The increasingly popular website ‘everyonesinvited’ contains thousands of “testimonies” by victims of sexual abuse and misconduct, largely – but by no means exclusively – at private schools. The testimonies are described as being anonymised, although most carry the name of the school or, in some cases, college or university. It has quickly become a primary source of information and it also has an Instagram account with tens of thousands of followers.
Data only becomes ‘personal data’ when it is information relating to an identifiable individual and, generally speaking, it will not be possible to identify individuals from these testimonies. Nevertheless, that may not always be the case where there is a named school, year group, description of an individual and so on. For instance, one complaint that was then reported in the media referred to the complainant being part of a cohort of 40 girls at a particular school, where they were all ranked according to their looks and the only black girl was ranked last.[1] That potentially identifies this particular student and, if so, would amount to a data breach by the website and anyone else who publishes the complaint. This suggests that the anonymisation needs to be taken several steps further.
Faced with these testimonies and the inevitable media focus on those relating to the private sector, various schools have indicated that they will investigate the concerns and allegations that have been made, as well as work to improve safeguards. That in turn raises questions about how schools should approach the challenges raised in processing what will always be sensitive personal data.
To take an example, King’s College School Wimbledon was accused of being “a hotbed for sexual violence” in a widely reported 11-page open letter posted on Instagram by a former pupil at a neighbouring private girls’ school. The letter contained numerous anonymised first-hand accounts of every level of sexual abuse, including rape, and included allegations of staff being aware of the problems, but doing nothing.
In its response, the school said that it was appointing a panel of independent experts to carry out a forensic review of the school’s policies, practices and values. However, to what extent can that forensic review access and use sensitive personal data to establish the facts? What are the school’s data protection responsibilities in respect of the data breaches they discover and the subject access requests that are made? How can that data be used in any employment issues that arise?
A school is going to have to carry out its own research to understand the level of the problems it faces and that will involve obtaining, collating and using personal data from current and former pupils and also staff.
Data concerning “a natural person’s sex life” is sensitive personal data under GDPR Article 9, which refers to the “Processing of special categories of personal data”. Beyond the conditions for processing “ordinary” personal data, there is another layer of conditions when processing sensitive personal data. The data subject can give explicit consent, but a school can also rely on processing being “necessary for reasons of substantial public interest”.[2]
The Data Protection Act 2018, which implements the GDPR, states that the “substantial public interest” condition is met when processing sensitive personal data for “Safeguarding of children and of individuals at risk”.[3] That requires the processing to be necessary for the purposes of protecting from harm or protecting the well-being of individuals who are either aged under 18 or are “aged 18 or over and at risk”.[4]
Therefore, collecting and using sensitive personal data from an identified student that contains details of sexual misconduct by another identified student would be lawful processing where the school was taking safeguarding steps to address the harm caused. The safeguarding condition necessary to make that processing lawful is balanced by the parallel requirement that there are measures to safeguard the rights and interests of the data subject. Therefore, any publication or distribution of the data would have to be restricted and, in most cases, sufficiently redacted.
A school can ask individuals to come forward and provide first-hand accounts, but it cannot coerce them into doing so. If a student does so, the last thing they might want is for any steps to be taken against a named individual, out of an understandable fear of the consequences.
In data protection terms, they would not explicitly consent to their sensitive personal data being processed for the specified purpose of identifying and dealing with the responsible third party. Although the school, as controller, does not have to rely on the data subject’s explicit consent to process the data, as set out above, the requirement to safeguard the data subject’s interests would make it difficult to process the data in the face of such an objection, depending upon the circumstances.
These ‘peer on peer’ issues will be particularly difficult to handle, but, as the Court of Appeal has said, “the “guiding principle” of the DPA is to enable data subjects to “protect their privacy”.[5] For instance, an intimate photo of a girl with an accompanying text from a boy sent from his mobile phone has ‘mixed personal data ‘ and therefore competing interests arise. However, as the Court went on to explain, “that principle necessarily gives rise to a “starting point”, in a mixed data case, that private information should not be revealed”.
In investigating these issues, can a school look at students’ mobile phones, given the extensive reference to the use of phones to photograph and transmit offensive images and messages? There is a power to search an “article” belonging to a pupil where there are reasonable grounds for suspecting it has been used to commit a criminal offence (Education Act 1996 s.550ZA) and the Department of Education guidance refers to this search extending to mobile phones.[6]
There are several data protection issues around the content of that mobile phone. The school will be processing data that the data subject has a right to see, the ‘data subject’ here including – for instance – the person whose photograph is on the phone.[7] As this is data concerning the data subject, there are other applicable rights, such as the right to have the data erased.[8] The school has a power to inspect the phone, but must still meet conditions for processing the data it finds. The “substantial public interest” condition would probably be satisfied, as would another condition under Article 9: carrying out the obligations of the controller in the field of social protection law. The risks or needs that may give rise to “social protection” include “family/children”.[9]
“Sexting” may amount to a criminal offence contrary to the Sexual Offences Act 2003 and posting intimate pictures of someone without their consent may come within the Criminal Justice and Courts Act 2015. However, there are also criminal offences relating to data protection, such as unlawfully obtaining or disclosing personal data without consent under s.170 of the Data Protection Act 2018. There may also be a notifiable data breach under GDPR Article 33, although it is doubtful whether that will be high on anyone’s list of priorities.
One of the inevitable consequences of these developing problems will be increased data subject access requests (“DSARs”). There will be relevant exemptions, including the restriction on the data controller’s obligations where there are third party rights and information relating to other individuals.[10] It will be equally important to keep in mind that a DSAR only relates to personal data concerning the data subject making the request; it is not a blanket right to disclosure. However, logistically, DSARs will be challenging for schools and even more so where a school does not have a clear understanding of its data protection responsibilities.
What about staff who are implicated? There is clearly a disciplinary issue where a member of staff is alleged to have disregarded sexual abuse or worse, but the evidence may include sensitive personal data that the data subject might not consent to being used in disciplinary procedures, which will fall outside the safeguarding exemption. However, GDPR Article 9 provides another condition for processing sensitive personal data, which is for the purposes of carrying out the obligations and exercising specific rights of the controller “in the field of employment”, subject to appropriate safeguards. Again, there would need to be a balancing exercise.
Where a complaint is made, the regulator – the Information Commissioner’s Office – is likely to recognise the pressures placed upon schools by these complaints. An important measure of a school’s handling of data in investigating these issues will be its “appropriate policy document”, explaining its procedures and demonstrating that it has considered its data protection obligations.[11] That policy document needs to extend to any investigations that schools now choose to carry out.
(c) March 2021
[1] The Times, 20 March 2021
[2] It is debatable what, if anything, the word “explicit” adds to the concept of consent.
[3] Sch. 1 para. 18.
[4] An individual over 18 is “at risk” if they (a) need care and support, (b) is experiencing, or at risk of, neglect or physical, mental or emotional harm, and (c)as a result of those needs is unable to protect themselves against the neglect or harm or the risk of it (Sch. 1 para. 18(3)).
[5] B v General Medical Council [2019] 1 WLR 4044.
[6] Searching, screening and confiscation – Advice for headteachers, school staff and governing bodies; January 2018.
[7] GDPR Article 15.
[8] GDPR Article 17.
[9] The term is defined in Regulation 2(b) of (EC) No 458/2007
[10] GDPR Article 23 and DPA Sch. 2 para. 16
[11] See Sch. 1 Part 4
