A Prolific Month for DfE Updates

It doesn't seem that long ago that a well-placed contact was advising me that those of us in education administration would be waiting much longer than normal for responses from the Department for Education (DfE). This, she told me, was because so many staff there were being transferred to Brexit-related duties elsewhere in government. Soon after that delay in response time began indeed to be noticeable, there was a long period when the delays could (probably legitimately) be ascribed to Covid-related furloughing.

Even allowing for my profession's tendency to expect unrealistically speedy answers to complex questions, there were times over the past three years or so when many of my colleagues opined that getting blood out of a stone would be a breeze compared to getting a response from the DfE. That was, of course, unfair but the DfE have certainly made up for any perceived lack of responsiveness since the start of this year. January and February 2023 have seen a raft of documents coming from the department, and a lot of them fall into a category a Head of School once described to me as "We pay you to read this stuff so we don't have to!"

(I think he was only half-joking).

I'll summarise some of the key content here but if you want to go to source, the DfE website is the place to look for the original documents. For ISC-member schools the ISI's website and portal is another useful site to bookmark.

Let's start with a document published on 23rd January called Guidance on Applying for Approval to Change the Registered Details of an Independent School (commonly known as a Material Change Application).

This non-statutory guidance applies to all independent schools including boarding schools, and it puts everything an independent school needs to know in one place for the first time.?The guidance states that independent schools must make a request for material changes to registered details for the following:

·??????proprietor details

·??????school address details

·??????age range of pupils

·??????school capacity

·??????gender of entry

·??????boarding provision

·??????special educational needs

You probably already knew that an independent school must not make a material change without having applied for and obtained the Secretary of State’s approval for it. This is mainly because material changes may impact on an independent school’s ability to meet the independent school standards.

Material changes are not common, but they occur in the life cycles of schools every few years or so and they include matters such as the appointment of a new chair of trustees, an increase or decrease in a school's boarding capacity or the extension of school into a new year group (for example the introduction of a sixth form or an early childhood centre). It's unlikely a material change would be overlooked by a school compliance officer, but the DfE has at least clarified where such changes must be reported (and where they should not be reported).

All schools, including independent schools, are required to update their record on GIAS (Get Information about Schools). Schools are prompted every sixty days to update routinely, but they should also update as the change occurs, unless the change constitutes a material change, in which case the process outlined in the new guidance should be followed.?

Examples of changes that can be made by an independent school on GIAS include a change of headteacher or change of contact details such as email address.

The DfE clarified in January that some fields cannot be edited on GIAS and where this is the case (for example changes in enrolment numbers within registered capacity), reporting of the change can be delayed until the next annual census - when it should be recorded on the school’s?School Level Annual School Census (SLASC) return. The DfE also clarified that the SLASC is not to be used to report material changes.?

This clarification is welcome as it follows an extended time during which changes could not be reported on the GIAS portal, and repeated requests for assistance went unanswered from the DfE.

On 3rd February a number of documents were updated and reissued by the DfE that will be of interest to data protection officers in schools. At many schools, staff will have spent a considerable amount of time trawling through these to ensure that they remained compliant with the requirements. It is also highly possible that some of the content will inform the lists ISI inspectors are given to refer to when visiting schools on Regulatory Compliance Inspections.?

I picked out a few items of interest from this collection of documents to comment on below. My bold text indicates the general area of focus the guidance is addressing. I've chosen to concentrate on content related to school policies and data privacy responsibilities because those areas happen to be priorities in my current work. You may have different priorities but this link will take you to the page where the DfE publishes its latest updates. I hope that will save you some legwork.

Part of the workload of all data protection officers is dealing with subject access requests. I've written on this subject before, and I find I hold a different view of these requests from many data protection specialists, believing as I do in the value of promoting data subjects' rights. Basically, I think most data controllers need to do a much better job in this area. Yes, some people have learned to weaponise subject access requests and use them as vehicles for causing mischief and bother. But there are relatively easy escapes from those traps. On the whole data controllers can help themselves by getting better and smarter at recognising their responsibilities when they process other people's data.

For most subject access requests the data controller has 30 days to meet the request. However, under the DfE guidance when schools in the maintained sector receive a subject access request for a child’s educational record*, they are now advised to ensure access to that is provided within 15 days. We are left to assume that the same timeline applies to the independent sector because the DfE defers to the guidance published by the Information Commissioner's Office (the ICO) on education data - and the ICO applies the same standards to maintained schools, independent schools and academies.

Having only half the amount of time the ICO normally allows for compliance with a subject access request may seem challenging. However, a school record is seldom a difficult document to locate and send on (unless it has been archived for some reason or unless the record is associated with an exempt category such as a police file or a child protection order). It is therefore not unreasonable to expect schools to comply swiftly with such requests, and I do not foresee this being a problem for most schools.

Related to this, the DfE specifically requires schools to check that any parent requesting the data of a pupil aged 13 or over has the pupil’s consent to do so.?

I know from my meetings with other data protection officers over the years that I am far from alone in having had an issue with this situation before now. Although I have advised Heads, Principals etc. to use the age of 13 as a rule of thumb, unlike Scotland (where the age is 12) England and Wales do not define the age where a child can legally take responsibility for giving their own consent for their personal data to be?processed.?

Instead, the ICO indicates that the age of the child may not be the key consideration and that the decision should be based on the child’s maturity. While we can all agree this is sensible advice, it risks placing schools in a difficult position – potentially becoming the ball in a game of piggy-in-the-middle between parents and children who want different things (for example, a 13-year-old giving consent to the use of their image where the parents do not want the image published, or vice versa).?

The publication of this guidance from the DfE now allows schools to cite the department’s requirement that the parents obtain their child's consent before any request for the data of their children aged 13 and up can be met.?A statement reminding parents that this is now departmental advice might be a useful addition to your school's Privacy Notice, possibly with a link to the guidance itself.

It's worth remembering that consent is not the only (and certainly not the best) lawful basis on which schools may process personal data. Students will not be able to withdraw their consent for schools to share information such as report cards, discipline notices or similar communications with parents because these documents are usually shared under a different lawful basis (such as contracts or legal obligation). But the issue of children's consent is an interesting one, and I will address it in a future post.

The new collection of updates also included information about the role of DPOs in schools. There is little in the guidance that will strike anyone as genuinely new or radical, but I do think it constitutes a reminder of the importance of maintaining an up-to-date Record of Processing (RoP). Setting up an RoP can be time-consuming at the outset. But it is a worthwhile investment of time. A well ordered RoP will usually be a school's most important governance instrument for data processing, as well as a hugely helpful tool in the case of a successful cyber attack.

When schools introduce new initiatives there are very often implications for data processing, and the RoP becomes the checklist for ensuring everything is done correctly. For example, recently in my school district we looked at how we were running "Shadow Days" for prospective new students across all grade levels.

Shadow days can be informative for both schools and parents, and they can helpfully inform admission decisions for both parties. They are, however, unusual in that schools suddenly have a clear and present need for potentially sensitive data about young people who have no connection with the school other than their parents' (possibly transitory) interest in enrolling them there.

Under normal circumstances, schools would not have a purpose for processing the special category data of a vulnerable person with no connection to the school - an act that on its own prompts the need for a data protection impact assessment (DPIA). But in the case of a Shadow Day, you would clearly need to know that, for example, the five-year-old coming to your EYFS setting has a severe shellfish allergy, or carries an auto-injector, or is asthmatic or has Type 2 diabetes etc.

In such cases, the RoP becomes your assurance that all the required precautions have been taken and that the data itself will be securely disposed of once the need for its retention by the school has expired. Some RoPs also host written DPIA forms with checklists and drop-down menus offering reminders about what needs to be done. One I used recently also featured a link to the ICO's template for Legitimate Interest Assessments. I hadn't seen that form for a while as we tend to avoid using Legitimate Interest as a lawful basis where alternative options exist, but it is a sound tool - and as it was compiled by the country's data protection regulator, its thoroughness is assured.

The DfE's February update also included a reminder to schools to check all their policies to ensure they are compliant with data protection legislation. They referred schools to the list of statutory policies - which was last updated in March 2022. I was pleased to see that my own school group has up-to-date policies in all the required policy areas. It's worth checking this on a regular basis. Think of it as akin to checking a car's tyre pressures or oil level.

The DfE has also now updated the guidance on data retention and managing data breaches. The department continues to refer schools to the IRMS toolkit from 2019, which is publicly available. If you are checking your school's retention schedule against this (widely used - and very well structured) model, do remember that the IICSA published updated retention guidance in November 2022 that may be relevant to you (though for obvious reasons, one hopes not).

Finally, earlier this month (February 2023), the DfE contacted schools to inform them about the new emergency alert service in England and Wales, and to request they inform their parent communities.

Emergency alerts may be sent in response to situations where lives are threatened. These include severe flooding, fires, extreme weather and public health emergencies.?

The DfE provided the following link to be communicated to parents: About Emergency Alerts - GOV.UK (www.gov.uk)

I hope you have found this, necessarily brief, tour through a fraction of the DfE's current updates helpful. We can all feel a bit like King Cnut against the tide at times dealing with this stuff. But we are not fighting alone - and we can all support our fellow school administrators around the country and help each other remain aware of, understand and implement the required steps as they come our way from a department that (we should remember) is there to serve us.

* The DPA 2018 defines ‘education data’ as:

• personal data which consists of information that forms part of an educational record; and
• is not data concerning health.

The definition of ‘educational record’ in the DPA 2018 differs between England and Wales, Scotland and Northern Ireland. Broadly speaking, however, the expression has a wide meaning and includes most information about current and past pupils that is processed by or on behalf of a school. The definition applies to nearly all schools including maintained schools, independent schools and academies.

However, information a teacher keeps solely for their own use does not form part of the educational record. It is likely that most of the personal information a school holds about a particular pupil forms part of the pupil’s educational record. However it is possible that some of the information could fall outside the educational record, eg information a parent of another child provides about the pupil is not part of the educational record.