+ Post New Thread
Results 1 to 9 of 9
School ICT Policies Thread, Data Protection : Emergency Contacts in School Administration; It is (perhaps) well known that schools need to be careful when sending out data on documents where (say) an ...
  1. #1


    Join Date
    May 2009
    Posts
    3,396
    Thank Post
    301
    Thanked 917 Times in 684 Posts
    Rep Power
    346

    Data Protection : Emergency Contacts

    It is (perhaps) well known that schools need to be careful when sending out data on documents where (say) an address might be disclosed to the wrong person, say an estranged mother where there is a court order prohibiting contact etc. So we have become very careful (hopefully) about what data is displayed where and to whom.

    So we are thinking about sending out data checking sheets to parents. The sheets would contain information on the named individual (parent/guardian) and the student(s). We record in our MIS information about 'emergency' contacts; who should we contact in the event of some mishap etc when we cannot contact the parents. This seems to throw up some potential Data Protection issues :

    1. We would be disclosing data about an individual to another party without the permission of the data subject.
    2. We have no way from the MIS alone of identifying the source of the data (so we can't even say we are only disclosing it back to the person who gave it to us).- although strictly that may not matter (just because you gave me data, doesn't necessarily absolve me of my duties as data controller.
    3. We could potentially be falling foul of disclosure where court orders are in place (people do fall out with each other - sometimes that leads to strange things (for example a past neighbour is now the new partner of the mother and sending her contact details to the father would be something she might rightly object to).

    Given that, I don't see that we can send out checking sheets populated with contact data. But, nor do I see how we can't! A parent has a right to know who the school thinks they can contact and potentially even allow to collect a child from school. The problem is we don't necessarily know that contacts have given a parent permission to give their details.

    Is there a simple answer to this or some get-out-of-jail free clause in the DP act that I've not seen, that cuts through the issues to an easy yay or nay? Or is it more complex.

  2. #2

    GrumbleDook's Avatar
    Join Date
    Jul 2005
    Location
    Gosport, Hampshire
    Posts
    10,074
    Thank Post
    1,384
    Thanked 1,890 Times in 1,170 Posts
    Blog Entries
    19
    Rep Power
    614
    As part of the paperwork the school gives out when a child joins it is likely to state that the parent is responsible for keeping the school up to date with *all* changes of circumstances. If you are given data which is subsequently used to send out information then you can only keep this as accurate as you can if the data owner keeps you informed. You notify people that update requests will happen on an annual basis and point out teh risks of it going astray if *they* fail to live up to their part of the partnership.

    Some schools have a few things in place to make this a bit simpler.

    1 - Instead of posting the data collection form to the presently registered home address you put it into a sealed envelope and it is handed to the student to take home. Tutors then log the returns and if there has not been a return (signed by the appropriate parent) then calls are made home to chase. Any child which is at risk, or is a family which has members who are vulnerable, would tend to have the paperwork handed directly to the parent / guardian.

    2 - Instead of posting the forms out they may be handed out at a parents' evening to be checked and updated. If parents do not attend the parents' evening then this is followed up by pastoral staff who can also check on the data at the same time. Again, vulnerable children and families with vulnerable members are targeted more directly.

    Remember that the DPA includes the phrase 'taking all reasonable measures' ... short of knocking on each house a child is thought to live in, having a DNA check on the parents and then cross-checking againt anything that has gone through the courts ... there is not much more you can do.

    As far as court orders go ... anything which involves a child is meant to be fed back to others in contact with that child including their school. If this is not happening in your area you need your SLT to get in touch with the local social care team. Any gaps can be dealt with and if you have found some and fail to notify people about it then you put your own OFSTED inspection at risk ... as well as the children (altogether now ... "Won't anyone think of the children?"!!!)

  3. Thanks to GrumbleDook from:

    pcstru (6th July 2012)

  4. #3


    Join Date
    May 2009
    Posts
    3,396
    Thank Post
    301
    Thanked 917 Times in 684 Posts
    Rep Power
    346
    Thanks but I think you have missed the heart of the problem (my fault for not explaining it well enough). We record information on data subjects, who if they are identifiable living individuals are subject to the provisions of the DPA. Let's classify it that we have three distinct data subjects;

    A - A child/student/pupil
    B - A Parent
    C - A Named Individual who is designated an Emergency Contact (by B).

    We want to send details to B of C but essentially we have no permission from C to do so. We don't necessarily know that C's details were supplied by B, they might have been supplied by another guardian etc several years back (parents split up and one of them runs off with C, making it contentious when C's contact details are listed on the form sent to the other parent).

    Does that make it clearer?

  5. #4

    Garacesh's Avatar
    Join Date
    Jan 2012
    Posts
    3,428
    Thank Post
    1,310
    Thanked 503 Times in 369 Posts
    Rep Power
    240
    Then don't. Instead of saying "Is the ICE contact Mr. Pootis Spencer, BLU Base, Heavyville, 07123456789?" just ask "Due to Data Protection we cannot disclose the emergency contact to you for cross-checking, however, can you please give us the emergency contact details if they have changed since the date your child joined the school."

    Would that not work, or am I interpreting this wrong?

  6. Thanks to Garacesh from:

    pcstru (6th July 2012)

  7. #5

    AngryTechnician's Avatar
    Join Date
    Oct 2008
    Posts
    3,730
    Thank Post
    698
    Thanked 1,214 Times in 761 Posts
    Rep Power
    395
    Quote Originally Posted by pcstru View Post
    A parent has a right to know who the school thinks they can contact and potentially even allow to collect a child from school. The problem is we don't necessarily know that contacts have given a parent permission to give their details.
    IANAL, but in my opinion the former outweighs the latter here. Without getting into the technicalities, the parent generally has a right to see data that relates to their child. Just because the data also relates to someone else doesn't negate that right.

    If you want a watertight opinion, simply ask the ICO what their opinion is. Their helpline details can be found here: https://www.ico.gov.uk/Global/contact_us.aspx

  8. Thanks to AngryTechnician from:

    pcstru (6th July 2012)

  9. #6

    GrumbleDook's Avatar
    Join Date
    Jul 2005
    Location
    Gosport, Hampshire
    Posts
    10,074
    Thank Post
    1,384
    Thanked 1,890 Times in 1,170 Posts
    Blog Entries
    19
    Rep Power
    614
    IANAL but ...

    If the original data about the contact (person C) was provided by the parent (person B) then person B has a right to see that data. If some of the data is subsequently updated by person C directly then you have to check with person C that person B is someone that data can be shared with. This is about linked contacts and linked data. If the data about person C has been updated by person B then you can send it out to person B anyway.

    The problem arises when you don't know who has update the details of person C. You *have* to presume the worst case scenario and that it was by person C and that person B has not been involved. There are still some things you can send to person B though. Information that they will already know about the person can still be shared. This means that the data collection sheet can have something like ...

    Your Emergency Contact for [child] is: [name of person B].
    Can you please confirm if this is still the case and provide current contact details which will be cross-checked against present information. We may contact this person to verify your relationship with them and that they are happy to be the emergency contact.
    You have not asked for more information than that already known. There could be a few gaps in this which you might want to consider how you deal with it ... things like if the name has changed due to marriage you might not want to share that so you might have to check if any names have changed in the last 12 months. It is also an idea for form tutors to have a look at the forms before they go out as they can often have more knowledge about changes of personal circumstances than might be on the MIS.

    Not a complete answer, but hopefully enough common sense to fit in with what others have said and allow you to assess the risk.

  10. Thanks to GrumbleDook from:

    pcstru (6th July 2012)

  11. #7


    Join Date
    May 2009
    Posts
    3,396
    Thank Post
    301
    Thanked 917 Times in 684 Posts
    Rep Power
    346
    Quote Originally Posted by GrumbleDook View Post
    IANAL but ...

    If the original data about the contact (person C) was provided by the parent (person B) then person B has a right to see that data.
    That seems reasonable, but it may well be incompatible with the principles of DP. I think Bristol Uni's explanation of the principles is excellent but I can't square 1 & 6 with processing emergency contacts in the way that seems reasonable.

    If some of the data is subsequently updated by person C directly then you have to check with person C that person B is someone that data can be shared with. This is about linked contacts and linked data. If the data about person C has been updated by person B then you can send it out to person B anyway.

    The problem arises when you don't know who has update the details of person C.
    I think it arises before that - when in receipt of the data you have no way of determining that the supplier has any right to supply the data and you can't at the point that you store the data comply with the statutory rights of the data subject (C).
    Not a complete answer, but hopefully enough common sense to fit in with what others have said and allow you to assess the risk.
    Thanks for putting some thought into it. I have asked the ICO for their advice, specifically can we/can't we and what specifically supports their opinion (in terms of legislation). I think I can see a way of putting us in the correct position in future (pretty much by doing as you suggest) but it is much more administration overhead than (I guess) most schools currently do. I don't want to force work on us that we don't need to do, but nor do I want to be on the end of a DP complaint!

  12. #8


    Join Date
    May 2009
    Posts
    3,396
    Thank Post
    301
    Thanked 917 Times in 684 Posts
    Rep Power
    346
    Quote Originally Posted by Garacesh View Post
    Then don't. Instead of saying "Is the ICE contact Mr. Pootis Spencer, BLU Base, Heavyville, 07123456789?" just ask "Due to Data Protection we cannot disclose the emergency contact to you for cross-checking, however, can you please give us the emergency contact details if they have changed since the date your child joined the school."

    Would that not work, or am I interpreting this wrong?
    That would work, but I will then be asking some very busy people to do more work than they already do. That may be necessary in the end (I'd rather that than a DP complaint) but if I do do that, I need to be on quite firm ground!

  13. #9

    GrumbleDook's Avatar
    Join Date
    Jul 2005
    Location
    Gosport, Hampshire
    Posts
    10,074
    Thank Post
    1,384
    Thanked 1,890 Times in 1,170 Posts
    Blog Entries
    19
    Rep Power
    614
    @pcstru
    One of the things you have to be careful of when looking at the principles is presuming that you any change requires permission every single time and that you, ie the school as the data processor, has to be the only person jumping through hoops. The key word again is reasonable.

    If you have data about a data subject given to you by another data subject you have to presume that a) they have a reason to share that information and b) that the subject has no disagreement to the data being processed. Your risk assessment makes you concerned about validating this, including the original data and the agreement to process, then you have the caveat that you check with the new data subject (person C), including having their signature on the same data collection form or on a separate Emergency Contact form. Once you have checked that this is valid then there is also an onus on the data subject (person C) to ensure that this is kept up to date with you, and that they continue to give permission to process the data. If there has been a previous agreement to share data between the 2 data subjects (persons B and C) then you can presume that this continues or, if your risk assessment shows concerns about this, you can specify a length of time for which you will process the data and when you will ask for permission again.

    It is not so much about being DP compliant but about how your Risk Assessment informs you about what you need to do to ensure that the data subjects are a) aware of what you are doing, b) have opportunities to verify data and c) that you have taken reasonable measures to consider and deal with any associated issues.

    For some schools this might be minimal ... in some areas this could be a lot of work due. To some extent it is based on the amount of changes of emergency contacts you have had to deal with in the past, whether you have had issues due to complaints, whether there is good internal communication about protection orders, etc ...

    It is a balancing act and just because you are doing it one way now doesn't mean that you will always do it that way. You might want to review the process on a yearly basis ... based on feedback from the data collection exercise.



SHARE:
+ Post New Thread

Similar Threads

  1. Data Protection : Real life examples of consequences?
    By contink in forum How do you do....it?
    Replies: 21
    Last Post: 14th July 2007, 11:37 PM
  2. Stateside Hosting, Data Protection, etc...
    By plexer in forum Web Development
    Replies: 0
    Last Post: 17th May 2007, 10:48 AM
  3. Backups - Data Protection Manager
    By fooby in forum How do you do....it?
    Replies: 4
    Last Post: 14th December 2006, 11:45 AM
  4. Data Protection Act And Root/Administrators Passwords.
    By tickmike in forum General Chat
    Replies: 4
    Last Post: 11th September 2006, 04:35 PM
  5. Data Protection Act - re: Remote Access
    By mark in forum School ICT Policies
    Replies: 18
    Last Post: 26th September 2005, 08:19 PM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •