General Data Protection Regulations (GDPR) May 2018


We have obtained the following information regarding GDPR (we do not accept any liability regarding this information)


Clerks-and-GDPR (5).pdf Clerks-and-GDPR (5).pdf
Size : 731.792 Kb
Type : pdf


A member of the NLAGB executive had contacted the NGA (National Governance Association) advice line after a query was raised with them from a Board of governors about GDPR and found that NGA are about to publish a guide for governors on GDPR and that we will put a link to this on our website as soon as we are notified that it is available.

 

In the meantime here is the response to our query which we felt might be useful information for all heads and governors to be aware of immediately

 

NGA advice relating to publishing governor information on the school website

 

To summarize your query, you would like to confirm whether the information which schools are required to publish concerning their governors contravenes the General Data Protection Regulations (GDPR.)

Article 6, section 1 of the GDPR sets out the six grounds on which data can be lawfully processed:

“1. Processing shall be lawful only if and to the extent that at least one of the following applies:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

(c) processing is necessary for compliance with a legal obligation to which the controller is subject;

(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

 

In this case, it is grounds (c) and (e) which justify the publication of certain governor details on the school website.

 

The statutory guidance on governing body constitutions in maintained schools states:

 

“32.Governors hold an important public office and their identity should be known to their school and wider communities. In the interests of transparency, a governing body should publish on its website up-to-date details of its governance arrangements in a readily accessible form. This should include:

 

• the structure and remit of the governing body and any committees, and the full names of the chair of each;

• for each governor who has served at any point over the past 12 months:

• their full names, date of appointment, term of office, date they stepped down (where applicable), who appointed them (in accordance with the governing body’s instrument of government),

• relevant business and pecuniary interests (as recorded in the register of interests) including:

 

• governance roles in other educational institutions;

• any material interests arising from relationships between governors or relationships between governors and school staff (including spouses, partners and close relatives); and

 

• their attendance record at governing body and committee meetings over the last academic year.”

 

As such, there is a clear obligation on the school to publish this information, which means that processing personal data in this manner can likely be justified by the “public interest.”

 

Academies are also required to publish the same information according to the Academies Financial Handbook. Section 2.5.2 states:

 

“2.5.2 In the interests of transparency, an academy trust must publish on its website upto-date details of its governance arrangements in a readily accessible format. This must include:

 

· the structure and remit of the members, board of trustees, its committees and local governing bodies (the trust’s scheme of delegation for governance functions), and the full names of the chair of each (where applicable)

· for each member who has served at any point over the past 12 months, their full names, date of appointment, date they stepped down (where applicable), and relevant business and pecuniary interests including governance roles in other educational institutions

· for each trustee and local governor who has served at any point over the past 12 months, their full names, date of appointment, term of office, date they stepped down (where applicable), who appointed them (in accordance with the trust’s articles), and relevant business and pecuniary interests including governance roles in other educational institutions. If the trust’s accounting officer is not a trustee their relevant business and pecuniary interests must still be published.

· for each trustee their attendance records at board and committee meetings over the last academic year

· for each local governor their attendance records at local governing body meetings over the last academic year”

 

As such, schools are required to publish the interests and attendance records of those governing. GDPR allows personal data that was processed in order to meet these obligations to be justified as either meeting a legal requirement, or satisfying a public interest. The ICO is clear that obligations do not have to be explicitly set out in statute, and sources such as statutory guidance are sufficient:

 

Article 6(3) requires that the relevant task or authority must be laid down by domestic or EU law. This will most often be a statutory function. However, Recital 41 clarifies that this does not have to be an explicit statutory provision, as long as the application of the law is clear and foreseeable. This means that it includes clear common law tasks, functions or powers as well as those set out in statute or statutory guidance.

 

You do not need specific legal authority for the particular processing activity. The point is that your overall purpose must be to perform a public interest task or exercise official authority, and that overall task or authority has a sufficiently clear basis in law.


        Further information can be found on this website under National News 2018 particulary under NGA News Briefings April 2018.

 

Page last updated 5 July 2018

Make a free website with Yola