GDPR: Public authority status - what does this mean for academy trusts

What do schools need to look out for and do differently to other organisations? No matter what type of organisation you are there are some key steps you should be taking to prepare for the General Data Protection Regulations (GDPR) including data mapping, analysis of the lawful basis for processing data and implementation of changes to policies and procedures. In this article we highlight particular issues arising for academy trusts.

Public Authority status

Those familiar with academies will know, academy trusts are already designated as public authorities for the purposes of Freedom of Information Act queries. There is no separate definition of a "public authority" in the GDPR and whilst the government has power to redefine particular organisations and remove public authority status for the purposes of GDPR it has expressed no intention to do so for academies.

What does this definition mean for academy trusts?

Appointment of a data protection officer (DPO)

All academy trusts must appoint a DPO whose tasks include;

  • advising the academy trust with regard to its data protection obligations;
  • monitoring the academy trust's compliance with GDPR; and
  • first point of contact for ICO and data subjects.

The DPO should report at Board level but should operate independently and will have statutory protection against dismissed or being penalised for performing the role. The DPO maybe an employee providing there is no conflict with their existing professional duties or the position may be contracted out.

"Legitimate interest" basis for processing data will not apply

Generic advice on GDPR states that all organisations processing personal data must do so within one of the six prescribed legal bases; these are:

  1. consent;
  2. performance of a contract with the data subject;
  3. to comply with a legal obligation;
  4. to protect the vital interests of the data subject;
  5. legitimate interest pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject; or
  6. performance of a task carried out in the public interest or in exercise of official authority.

Academy trusts, will have additional hurdles to overcome if seeking to rely on (1) consent and in any event can not rely on (5), legitimate interests.

Consent as a basis for processing data may not be appropriate

Academy trusts will not necessarily be able to rely upon the legal basis of consent to justify processing personal data either. In draft guidance published earlier this year the Information Commissioner's Office (ICO) confirmed it considers public authorities' use of consent to be unfair where there is an imbalance of power. It says:

Consent will not usually be appropriate if there is a clear imbalance of power between you and the individual. This is because those who depend on your services, or fear adverse consequences, might feel they have no choice but to agree – so consent is not considered freely given. This will be a particular issue for public authorities and employers.

In the context of an academy trust this will be most relevant when processing the personal data of employees, parents and pupils.

The draft ICO Guidance also states consent will not be a fair basis for processing where you would still process the personal data on a different lawful basis even if consent were refused or withdrawn. In such circumstances the ICO considers seeking consent from the data subject to be misleading and inherently unfair, presenting the individual with a false choice and only the illusion of control. Therefore it may not be lawful to rely on consent as a type of "catch-all" where there is some other more relevant basis for processing.

To view the full article, please click here

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.