During the pandemic, more staff will be homeworking or agile working than ever before. For some trusts, schools and individuals, this will be a new experience. It is important to remember that data protection rules do not prevent homeworking or stop staff from working from their personal devices. However, data protection law does require organisations to make sure that personal data remains protected when it is being handled away from the building or on personal devices. For those organisations which are new to agile working, the data security implications could be a challenge.
Agile working and the use of personal devices increase the security risks around personal data. The trust / school remains responsible for ensuring that any personal data that is handled away from school is processed in accordance with GDPR. In particular, Principle 6 of the GDPR requires the trust / school to take appropriate technical and organisational measures to protect personal data.
Your trust / school should have a documented policy that deals with data protection / GDPR compliance when working remotely. School staff should be reminded of the policy, and that they remain responsible for handling personal data securely even when working away from school. The ICO would expect any device used to process personal data (whether school issued or personal) to be encrypted with a password. Family members and friends should not be able to see or access any personal data held electronically or manually.
Will we be given extra time to deal with a Freedom of Information request or a Data Subject Access Request?
The Information Commissioner’s Office (ICO) has published a statement acknowledging that resources (finances and people) may be diverted away from dealing with information requests during the pandemic. Whilst it cannot extend statutory timescales, it will not be penalising public authorities for prioritising other areas or adapting their usual approach during this extraordinary period.
Those schools that are continuing to receive information requests in spite of the pandemic should therefore take comfort from this.
However, our advice is not to use the pandemic as a blanket excuse for not dealing with information requests. Where you genuinely cannot process a request due to lack of staff, this should be documented and communicated as quickly as possible to the requestor.
Remember, the usual statutory timescale under GDPR for dealing with a Data Subject Access Request is without undue delay and at the latest within one month of receipt, although that can be extended up to 3 months if the request is complex or you have received a number of requests from the individual.
If you are a public authority that receives a freedom of information request, you usually have 20 school days or 60 working days following the date of receipt to comply with the request, whichever falls soonest.
A ‘school’ day will be any day on which there is a session and the pupils are in attendance.