario Costeja González, lodged a complaint to the national Spanish data protection regulator against a number of parties, including Google. In March 1998, a Spanish newspaper ran an article about financial problems which he had suffered, and one of the first Google results which was returned following a search against his name in the Google search engine returned an auction notice of the repossession of his home. Mr González claimed that it was an infringement of his personal privacy as the proceedings had been finished for many years. He sought relief from the court to compel Google to take down the personal data relating to him so that it no longer appeared in the search results of a Google search. It did not require the data to be deleted, but simply means that it is less easy to find. The ECJ ruled that where information is inaccurate, inadequate, irrelevant or excessive for the purposes of data processing, then individuals have the right – under certain conditions – to ask for the organisation to remove that information about them.

[3] Section 2(1)(d) Data Protection Acts.

[4] Hickey v McGowan and another [2014] IEHC 19, delivered on 24th January 2014 by Mr Justice Iarlaith O’Neill. See coverage published at www.irishtimes.com/news/crime-and-law/courts/man-awarded-315000-over-sex-abuse-by-marist-brother-1.1667219
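The retention schedule discussed in section 3.3 can be applied mechanically once the periods are written down, and the edge cases the text raises (footage held for an investigation, records that must never be destroyed, categories nobody has decided on yet) are exactly where a script must refuse to act. The following is an added example, not code from the page or from the dataprotectionschools.ie templates; the 28-day CCTV and 12-month Garda vetting figures are the page's, while the category keys, the inventory and the "review" outcome for unlisted categories are assumptions made here.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Retention periods in days. 28 days for CCTV recordings and 12 months for
# Garda vetting outcomes are the figures given in section 3.3; child protection
# records, which the page advises not to destroy, are given a period of None
# (retain indefinitely). The category keys themselves are constructed for this
# example and are not taken from the website's retention schedule.
RETENTION_DAYS: Dict[str, Optional[int]] = {
    "cctv": 28,
    "garda_vetting": 365,
    "child_protection": None,
}


@dataclass
class Record:
    record_id: str
    category: str
    created: date
    # True when the record is held specifically for an investigation (e.g. CCTV
    # footage of a break-in), which the ODPC guidance quoted in 3.2.7 allows.
    under_investigation: bool = False


def retention_decision(rec: Record, today: date) -> str:
    """Return 'retain', 'destroy' or 'review' for a single record.

    'review' means the schedule has no period for this category, so a person
    (checking any statutory minimum, as 3.3.2 describes) must decide, not the
    script. Unknown categories are never silently destroyed.
    """
    if rec.category not in RETENTION_DAYS:
        return "review"
    period = RETENTION_DAYS[rec.category]
    if period is None:
        return "retain"                      # never destroyed under this schedule
    if rec.under_investigation:
        return "retain"                      # kept for the investigation
    expiry = rec.created + timedelta(days=period)
    return "destroy" if today >= expiry else "retain"


def records_due_for_destruction(records: List[Record], today: date) -> List[str]:
    """IDs of records whose retention period has run out."""
    return [r.record_id for r in records
            if retention_decision(r, today) == "destroy"]


def records_needing_review(records: List[Record], today: date) -> List[str]:
    """IDs of records in categories the schedule does not cover."""
    return [r.record_id for r in records
            if retention_decision(r, today) == "review"]


# Constructed sample inventory; none of this is real school data.
SAMPLE_TODAY = date(2014, 10, 1)
SAMPLE_RECORDS = [
    Record("cctv-0001", "cctv", date(2014, 8, 20)),            # 42 days old
    Record("cctv-0002", "cctv", date(2014, 9, 20)),            # 11 days old
    Record("cctv-0003", "cctv", date(2014, 7, 1),
           under_investigation=True),                          # break-in footage
    Record("vet-0001", "garda_vetting", date(2013, 9, 1)),     # over 12 months
    Record("vet-0002", "garda_vetting", date(2014, 3, 1)),     # under 12 months
    Record("cp-0001", "child_protection", date(1990, 1, 1)),   # never destroyed
    Record("pay-0001", "payroll", date(2000, 1, 1)),           # not on the schedule
]

if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        print(f"{r.record_id:10} {r.category:17} {retention_decision(r, SAMPLE_TODAY)}")
    print("due for destruction:", records_due_for_destruction(SAMPLE_RECORDS, SAMPLE_TODAY))
    print("needs manual review:", records_needing_review(SAMPLE_RECORDS, SAMPLE_TODAY))
```

The "destroy" list is a work list for a witnessed destruction, not a command the script carries out itself.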

3.4. Data Breach Protocol

3.4.1. The Data Protection Acts state at section 2(1)(d) that data controllers are obliged to have appropriate measures in place to prevent “unauthorised access to, or alteration, disclosure or destruction of, the data and against their accidental loss or destruction”. Where data breaches occur in the workplace, they can generate stressful conditions where difficult decisions need to be taken quickly. One of the first questions which needs to be addressed is whether the person (or people) whose data has been breached need to be notified of the breach, and whether a report should be made to the ODPC.

3.4.2. During 2013, almost 1,600 personal data security breach notifications were made to the ODPC[5]. While there are EU Regulations relating to mandatory notifications of data security breaches by telecommunications and internet service providers[6] which require notification within 24 hours of a data security breach being identified, these Regulations do not extend beyond telecommunications companies and ISPs. There are certain sector specific Codes of Practice which advise mandatory notification of all data breaches, and the ODPC advises notifications to be made to his office, but in our experience not all breaches are notified to the ODPC.

3.4.3. Where a decision is taken not to notify the ODPC and/or not to notify the individual concerned, if the data breach is brought to their attention by someone other than the School, there can be a loss of trust and confidence in the school, and it is undoubtedly reputationally damaging. In addition, there is the potential for an individual to bring a claim for damages against the School under section 7 of the Data Protection Acts on the basis that the School breached the duty of care which it owed to the data subject.

3.4.4. For this reason, the Personal Data Security Breach Code of Practice has been developed. The template Code of Practice sets out practical steps to be taken immediately upon the data breach coming to the attention of the School (for example, practical steps on containing the breach and mitigating further data loss such as quarantine arrangements). It is hoped that by having a clear Code of Practice, difficult decisions do not have to be taken under crisis conditions.

4. Data Protection infrastructure and frameworks

4.1. As well as induction training, and regular refresher training, it is important that the systems and procedures within the workplace are conducive to all employees fulfilling their data protection duties. For example, the School must consider infrastructural issues which are privacy compliant. Consideration should be given to the level of IT security, logging and audit trail capability on software, access permission levels, fire-wall software, encryption software, physical and boundary security for offices and file storage areas (including CCTV systems), and the safe and secure destruction of data and data-storage devices.

[5] See Page 16 of the Annual Report 2013.

[6] EU Commission Regulation 611 of 2013 of 24 June 2013 “on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC of the European Parliament and of the Council on privacy and electronic communications”.

4.2. Physical security: When considering data protection, we can sometimes focus on the protection of electronic data and overlook the mundane arrangements used to protect manual data such as locked doors and filing cabinets. When undertaking a privacy assessment of the School as part of a review, it is important not to forget issues like doors, locks, filing cabinets, alarms, security lighting, and the confidential shredding of waste paper. 4.3. It’s the little things: small steps can go a long way to ensuring privacy in the workplace. For example positioning reception-area computer screens so they cannot be viewed by visitors to the School office. Waste paper baskets should be emptied regularly and waste materials shredded on-site weekly either by the School itself or by an external, reputable data protection shredding service (retained pursuant to a data processing agreement which complies with the legislation). 4.4. Taking Work Home? If School employees take work home with them or take data off-site (eg. for TUSLA child care case conferences), the School will need to have a system in place to ensure that electronic files (including files removed on memory stick/USB stick) have an adequate level of password protection and encryption software to protect them while the employee is working from home or removing them from the School. The School needs to ensure that employees are fully trained on how to use such devices securely. Where employees take work home or off-site in the form of manual files, (which is more vulnerable to loss) consideration needs to be given as to whether manual data should be converted to electronic data to avoid the need to take manual data off-site. 4.5. Shredding: Due care must be taken when disposing of manual data. It is imperative that confidential information is not inadvertently put in the general waste where it could be vulnerable to inadvertent disclosure. 
For this reason, Schools should consider whether they should have a policy to shred all documents generated by their employees (whether confidential or not). This mitigates the risk inherent in a system where an employee decides whether information is confidential or not (or perhaps makes a mistake by putting a confidential document in the general waste rather than disposing it by shredding). If an external company is being retained to shred paper waste, a written Data Processing Agreement must be in place and it is advisable that the shredding is witnessed/overseen by a School employee. 4.6. Secure Destruction: Where hardware has become outdated and is being replaced (eg. servers and personal computers), due consideration needs to be given as to how the personal data stored on those units can be securely destroyed. Where a third party company is being retained to arrange for the secure destruction of personal data or hardware on which personal data is stored, the School is legally required to put a Data Processing Agreement in place which meets the minimum standards set down by the legislation. There is guidance available on the website as to what provisions a data processing agreement should contain. If the School engages a third party to carry out work (eg. shredding waste paper, or destroying old computer hardware), the School as data controller remains legally responsible for protecting the data. The Data Processing Agreement protects the School by setting down certain Page 8 of 23

minimum standards with which the data processor will be required to comply. However, the School’s duty is not discharged simply by putting a Data Processing Agreement in place; where a data processor is carrying out work the data controller should monitor their work to ensure that they are complying with the guarantees given under the data processing agreement (eg. that they destroy all material on-site and that nothing is removed off-site until it has been securely destroyed). In most cases, monitoring will be a straightforward matter – for example, in the case of shredding it is advisable that one member of School staff should witness the paper waste being shredded. 4.7. Certification: It is important to note that where certain hardware (eg. PCs) are being destroyed, a separate Certificate of Destruction should be furnished for each item destroyed (eg. a hard-drive) and these Certificates of Destruction should be stored safely on file by the School. All data processors who are engaged by an organisation to dispose of materials containing personal data should be fully accredited to ISO 270017 standards (or whatever the currently recognised international standard is at the relevant time), and should provide the data controller with guarantees that the data will be handled in compliance with the Data Protection Acts. 4.8. Privacy by design: only authorised personnel should be capable of having access to certain sensitive information, and their access must be on a “need to know” basis. Accordingly, to prevent curiosity getting the better of an employee, and to prevent an inadvertent data breach, it is advisable to have “privacy by design” features within the procedures and software utilised by the School. 
For example, access to confidential files (such as the HR and payroll systems, copies of court orders submitted by families relating to students, and medical reports relating to students) should be locked down to only those specific employees who have been authorised to have access to that data. Where the records are manual, it may be appropriate to insist that certain particularly sensitive material can only be viewed in a particular room and not removed under any circumstances. Where the sensitive records are electronic, access to the files needs to be locked down to certain authorised users only. Schools will need to consider whether their electronic systems should have alerts flagging potentially improper accessing of data, and audit logs to ascertain who accessed the data, at what time, whether they printed it, and whether they changed anything. Checks should be made and logged periodically by line managers to ensure that employees are accessing confidential data only for legitimate purposes relating directly to their duties. Where an employee is found to be accessing confidential information for reasons unconnected with their core work duties, advice should be sought and it may be necessary to initiate disciplinary action.

4.9. Dovetail with Disciplinary Policy:

It is important that all School staff understand that breach of the workplace data protection practices and procedures will result in disciplinary procedures which could result in an employee losing their job. In a recent case study[8] where a Department of Social Protection employee was suspected of snooping on the social welfare records of his colleagues and ex-wife, the ODPC commented that “straying beyond the boundaries of [the public servant]’s official duties in terms of accessing personal records amounts to unlawful activity by the individuals concerned. For that reason, it is critical that data controllers, such as a Government Department in this case, have robust disciplinary policies in place to deal with any breaches. Taking no action against individuals caught engaging in such activity is not acceptable. Instead, it should be clear to all users that there are serious, negative consequences for unauthorised access to personal information for unofficial purposes. Furthermore, as this case demonstrates, it is vital that data controllers have an audit trail in place on computer systems to capture both “read-only” and “edit” accesses to official records. Obviously, the monitoring of such audit trails and follow-up action are critical elements in ensuring the effective protection of records which are stored on a data controller’s computer systems”.

[7] An internationally recognised standard (published in 2013 by the International Organisation for Standardisation) for managing the security of information.
[8] Case study 3 of 2013: “Government Department admits inappropriate access to records by an official”.
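As an added illustration of the lock-down, audit trail and line-manager review described in section 4.8 and in the case study above (example code written for this edit, not part of the original paper): a minimal record store that restricts confidential records to authorised users, logs every read, print, edit and refused attempt, and a periodic review that flags any access with no recorded work reason. All user names, record ids and duties are constructed.

```python
"""Added example (not code from the original paper): a minimal "need to know"
record store with an audit trail that captures read-only, print and edit
accesses (as the ODPC case study calls for), plus the periodic line-manager
review that flags accesses with no recorded work reason. All user names,
record ids and duties are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Set, Tuple


@dataclass
class AuditEntry:
    when: datetime
    user: str
    record: str
    action: str       # "read", "print", "edit" or "denied"
    detail: str = ""  # edits: what changed; denials: the action attempted


class RecordStore:
    """Confidential records locked down to authorised users. Every access
    attempt, successful or refused, is written to the audit trail."""

    def __init__(self, records: Dict[str, dict], authorised: Dict[str, Set[str]]):
        self._records = {rid: dict(fields) for rid, fields in records.items()}
        self._authorised = authorised  # user -> record ids the user may open
        self.audit: List[AuditEntry] = []

    def _check(self, user: str, record: str, action: str, when: datetime) -> None:
        # The lock-down itself: refuse and log anything outside the user's authorisation.
        if record not in self._authorised.get(user, set()):
            self.audit.append(AuditEntry(when, user, record, "denied", action))
            raise PermissionError(f"{user} is not authorised to {action} {record}")

    def read(self, user: str, record: str, when: datetime) -> dict:
        self._check(user, record, "read", when)
        self.audit.append(AuditEntry(when, user, record, "read"))
        return dict(self._records[record])

    def print_record(self, user: str, record: str, when: datetime) -> str:
        # Printing is logged separately: a printout leaves the system's control.
        self._check(user, record, "print", when)
        self.audit.append(AuditEntry(when, user, record, "print"))
        return "\n".join(f"{k}: {v}" for k, v in self._records[record].items())

    def edit(self, user: str, record: str, field: str, value: str, when: datetime) -> None:
        self._check(user, record, "edit", when)
        old = self._records[record].get(field)
        self._records[record][field] = value
        self.audit.append(AuditEntry(when, user, record, "edit", f"{field}: {old!r} -> {value!r}"))


def review_audit(audit: List[AuditEntry],
                 duties: Dict[str, Set[str]]) -> List[Tuple[AuditEntry, str]]:
    """Periodic check by a line manager. `duties` lists, per user, the records
    the user had a legitimate work reason to touch in the review period
    (e.g. their own class list or the HR cases they were assigned). Returns the
    entries needing follow-up, oldest first: refused attempts and any successful
    access, including read-only access, outside the user's duties."""
    flagged = []
    for entry in sorted(audit, key=lambda e: e.when):
        if entry.action == "denied":
            flagged.append((entry, "access denied by lock-down"))
        elif entry.record not in duties.get(entry.user, set()):
            flagged.append((entry, "no recorded work reason for this record"))
    return flagged


def demo() -> Tuple[RecordStore, List[Tuple[AuditEntry, str]]]:
    """Constructed scenario in the spirit of the case study: a payroll user who
    is technically authorised for all staff files browses a colleague's record
    without any work reason, and a teacher tries to open a staff file."""
    records = {
        "staff/0101": {"name": "A. Colleague", "grade": "grade 3"},
        "staff/0102": {"name": "B. Colleague", "grade": "grade 2"},
        "student/2201": {"name": "C. Student", "medical": "none recorded"},
    }
    authorised = {
        "carol.payroll": {"staff/0101", "staff/0102"},  # payroll sees all staff files
        "bob.teacher": {"student/2201"},                 # class teacher sees own pupils
    }
    store = RecordStore(records, authorised)
    day = datetime(2014, 9, 29, 9, 0)
    store.read("carol.payroll", "staff/0102", day)                    # payroll query: legitimate
    store.read("carol.payroll", "staff/0101", day.replace(hour=12))   # colleague's file, no reason
    store.print_record("carol.payroll", "staff/0101", day.replace(hour=12, minute=5))
    store.edit("bob.teacher", "student/2201", "medical", "asthma (parent letter)", day.replace(hour=10))
    try:
        store.read("bob.teacher", "staff/0101", day.replace(hour=11))  # refused by the lock-down
    except PermissionError:
        pass
    # What each user's line manager confirms they actually needed this period.
    duties = {"carol.payroll": {"staff/0102"}, "bob.teacher": {"student/2201"}}
    return store, review_audit(store.audit, duties)


if __name__ == "__main__":
    store, flagged = demo()
    for entry, reason in flagged:
        print(f"{entry.when:%Y-%m-%d %H:%M} {entry.user} {entry.action} {entry.record}: {reason}")
```

Note that the two flagged reads of staff/0101 were permitted by the lock-down; only the review against recorded duties surfaces them, which is the point the ODPC makes about monitoring read-only access.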

5. Training Staff

Staff training is a vital part of data protection compliance. In most cases, data breaches do not arise due to deliberate actions or malicious attacks, but arise due to inadvertence, inattention, human error or poor workplace practices.

5.1. Training Receptionists/Front line staff

5.1.1. In any organisation, the individuals who need most support and training are front line staff who regularly meet and deal with the public. Receptionists and other front-line staff must be trained to know what is expected of them. They are the individuals most susceptible to blagging and phishing attempts (i.e. obtaining personal information about third parties without that party’s knowledge and without their consent, through the use of impersonation, trickery, or deception).

5.1.2. Front-line staff can also be vulnerable to intimidation and harassment, so all efforts should be made to provide them with appropriate training, support and protection. This could include alarm buttons, CCTV in public areas, signs reminding visitors to treat all staff with respect and that abusive conduct will not be accepted, appropriate office space, etc.

5.2. Data Protection issues for all staff

5.2.1. As well as regular training, there also needs to be systematic, random inspection throughout the workplace to ensure that staff are adhering to the approved systems. One must never underestimate an employee’s ability to deviate from a simple system, thereby leaving the whole organisation exposed to sanction. Even when robust systems have been put in place, they need to be monitored and audited regularly to ensure compliance.

5.2.2. The School should establish simple procedures that staff can understand and follow easily. For example, front-line staff should be trained to seek proof of identity so that they can verify the identity of the person with whom they are dealing before they release information to that person.

5.2.3. Some basic tips for all staff dealing with members of the public:

• Always be suspicious: ask for proof of identity before disclosing any information.
• Do not provide information unless you are certain of the person’s identity and can show proof that you have taken steps to verify that identity.
• Always take steps to ensure that the person to whom you are providing the information has a valid, legal entitlement to receive that information.
• If in doubt, ask them to furnish their request in writing and take that written request to your line manager for direction.
• The normal rigours should not be relaxed just because the person making the request for information works for a Government Department or is a State official (e.g. TUSLA, the Department of Social Protection, An Garda Siochana).
• All staff must be trained to ask for the legal basis upon which the requester is entitled to receive the information and the legal basis upon which the School is required to provide that information. There have been cases where officials have requested information which they were not entitled to receive.

6. Data Access Requests

6.1. Access to one’s personal data is a cornerstone of the data protection regime. Subject to certain exemptions and exceptions, by law an individual is entitled to be told what information the organisation holds about them, and to be furnished with copies of same. This is a powerful right given to individuals. For a small fee (which cannot exceed €6.35) the individual can request the data controller to provide them with a copy of any information (either in electronic or manual form) which the data controller holds about that individual. This is referred to as a “data access request” (“DAR”).

6.2. Under section 4 of the Data Protection Acts, upon making a DAR, the data subject is entitled inter alia to the following:
• The categories of data being processed by or on behalf of the data controller,
• The personal data constituting the data of which that individual is the data subject,
• The purpose or purposes of the processing,
• The recipients or categories of recipients to whom the data are or may be disclosed,
• Any information known or available to the data controller as to the source of those data, unless the communication of that information is contrary to the public interest.

6.3. The data controller then has 40 days in which to comply with the DAR. Schools will need to give consideration to what will happen in the event of a DAR being submitted to the School during the summer holidays. There is no method to extend the 40 day deadline, and the legislation gives no leeway, so forward planning will be essential to ensure that there is an established protocol for how the School will handle a DAR received out of term-time.

6.4. DARs must be treated very carefully as they are a very powerful tool in the hands of a litigant or a disgruntled employee, as they can lead to the disclosure of certain information which the data controller may not have anticipated having to reveal to the individual concerned.

6.5. There is an increased awareness among individuals of this right of access. In his 2013 Annual Report, the Data Protection Commissioner noted that complaints regarding access requests accounted for 56.8% of the overall total of data protection-related complaints in 2013.

6.6. There are a number of important points to note when training staff as to how they handle DARs:

6.6.1. Firstly: it is important that staff are trained to recognise what a Data Access Request looks like and to understand that even where a request for information does not specifically mention the DPAs (or perhaps mistakenly cites the Freedom of Information legislation), the request should be treated as a DAR. It is most likely that the first recipient of the DAR will be a member of front-line staff such as a Receptionist, so it is most important that everyone in the School understands what role they have in dealing with the DAR.

6.6.2. Secondly: staff should be aware of the time limits for dealing with DARs, and have a system in place to ensure that the information is provided within that period. Staff must understand that time is of the essence, and that the DAR should be given to the appropriate person as soon as possible so that the School can comply with the 40 day deadline (for a section 4 request) or the 21 day deadline (for dealing with a section 3 request). This is to ensure that deadlines are not inadvertently missed, resulting in the School being held to be in breach of the law.

6.6.3. Thirdly: we would advise that consideration should be given to having one designated person within the organisation who deals with DARs, or who can assist other members of staff in dealing with DARs. Their role could include monitoring all DARs made to the School and ensuring that they are dealt with correctly and within the appropriate time.

6.7. DARs are commonplace in employment-related disputes including disciplinary procedures, competence procedures, grievance procedures, and employment-related litigation. In addition to this, DARs are increasingly being utilised by parents to obtain data held by the school during proceedings relating to breaches of the Code of Behaviour, section 29 appeals, and appeals of decisions relating to acceptance for transition year.

6.8. The ODPC has advised that a DAR must be dealt with “no matter how inconvenient or disagreeable”[9] it may be to a data controller, unless a statutory restriction or exemption applies in the circumstances. So a data controller cannot argue that by making a DAR the individual is abusing the normal litigation process by which disclosure is generally made pursuant to a Court Order of discovery.

[9] See case study 3/97.

6.9. As stated above, once a DAR made under section 4 is received[10], the organisation has 40 days in which to comply, and to furnish the relevant data to the data subject. There is no way to extend this deadline. If a data controller does not comply with a DAR, or does not comply with the DAR in time, the data subject may make a complaint to the ODPC, who may initiate an investigation into the matter. Such investigations are becoming increasingly commonplace. The Commissioner has wide powers to investigate complaints made to the ODPC and will take appropriate action against any organisations that are not complying with the provisions of the Data Protection Acts. However, this regime is due to change very soon, so Schools should take this opportunity to get their internal procedures in order so that they are prepared for the changes which will be introduced when the new European Data Protection regime comes into force.

6.10. As currently drafted, the new European Data Protection Regulations (which are anticipated to be brought into force in 2015/2016) propose that the current period of 40 days shall be shortened to one month (subject to the possibility that the one-month period may be prolonged for a further month “if several data subjects exercise their rights and their cooperation is necessary to a reasonable extent to prevent an unnecessary and disproportionate effort on the part of the controller”). In addition, the current charge of €6.35 for a DAR will be dropped, and it is proposed that in future access requests must be dealt with “free of charge”[11]. In addition, the proposals for the future EU Regulations state that the sanctions anticipated for the intentional or negligent failure to respond promptly to DARs will be a fine of up to €250,000, or up to €500,000 for failure to provide the DAR information (or to provide incomplete information, or to fail to “provide the information in a sufficiently transparent manner”).

6.11. At present, the right to receive all your data pursuant to a DAR is not an absolute right, and certain exemptions and exceptions apply. For example, section 4(9) states that the controller must supply the information unless it is not possible or would involve “disproportionate effort”. In the case of schools the ODPC has indicated that it would expect to see all personal data which is filed in a retrievable format reviewed as part of an access request. Accordingly, the ODPC has cautioned that it is not acceptable for personal data to be retrievable by a school for its own use but not to be released pursuant to an access request for the reason that it did not rest on the student’s file.

6.12. If a DAR is received, the data controller should give consideration to whether any statutory exemptions or exceptions apply:

6.12.1. Third party’s data: If data is being released, consideration must be given to whether redacting (i.e. blacking out words/sections to render them unreadable) is necessary to remove references identifying third parties. This is because the right of access of a data subject is limited to the information relating to that individual. Therefore, where a DAR is received from a data subject and the documentation held by the data controller refers to, names or identifies other persons (students, employees, service providers etc.), such material will need to be redacted or anonymised as appropriate unless the third parties give their consent to their data being released to the data subject.

6.12.2. Medical Information: Some information may only be furnished following consultation with the individual’s medical practitioner[12] (where such data would be likely to cause serious harm to the physical or mental health of a data subject).

6.12.3. Legal Professional Privilege: Where the data consists of correspondence or advices from the data controller’s legal advisors prepared in contemplation of or during the course of litigation, these will generally be considered to enjoy legal professional privilege and they should not be handed over on foot of a DAR. This exemption applies only to privilege which could be successfully maintained in court proceedings.

6.12.4. Expression of Opinion given in Confidence: This exemption applies where the information constitutes or comprises an expression of opinion given in confidence on the understanding that it would be treated as confidential. It is to be noted that the ODPC states that such opinions must satisfy a high threshold of “confidentiality” to enjoy this exception. The ODPC has issued guidance on the matter, and advises that: “An opinion given in confidence on the understanding that it will be kept confidential must satisfy a high threshold of confidentiality. Simply placing the word “Confidential” at the top of a page will not automatically render the data confidential. The Commissioner will look at the data and its context and will need to be satisfied that the data would not otherwise have been given but for this understanding. Supervisors and managers will not normally be able to rely on this provision as it is an expected part of their role to give opinions on staff which they should be capable of standing over. On the other hand, a colleague who reports a matter relating to an individual in confidence to a supervisor could be expected to be protected by the confidentiality provision”. This ground was recently considered in an ODPC case study[13] where a media organisation received a DAR from one of its employees and held back some data (an email from another employee within the organisation) from the disclosed materials. When a complaint was made by the employee and the ODPC was brought in to investigate the matter, the ODPC made enquiries as to the nature of the working relationship between the author of the email and the employee who had made the DAR. The ODPC held that the author of the email which had been withheld was not a peer of the data subject but, “while not considered by the organisation to be the data subject’s manager, they were in a position of some authority in relation to the data subject”. Accordingly, the ODPC determined that “we were satisfied that the content of the email was supplied in the context of a position of authority. Acting on our advice, the organisation proceeded then to release the previously withheld personal data”.

[10] Please note that there is a separate right under section 3 to be given inter alia “a description of the data and the purposes for which they are kept”. A request made under section 3 must be dealt with within 21 days. However, under section 3, the individual is not entitled to a copy of the data itself.
[11] See the current draft of the “Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)”, available at www.ec.europa.eu/justice/dataprotection/document/review2012/com_2012_11_en.pdf
[12] See SI 82/1989.
[13] Case Study 11 of 2013.

6.12.5. Estimates of Liability: Any notes containing estimates of liability which may be payable on foot of a claim of damages or compensation should be excluded from a DAR.

6.13. It is our experience that DARs can be particularly difficult where they are received from a person who has already initiated legal proceedings against the School, or who is expected to shortly do so (such as a dismissed employee or a disgruntled parent). The ODPC has issued guidelines regarding an employer’s obligations when a DAR is submitted by an employee who is in dispute or in litigation with his/her employer. The guidance states that where a DAR is made by an employee in the course of any on-going disciplinary, grievance or dismissal proceedings, the employer is still obliged to comply with the DAR notwithstanding that there is an on-going disciplinary procedure or on-going legal proceedings. This may often involve handing over materials which are vital to the disciplinary process; however, in reality it is likely that these documents would have already been disclosed as part of the School’s compliance with fair procedures and natural justice.

6.14. How to deal with refusals: Where the School refuses to hand over documentation pursuant to a DAR, or withholds some part of the documentation from a DAR, it is obliged by law to inform the data subject of the reason for the refusal and of the data subject’s right to make a complaint to the ODPC[14]. The data subject is entitled to make a complaint to the ODPC and ask for the matter to be investigated. As noted above, the ODPC can overrule the data controller’s decision to withhold information from a DAR, and can advise the controller to release the relevant information to the data subject.

[14] Section 4(7) Data Protection Acts 1988 and 2003.

7. Common Data Protection Related Scenarios in Schools

7.1. Transfers of Students between Schools

7.1.1. When students transfer from one school to another, both schools generally believe that they should share certain important (and often confidential) information between the parties. It is important to understand that there is no specific, blanket legal requirement to transfer all student records to a new school when a student is moving.

7.1.2. There is a statutory obligation (sections 20 and 28 of the Education (Welfare) Act 2000) on the Principal of the sending school to notify the receiving school of certain information. Specifically, the Principal of the sending school is obliged to notify the Principal of the receiving school of the following matters:
(a) Any problems relating to school attendance that the child concerned had while attending the sending school, and
(b) Such other matters relating to the child’s educational progress as he or she considers appropriate.

7.1.3. In the first instance, if a school intends to transfer any student information, careful attention should be paid to the accuracy of the information. In most cases, where actual hard copy or soft-copy records are to be transferred (e.g. medical reports, IEPs, etc.), it is prudent that any transfer should only be made after obtaining the informed consent and approval of the student and the student’s parent/guardian. In addition, the school’s policy should state what information will be sought from or passed to other schools when the student is transferring. This policy should be on the school’s website and should be given to parents in advance of any transfer.

7.1.4. Where the transferring student has special educational needs, the Education for Persons with Special Educational Needs Act, 2004, is intended to provide for consultation between the Principals of the sending school and the receiving school for the purpose of ensuring that the Principal of the receiving school is informed of the content of the IEP (see section 9(8)). However, this section has not yet been commenced, and accordingly, as stated above, the school should obtain the informed consent and approval of the student and the student’s parent/guardian before any such transmission of documentation.

7.1.5. Child protection records need special consideration when a student is transferring from one school to another. The DES Child Protection Procedures for Primary and Post-Primary Schools state: “Where a child transfers from or leaves a school (including transfers from primary to post-primary) and where the DLP is aware that a child protection report relating to that child has been made to the HSE in the past, the DLP should inform the HSE of the child’s transfer/move”[15].

7.1.6. Pursuant to the Child and Family Agency Act 2013, with effect from 1st January 2014 the duties of the HSE in relation to child protection have now transferred to TUSLA (the Child and Family Agency), so TUSLA should be contacted in the event that a student who has been or is currently the subject of a child protection report is transferring school.

7.1.7. It is important for all schools to understand that they are not the appropriate conduit for sharing safeguarding information with other schools – the statutory agency charged with child protection is now TUSLA and it is for TUSLA to share relevant child safeguarding information on a need to know basis. If an individual employee of the School takes it upon themselves to disclose child protection information to a receiving school, they may be exposing themselves and their employer to claims of defamation and/or breach of privacy. Where a sending school believes that the receiving school should be put on notice of certain child protection information, the sending school should put their concerns in writing and send them to TUSLA, and request that TUSLA confirm in writing that they have shared all pertinent child-safeguarding information with the receiving school.

[15] See paragraph 4.2.7. of the DES Child Protection Procedures.

7.2. Data Protection considerations in relation to teachers’ notes

7.2.1. Many teachers keep handwritten notes in relation to their students or certain class groups. We are often asked whether these notes, insofar as they relate to individual students, could be amenable to a DAR. It is often thought that manual data within a relevant filing system[16] (as defined in the Acts) means solely that information which is stored on the individual’s file, and that the definition does not extend to teachers’ handwritten notes for the reason that the notes are not stored on the student’s file. However, the ODPC has indicated that he would expect to see a school furnish to a data subject all personal data which is filed in a retrievable format. The Commissioner has cautioned that it is not acceptable for personal data to be retrievable by a school for its own use but not to be released pursuant to an access request for the reason that it did not rest on the student’s file. Whether entries contained in a teacher’s handwritten notebook are amenable to a data access request would always have to be determined on a case by case basis, to see whether the data is “retrievable”, is within a “relevant filing system” and/or whether exemptions apply.

[16] A relevant filing system means any set of information that, while not computerised, is structured by reference to individuals, or by reference to criteria relating to individuals, so that specific information relating to a particular individual is readily accessible.

7.3. Unmarried parents requesting information about their child (in the context of family breakdown)

7.3.1. In many cases, the most difficult and confrontational circumstance in which front-line staff are asked for confidential information arises in the context of parental requests for information. At present, approximately one in three births in Ireland occur outside of the institution of marriage, so it is very common for schools to be dealing with non-marital families. Where there is family breakdown in the non-marital context, and the parents cannot agree, the school may be stuck in the middle trying to deal with both the mother (who is automatically the child’s guardian) and the non-marital father (who may not have been appointed the child’s guardian). The situation can become fraught.

7.3.2. Under Article 41.1 of the Irish Constitution, it is enshrined that “The State recognises the family as the natural primary and fundamental unit group of society”, and furthermore, in Article 42.1 the State acknowledges “that the primary and natural educator of the child is the Family and guarantees to respect the inalienable right and duty of parents to provide, according to their means, for the religious and moral, intellectual, physical and social education of their children”.

7.3.3. At present, the Constitutional protection and recognition of the family unit is based on marriage, which does not reflect the modern composition of many families. The Government’s Special Rapporteur on Child Protection, Dr Geoffrey Shannon, has noted as follows: “The constitutional protection afforded to married parents does not extend to the non-marital father, whether that family is based on cohabitation, civil partnership or is a lone parent family”[17].

[17] See page 116 of the Sixth Report of the Special Rapporteur on Child Protection, a Report Submitted to the Oireachtas by Dr Geoffrey Shannon in January 2013, available at www.dcya.gov.ie/documents/Publications/SixthRapporrteurReport.pdf. See also the statements made by Mr Justice Walsh in the Supreme Court in State (Nicolaou) v An Bord Uchtála [1966] IR 567.

7.3.4. The Report of the Constitutional Review Group published in 1996 recommended that Article 41 should be amended to encompass non-marital family units, and to give Constitutional protection to unmarried fathers, but to date this has not yet happened. The Government had announced a General Scheme of a Children and Family Relationships Bill 2014 which is intended to extend guardianship rights to non-marital fathers; however, this has not yet been brought into law.

7.3.5. It is often the case that the unmarried father may not have sole custody of his natural children, where there has been family breakdown. He may request the school to furnish certain information to him about the lives of his children. Schools are advised to be as accommodating and conciliatory as possible when considering sharing information relating to the child’s educational progress, such as reports, invitations to school events, parent teacher meetings etc., as a non-marital parent would be entitled to this information pursuant to section 9(g) of the Education Act 1998. However, when it comes to furnishing a student’s data where that data does not fall within the categories outlined in section 9(g), the school will have to bear in mind that in those circumstances, the data subject is the child, not the child’s parent. Accordingly, the school owes a duty of confidentiality and privacy to the child.

7.3.6. Where non-marital, non-custodial parents are separated or estranged, it can be difficult for one parent to accept that they may have less involvement in their child’s life. They may feel that they do not have all the information in relation to their child’s life in school. Accordingly, the parent may wish to make a section 4 DAR, and use this as an opportunity to “look into the life of the child”.

7.3.7. Where a data access request is made by a parent on behalf of their child requesting personal data relating to their child, it is advised that this should be interpreted as the parent/guardian making the request on behalf of the child where the child is too young to exercise his or her rights to access his/her own data. In such a case, it is suggested that the access materials should be sent to the child, not to the parent who requested them. This means that the documentation should be sent to the address at which the child is registered on the school’s records, and should be addressed to the child.

7.3.8. As access materials are sent to the child themselves (not to the parent who made the request), the non-custodial parent may feel frustrated by the lack of information. In such circumstances, the school may invite the parent to make an application under Section 11 of the Guardianship of Infants Act 1964, which enables the court (on application by a guardian) to make a direction on any question affecting the welfare of the child. Where a court issues an order stating that a school should make certain information available to a parent, the school will have a legal basis to release the data on foot of the court order.

7.4. An Garda Siochana requesting information from the School (Section 8(b))

7.4.1. The query as to what information the school is permitted to give to An Garda Siochana often arises in the context of the Gardai requesting certain information from the School as part of a Garda investigation into a criminal matter. Section 8 of the Data Protection Acts states that the restrictions on data processing do not apply in certain circumstances. One of those circumstances relates to the work of the Gardaí in detecting and prosecuting crime: “Any restrictions in this Act on the processing of personal data do not apply if the processing is: […] Required for the purposes of preventing, detecting or investigating offences, apprehending or prosecuting offenders or assessing or collecting any tax, duty or other moneys owed or payable to the State, a local authority or a health board, in any case in which the application of those restrictions would be likely to prejudice any of the matters aforesaid.”

7.4.2. Where the School receives a request for information from the Gardaí, the ODPC advises the following: “If a data controller is approached by a law enforcement authority or by a tax collecting authority, which seeks to have personal data disclosed to it under this section of the Data Protection Act, it is a matter for the data controller:
a) to satisfy itself that the provisions of this section are met, for example by establishing the bona fides of the authority and by obtaining assurances that the disclosure is actually necessary, and not merely of side interest, for the investigation of an offence; and
b) to decide whether or not to comply with the request for disclosure.
While this section of the Data Protection Act lifts the restrictions on disclosure by a data controller to a law enforcement authority or to a tax collecting authority, this section does not impose any obligation on a data controller to comply with the request for disclosure”[18].

7.4.3. It is our opinion that in some circumstances, a School may not be able to ascertain whether the disclosure is actually necessary and not merely of side interest for the investigation of an offence. It is therefore important to note that in certain circumstances, a warrant may be required, and the School should take advice on what information may be disclosed to An Garda Siochana without a warrant, or whether An Garda Siochana should be invited to produce a warrant for the information to be furnished.

18 See “Disclosures permitted under section 8 of the Data Protection Act”, available at: www.dataprotection.ie/docs/Disclosures_Permitted_under_section_8_of_the_Data_Protection/237.htm

7.5. Releasing personal data to third parties – Officials/State Agencies

7.5.1. In his 2013 Report, the ODPC stated that 6.9% of all complaints investigated by the ODPC related to disclosure of personal data.19 So when a third party comes to the School seeking information, the School must satisfy itself that the requesting party is entitled to the information and that there is a legal basis for disclosing it.

7.5.2. Schools often receive requests for confidential information from official sources, such as the Department of Education, the Department of Social Protection, TUSLA and An Garda Siochana. The fact that the requester is a government department or another official source does not mean that the School’s Data Protection regime can be relaxed. The School must still ascertain whether it is legally permitted to disclose the requested information, and the following steps should be taken at a minimum:
a) the requester must be asked to verify their identity;
b) the requester should be required to put the request in writing, citing the legal basis upon which the information is sought; and
c) the requester should be asked to clarify the legal basis for requiring the School to disclose the information (a power to ask for information is not the same as a power to compel its disclosure).

7.5.3. As stated above, there are some circumstances in which the restrictions placed on data controllers will not apply. The Data Protection Acts recognise that the individual’s right to privacy is not unlimited, and that there will be some circumstances in which that right must yield to the needs of a civilised society. Section 8 of the Data Protection Acts sets out the circumstances in which the restrictions on the processing of personal data do not apply. One such circumstance is where the processing is “required by or under any enactment or by a rule of law or order of a court” (section 8(e)).

In relation to that ground, the ODPC has drawn a distinction between situations where you are under a legal obligation to disclose personal data (which takes precedence over the individual’s right to privacy under the Data Protection Acts) and situations where you have a statutory discretion as to whether or not to make the information available. The ODPC has found that “a statutory discretion to make information available did not come within the scope of section 8(e)…and that… the restriction on disclosure of personal data remained in force”.

7.5.4. That finding arose in the context of a complaint made against a local authority, in which the ODPC noted: “all data controllers, and in particular those in the public sector, should note that a statutory discretion to make personal data publicly available is not the same as a statutory requirement to do so. It is only the latter that takes precedence over the normal application of data protection principles”. Accordingly, it is advisable always to proceed cautiously, and to ensure that the relevant situation really does come within an exemption before seeking to rely on that exemption as the basis for releasing personal data to a third party.

7.5.5. As stated above, staff cannot assume that, simply because a request comes from an official source, the enquirer is legally entitled to receive the information. There will be many circumstances in which an official source requests information but the School has no legal entitlement to furnish it.

7.5.6. The State bodies which usually seek information about students include the DES, the HSE, local authorities, the Child and Family Agency, the Department of Social Protection, and the Gardaí. In some cases the information is sought so that the statutory agency can carry out a statutory function. Sometimes, however, the agency is taking a short-cut and regards the school as the easiest way to obtain the information. In many of the cases we come across, the request for personal information is made by a state agency that has no legal grounds to be provided with it; we have even come across cases of State agencies citing a non-existent piece of legislation as the basis for their request. The rule of thumb should be that if an employee is in any doubt, they should not release the information and should alert their line manager immediately.

19 This low figure belies the complications revealed by the Edward Snowden disclosures, which exposed the international disclosure of personal data by major internet and telecommunications companies to US and European intelligence agencies.

7.6. Taking Photos of children at School Events

We are often asked for legal advice on the data protection implications of taking photos of children at school events. Two separate circumstances need to be considered:

7.6.1. Where the school takes the photos (e.g. for putting up on the school notice board or on the school website):

The guidance issued by the ODPC20 is that the clear and informed consent of the parents or guardians of the pupils must be obtained before any use is made of the child’s data, which includes photos taken of the child. That guidance was given in a case study relating to a complaint by the parent of a school child who objected to the School having put photos of pupils on the School website without the parents’ knowledge. The ODPC’s view is similar to that of the UK Information Commissioner, who states: “The Data Protection Act does not prevent parents and teachers from taking photos of events such as the Christmas play or sports day - asking permission to take photos is normally enough to ensure compliance”.21

We advise schools that at enrolment they should explain to parents the occasions on which photographs may be taken of their children (e.g. sports day, school concerts) and the uses to which their child’s photograph will be put (e.g. uploaded to the school website, printed in the school newsletter or yearbook). If the school intends to transfer the photos to a third party (e.g. a local newspaper), that must be explicitly disclosed to the parents and their permission obtained, in order for the consent to be free, fair and informed. The school should obtain the specific informed consent of parents for the taking of photographs. It is recommended that schools seek consent at the time of enrolment to cover the entire period that the pupil will spend at the school. If parents/guardians later wish to withdraw consent for their child’s photograph to be taken, the onus should be on the parent/guardian to notify the school in writing.

7.6.2. Where parents or family friends take photographs or record images at school events (e.g. for family photo albums):

Taking photos or videos for purely personal, family or recreational purposes does not come within the remit of the Data Protection Acts. Section 1(4) of the Act specifically states: “This Act does not apply to…(c) personal data kept by an individual and concerned only with the management of his personal, family or household affairs or kept by an individual only for recreational purposes.” However, while on the school grounds at the invitation of the school, parents and friends must adhere to the ground rules imposed by the school, so it is for the school to decide whether it wishes to allow videos or photographs to be taken by parents/friends during the event. Quite apart from the Data Protection implications, individuals have Constitutional rights to privacy. If the school decides that it does not want parents or family friends to take photographs or use recording devices at such occasions, it would be prudent to say so in the promotional material advertising the event (such as a school newsletter telling parents about the event) and to remind everyone of this decision at the beginning of the event. Alternatively, the school may decide that parents/guardians/invitees are permitted to take photographs or videos for private, personal use only, but request that they not be uploaded to any website where others can view them (e.g. Facebook/Twitter).

20 Case Study 10/1998
21 www.ico.gov.uk/for_organisations/sector_guides/education.aspx


DISCLAIMER

This paper is intended as a brief summary of the principal points and contains general information only. While care has been taken in preparing these notes to ensure their accuracy, they cannot be exhaustive and are no substitute for detailed examination of the relevant statutes, cases and other materials when advising clients on particular matters. The materials do not constitute legal advice on any particular or general matter and are provided for general information purposes only. Millett & Matthews Solicitors have used all reasonable endeavours to ensure that the information contained in this paper is as accurate as possible at the time of publication; however, Millett & Matthews Solicitors make no representations or warranties of any kind whatsoever, express or implied, in relation to its accuracy, completeness, quality or suitability. No responsibility is taken by Millett & Matthews Solicitors or the author for any errors or omissions. You should always obtain specific legal or other professional advice in relation to Irish law for each specific matter. You should not act or refrain from acting on the basis of any material contained in this paper.
