DPO Case Files – The Confidentiality Conundrum
Each month, we will feature a data protection issue raised by a school. We will not identify the school, but share their dilemma and how it was resolved, so that other schools can consider their response in the same circumstances.
It’s a well-worn phrase, but your school’s data protection will only be as good as your weakest staff member. Data breaches occur when people don’t follow your procedures, either intentionally or unintentionally.
But what if you become aware that a member of staff has been discussing sensitive personal information of pupils and adults with a third party? Over the last year, we have had a number of reported data breaches involving staff sharing or accessing confidential information. For obvious reasons, we won’t be more specific!
These incidents will be dealt with as HR matters and appropriate disciplinary action will be taken. However, they are also personal data breaches, so the school should assess the risk to the individuals affected and record, and where necessary report, the breach in line with advice from its DPO.
Unless the breach is unlikely to result in a risk to individuals' rights and freedoms, the school must report it to the Information Commissioner's Office (ICO) within 72 hours of becoming aware of it; where the risk is high, the affected individuals must also be told. The school will need to show that data protection is part of compulsory induction training and that it provides regular compulsory updates to all staff. It will also need to show that staff have agreed to comply with the school's data protection-related policies (e.g. the data protection policy, a signed code of conduct, a signed staff acceptable use policy).
If the data controller can demonstrate that it has robust policies and procedures in place, and that it has taken the breach seriously and acted appropriately, then the ICO's response should be proportionate.