How does the DPO role work? How can we make it easier for our DPOs to do the job?
GDPR sets out many tasks for the DPO. There is a need to check the integrity of the role itself as well as the compliance of the organisation. To help us understand the different aspects of the role that different sectors would require, we did a series of case studies to look at how the role might work in practice.
We considered Rowena, a Business Manager at a school who has to manage her responsibilities as DPO and fit them into her busy work timetable. Rowena uses the annual calendar of suggested checks in the Data Protection Consulting DPO Support Package to plan her compliance year around the peaks and troughs of her other work.
Rowena can take advantage of quieter times, for example when school is on holiday. With this measured approach Rowena is able to fit in data protection compliance checks. By using the mini audit forms in the DPO Support Package, she can ensure that she does not waste any time thinking about how to approach the checks needed. The forms also provide a ready-made record of the key aspects of the checks carried out, which helps towards establishing evidence of Accountability.
The mini audit forms also facilitate delegation of some of the compliance checks to student teachers and teaching assistants to help with time management and to improve their awareness of data protection issues. This is one of the tips for managing the DPO role suggested in the DPO Support Package. Several colleagues have an interest in data protection and volunteer to support Rowena provided that their responsibilities can be planned around peaks and troughs in their teaching responsibilities. Again, the flexibility of the DPO Support Package means that Rowena can schedule audit tasks to fit colleagues’ availability. To meet accountability requirements under GDPR, Rowena documents the reasons for delaying some tasks and explains the need for flexibility in her DPO records.
We imagine the findings when a Teaching Assistant is asked to check how photographs are obtained, managed and stored at the school.
Taking photos with own mobiles
Ofsted requires evidence of student development through the year and teaching staff regularly take photographs of the students on trips and their work to help build the evidence required. Teachers regularly use their personal mobile phones to take the photographs. There is only one school camera and it tends to be forgotten when teaching staff take students on field trips and visits to places of interest. So teachers improvise by using their mobiles.
Taking photographs of students on a personal mobile is strictly prohibited under school policies and procedures because:
- It is inappropriate for staff to have photos of students
- To get the photos into school records they are emailed, usually unprotected, another breach of internal policies and procedures
- Teachers might not delete the photos after sending them to the school, and so retain a copy
- While photos are held on personal mobiles the school must include a search of mobile phones when responding to the exercise of subject rights such as subject access, requests for erasure of data, restricting data processing etc
- Photos on mobile phones may not be backed up and could be lost
- Unless there is a policy in place to regulate use of own devices (a Bring Your Own Device Policy and Procedures) then mobile phones might not have any protection, putting the photos at risk of unauthorised access or deletion
Forms of consent to the use of photographs
Parents are asked for consent to photos of their children being taken and used for a number of purposes including displays in classrooms, evidencing learning journeys and records of achievement. The consent form also covers the standard school photo taken by a commercial photographer for sale to parents.
Rowena is concerned that the wide use of photos by the school to illustrate publications such as the School Prospectus is probably not clear from the wording of the consent form. There is also concern that the huge increase in the use of photos on social media and the school website raises issues around the longevity of the photos and the lack of control once they are published to the internet.
Rowena needs to review the wording of the consent forms and restrict the use of photos of the students until an appropriately detailed consent form is available.
The Data Protection Consulting DPO Support Package recommends that the DPO review complaints to identify any that involve a data protection issue. Further issues with photographs and consent forms are highlighted when Rowena reviews the complaints file:
- Particularly good photos of students may be held and used for longer than stated on the consent form without seeking further consent from the parents, for example on video loop in the reception area to illustrate and promote the typical activities of the school
- Staff are not aware that students who object to the use of their image are in fact exercising their legal right to object to the use of their personal data. Children have data protection rights and may exercise them without input from their parents in some circumstances
- There are circumstances when the intended use of the photo requires further explanation and context in addition to the generality of the consent form. Imagine a parent agrees to the use of a student’s image in the School Prospectus thinking that it will be a small cameo on the inside pages but when the prospectus is published the image is used on the front cover, A4 size. For processing to be fair it is important to clearly explain exactly how personal data will be used. If the standard consent form is inadequate either provide supplementary information to give it context or seek the consent of the individual if the proposed use of the personal data changes.
Photographs of children in wheelchairs
Rowena’s investigation would probably find that staff steer well clear of photos of students with disabilities, bearing in mind that a physical disability is personal data relating to health and therefore “special category data” requiring additional conditions for lawful processing.
We would suggest that Rowena develop an appropriate policy and procedure for use of photos which may include special category data and give clear guidelines to colleagues for their safe and compliant use.