Date updated: Wednesday 3rd April 2024

What is the change?

One of the most notable changes proposed by The Data Protection and Digital Information Bill (the “Bill”) is the proposed change to the definition of personal data. At present, personal data covers any information that relates to an identified or identifiable living individual. The Bill proposes to redefine and potentially reduce the parameters of what ‘personal data’ is by changing the circumstances in which an individual can be considered ‘identifiable’. Under the Bill, personal data will only be processed if individuals are identifiable by ‘reasonable means’ at the time of processing. 

What could it mean?

Before sharing information with a third party provider, it will be necessary for controllers to establish whether the information will comprise personal data. This means the disclosing party must first determine whether the individuals will be identifiable by the ‘reasonable means’ the third party provider has in place. The change could mean that the Bill reduces the range of circumstances where personal data is being processed by a third party. For example, if an Edtech provider does not match data with any relevant identifiers (even if the identifiers are held by the Edtech provider), then its activities may fall outside the scope of the Bill.

What do you need to do?

The Bill may yet be amended and so too the changes to the definition of personal data. Education providers should make sure they understand the processing that is being undertaken on their behalf by Edtech processors, so that they are in a position to understand the effect of changes to the definition of personal data introduced by new legislation. Stone King has extensive experience of advising on Edtech implementation and use, and can advise on due diligence prior to engaging Edtech providers and data sharing arrangements.

Please contact the Information Law Team for further guidance on implementing Edtech solutions.