GDPR AND DATA PROTECTION EXPLAINER REGARDING SCHOOL TRIPS.
The General Data Protection Regulation (the “GDPR”) came into effect on May 25th 2018 and has heightened awareness with regard to the collection, use, storage and deletion of personal data. The detail of the GDPR is somewhat complex, but the core principles are logical; (i) do not collect more information than is necessary for the purpose required, (ii) be clear and transparent about what you intend to use it for, (and obtain consent if you wish to use it outside of the core purpose for which it was collected) (iii) keep it safe, (iv) do not retain it for longer than is necessary, (v) provide the data subject with the right to access, amend and delete personal data you hold, and (vi) if passing the personal data on to a third party for processing only then do so based on a contract (usually a Data Processing Agreement). This explainer assumes that all schools have a basic level of understanding regarding what personal data is, and what it means to be a controller and/or a processor.
In the context of school group bookings, a number of concepts arise frequently, and we attempt to address these as clearly and simply as possible below. (Note: the GDPR is complex and the Topflight for Schools (“TFS”) explanations below should not be substituted for taking appropriate advice regarding your own obligations as a school).
WHAT STUDENT’S PERSONAL DATA IS REQUIRED FOR TFS SCHOOL TRIPS?
WHO IS COLLECTING THE “SCHOOL TRIP DATA SET”, IS IT TFS, THE LEAD ORGANISER OR THE SCHOOL?
There are variables, but the Participants generally do not provide data directly to TFS (save perhaps for credit card or payment information). The Participant’s data is usually collected by the lead tour organiser. TFS understands that the organiser is usually an employee of the school and would not be gathering the data otherwise than for the purposes of a “school trip”. TFS believes the safest interpretation is that as the lead organiser gathering the School Trip Data for the TFS trip, it places the school in the position of “Data Controller”. In principle this does not materially alter the school’s responsibilities, it already holds the vast majority of the data comprised in School Trip Data Set. However, this data was gathered in a different context, for different purposes, and there is some additional data (such as shoe sizes, dietary requirements, medical conditions, skiing experience etc.), which is newly gathered for the purpose of the TFS trip.
HOW SHOULD THE “SCHOOL TRIP DATA SET” BE COLLECTED AND HANDLED BY THE SCHOOL?
The data collection process is a matter for each school to decide, in conjunction with the lead organiser within each school. The ultimate requirement of TFS is that the School Trip Data Set must be inputted to the TFS management system. This is usually undertaken by the lead organiser through the TFS Portal.
Some schools collect personal data by using paper forms completed by each Participant (or their guardian), or they gather it via email or verbally, and subsequently populate spreadsheets or tables with the collected data.
Other schools and lead organisers use a “Mail Chimp” type system, where individual Participants each receive communication via email which requires them to populate specified information. When inputted, the data is populated into an online “Google Docs” type document, which is both password protected and securely hosted, and controlled by the lead organiser only. That lead organiser then extracts the data and inputs it into the TFS Portal. Although, TFS does not give guidance on data collection to the Schools, this “mail chimp” type system, would be the preferred structure.
Behaviours regarding the School Trip Data Set which TFS suggests are not appropriate, are the following;
- Storing data on excel spreadsheets (password protected or not) in multiple locations, or at all;
- Saving data spreadsheets on Laptops (particularly lead organiser private laptops). Student data sets should be saved on the school servers only;
- Sending data, in an email or on attached spreadsheets, even if password protected. (A single incorrect email addressee is potentially a notifiable breach to the Data Protection Commission);
- Any person other than a lead organiser, or a school employee, inputing the data into the TFS Portal;
- If collecting data in paper form, leaving those forms in an unsecure location and thereby exposing data.
The School Trip Data Set should be treated separately by the School, i.e. it should be securely stored on the school servers, and should be subject to a separate deletion policy compared to the rest of the student data which the school holds. TFS suggests that the School Trip Data Set should be deleted within a reasonably short period of time after the trip, such as for example 6 months, unless otherwise specifically required. This allows for any accidents or claims to emerge, and the remaining data can then be deleted. There is no effect on the data which the school already holds for its own purposes, however, the School Trip Data Set will have expired as it will no longer be required.
WHAT IS THE RELATIONSHIP BETWEEN THE LEAD ORGANISER THE SCHOOL AND TFS WITH REGARD TO STUDENT DATA?
The School Trip Data Set is transmitted either by the lead organiser, or the school, to TFS. While it may appear that TFS could be a Data Processor, the TFS legal interpretation is that; (i) the school (through the lead organiser) collects the data and requires it for its own purposes with regard to the trip (i.e. the lead organiser will need to obtain contact details, medical conditions, dietary requirements etc), and (ii) the school/lead organiser is also collecting the School Trip Data Set for and at the request of TFS, in accordance with TFS’s requirements. TFS is advised that this relationship puts the School and TFS in the position of separate controllers, each having their own obligations in that regard.
WHAT SHOULD THE SCHOOL TELL THE STUDENT/GUARDIAN WHEN COLLECTING THE “SCHOOL TRIP DATA SET”?
We suggest the following wording;
You have received this information request, because you, or your dependent, have agreed to participate in a school trip organised with Topflight for Schools Limited (“TFS”). The school already holds certain personal data with regard to its students, which was gathered for the purposes previously communicated, and in accordance with the school’s Privacy Statement. This personal data is collected now for the purpose of the school trip, and is also collected in accordance with the school’s Privacy Statement. In addition, the personal data now gathered is as requested by TFS, for the purposes of the school trip, and it is shared with TFS, which also becomes a controller of the personal data. TFS, as a data controller in its own right, must comply with the GDPR with regard to your personal data, and you should read the TFS privacy statement available on its website at www.topflightforschools.ie, and note particularly the ways in which it will need to share certain details of your personal data with third parties, including hotels, airlines, coach companies, ski schools and equipment hire companies, for the purposes of the trip. Note also that your (or your dependents) participation on the trip will be evident on a list of travelling students, which will be available to all participants and visible when making the tour payment. If you wish your participation to remain confidential, please highlight that to the tour leader when submitting your data.