JISCMail - DATA-PROTECTION Archives

It is often difficult to explain to schools about Controllers in common / Controller to Controller data sharing. Most have now got to grips with Controller / Processor, many are happy with Joint Data Controllers … but Controller to Controller … not so much.

The latest example is a plea to Health contacts.

School nurses collect a fair chunk of data and there are a number of ways they are employed and/or who directs their work from the information sent to me and conversations so far.

Trying to get schools to understand that where the data is requested by NHS / Trusts for their own use then that is core to how you handle it with the children and parents.

It is often not clear what the Lawful Basis is for this either … some schools are being told it is opt-out and being told that this won’t change (even when challenged as to where ‘opt-out’ appears as a term in GDPR / DPA18).

A summary we have so far is …

Where the school employs the nurse and the data is sent over to the Trust, then it is a Controller to Controller transfer, and the school needs to be clear about this in the Privacy Notice, and also inform parents / children where to look for the relevant PN with the Trust.
Where the Trust employs the nurse and the data is collected via the school, the Trust should inform that children / parents about what is going on and point to their PN. The school should support this transparency as much as they can.
Where the LA employs the nurse and the data is sent over to the Trust, then it is a Controller to Controller transfer … but the LA should inform that children / parents about what is going on and point to their PN, and the Trust one too. The school should support this transparency as much as they can.
Where the Lawful Basis is Consent – it has to be clear that it is ‘opt-in’ … where it is something else (Public Task?) then it should be clear that there is a right to object (which may or may not be upheld).

Most of the issue with these things is clear communication from the groups involved and supporting each other on transparency to the Data Subjects.

Would any Health colleagues disagree with the above? What does the wider list think on this?

Tony Sheppard

Operations Manager

GDPR in Schools

Office: +44 (0)208 144 8621

Mobile: +44 (0)7891 019594

The information in this email and any attachment(s) is confidential and intended solely for the use of the addressee. If you are neither the addressee nor an authorised recipient for the addressee, please notify the sender and delete the email from your system immediately. Unauthorised use, dissemination, distribution, publication or copying of this communication or attachments is prohibited and may be unlawful. Our messages are checked for viruses but please note that we do not accept liability for any viruses which may be transmitted in or with this message. Views expressed by an individual in this email do not necessarily reflect the views of GDPR in Schools Ltd.

GDPR in Schools Ltd is a private limited company registered in England and Wales.
Registered office: 11 Kingsley Lodge 13 New Cavendish Street, London, United Kingdom, W1G 9UG.
Company registration number: 10699302.
ICO registration number: ZA248932.