Data protection: Looking after your pupils’ information
As a business, we take the protection of our pupils’ information incredibly seriously, but we also understand that there is plenty of confusing information out there in relation to data protection, and how it applies to businesses such as ours. Because of this, we thought that we’d share with fellow driving schools the long, short and the basics of data protection in plain English.
The Official Word from the ICO
The Information Commissioner’s Office (ICO) is the public body responsible for ensuring businesses meet their obligations in terms of data protection. They enforce the Data Protection Act 1998, which applies to living individuals’ data which is stored either digitally or physically on paper.
There are eight core principals to the Data Protection Act, which state that personal data must be:
“1. Fairly and lawfully processed;
2. Processed for specified purposes;
3. Adequate, relevant and not excessive;
4. Accurate and, where necessary, kept up to date;
5. Not kept for longer than is necessary;
6. Processed in line with the rights of the individual;
7. Kept secure; and
8. Not transferred to countries outside the European Economic Area unless the information is adequately protected”.
The seven-step checklist to meeting your data protection obligations
1. You must let your pupils know what information you’re holding and what it will be used for.
2. You must hold the data securely (see our section on this further down).
3. The data you hold must be kept up to date.
4. Once you no longer have any need for the data, it must be destroyed (such as when a pupil passes).
5. You must ensure access to the information is only given to those who need it.
6. Where CCTV is in use, it must not record any details (e.g. it must be faced towards your desk, rather than behind it).
7. You must train your staff on their data protection responsibilities.
Do driving instructors need to ‘register’?
You may have heard that some small businesses need to notify the ICO about their data processing. Driving instructors do not fall into this category, and you don’t need to register.
Important pointer: You must hand over a copy of all data held on an individual if requested
Should a pupil request to see their information, you are legally obliged to provide them with a copy.
“What happens if I breach the Data Protection Act?”
Breaches of data protection are taken seriously and can be deemed a criminal offence, the punishments for which ranges up to a £5,000 fine.
Storing data securely
Cloud storage offers just about the most robust protection you could find – over and above storing files on your hard drive (which could, in all likelihood, be stolen should your premises by burgled). But you must choose a premium provider (free providers simply won’t offer the same level of security as the paid options). You must also ensure that any cloud provider is going to store your data in the UK (as outlined in the Data Protection Act).
Alternatively, you should follow good data practice when storing it in-house namely:
– Keeping all paper files locked away in a robust filing cabinet when not in use
– Using anti-virus on your computers
– Installing a firewall for your IT system
– Ensuring that staff change their passwords regularly, that they do not share passwords, and that passwords contain at least one capitalised letter, a number and a non-alphabetically character, to a minimum of eight characters long.
Our pupils are safe in the knowledge that our data management skills are as good as our driving tuition. To book a driving lesson in Kent, call the team at Lanes School of Driving, Kent – phone on 020 8166 5678 or pop us a message via our contact page.