DPO: Natasha's Law and Data Protection - Things to Consider
This is a summary taken from Judicium’s DPO ‘Sofa Session’ from the 27th of January, with our Head of Data Services Craig Stilwell, LLB (Hons), L.P.C. This session was centred around: An overview of Natasha’s Law and Data Protection. Looking at how they impact each other; data sharing and following best practice with medicines and allergy information; common crossover scenarios between the legislations and how to handle them; and top tips for processing and managing allergen data.
Overview of Natasha's Law
In October 2021 a new law was introduced for businesses to follow – The Food Information (Amendment) (England) Regulations 2019 (with similar rules in Wales and NI). It is more commonly known as Natasha’s law.
It requires businesses to provide full ingredient lists and allergen labelling on foods that are pre-packaged.
There are a few different instances where this may apply to schools:
- Packaging lunches and snacks for school trips.
- Pre-packed foods which are sold or provided in the school canteen.
- Indirectly, how schools handle allergen information as part of the health questionnaires they carry out.
Whilst the data printed onto packaging itself may not immediately seem like personal data, there are many indirect implications. We therefore thought it would be useful to provide some best practice tips to ensure you are not exposed.
Data Laws
Organisations who handle personal data must ensure they follow the provisions of the Data Protection Act when doing so. Specifically, the data protection principles:
- Lawfulness, fairness and transparency
  - Having a fair reason to use the data.
  - We need a lawful basis such as consent, legal obligation or public task.
- Purpose limitation
  - Not using data for incompatible purposes.
- Data minimisation
  - Data is limited to what is necessary.
- Accuracy
  - Data is accurate and up to date.
- Storage limitation
  - Keeping data for no longer than is necessary.
- Integrity and confidentiality
  - Ensure suitable security for the data.
- Accountability
  - Ensure you have evidence to show compliance with the above (such as processes, policies and training).
Allergen and health data are classed as special category data, a form of personal data that is deemed more sensitive. This means there are extra measures to consider, particularly in respect of the lawfulness principle.
The usual lawful bases in these scenarios are:
- Consent
  - As part of health questionnaires, consent may be sought.
- Legal obligation
  - A requirement as part of health and safety legislation.
- Public task
  - This can also be applicable.
For special category data the most likely lawful bases are:
- Explicit consent
- Substantial public interest
- Necessary for purposes of preventive or occupational medicine, for treatment or management of health and social care systems.
- Necessary for reasons of public interest in the area of public health.
Data Sharing
In some of these instances we need to share personal data with third-party organisations and individuals, such as caterers. For this, there is a Data Sharing Code of Practice produced by the ICO (see the link under Helpful Information below).
This isn't a separate piece of law, and many commentators do find the data sharing guidance slightly confusing, but it's best to see it as a series of good practice measures to consider.
Some key points to take from it, which can be applied to data sharing allergen information include:
- Do you have a data sharing arrangement in place with the provider?
  - This could be useful.
  - It doesn't prove or disprove compliance, but it can show you established a mutual position to take data protection and security seriously.
- Will data need to be shared on a one-off basis or regularly?
  - If it is regular data sharing, there is more emphasis on the need for processes and agreements.
- Sharing data for emergency purposes
  - This can be done if there is a possibility of greater harm in not sharing.
  - It is important not to see this as a reason to over-share.
- Data sharing should also follow the principles (i.e., do we have a lawful basis to share?).
- We should be more careful when we are handling children's data.
  - They are more vulnerable subjects and may have more difficulty in understanding our processes.
  - It is important to try to be as clear with children as with staff.
- Is the processing necessary?
  - Is there a less intrusive way of sharing the data?
- Ensure we share data securely.
  - For example: encryption, password protection, limited access, transparency, and only using what is necessary.
Common Scenarios
Health questionnaires
As part of health questionnaires, schools will need to detail allergies, medical conditions, medication and authorisation to dispense medication. Considerations include:
- How do we ensure it is accurate? Do we review the data regularly?
- How do we ensure the data (or elements of the data) are only shared with those that need to see it?
- How do we keep it secure?
- Retention periods for this data.
  - This may depend on whether you transfer that data to the next school or not.
  - Otherwise, normally until the age of 25, except if it forms part of the care plan, which requires retention until the age of 31 (as the care plan expires at the time of turning 25).
- How is this securely (and accurately) transferred to third parties?
School trips
There may be times when lunches need to be labelled with the children's names and either taken by the staff member or shared with certain trip providers. Again, as long as we have established a lawful reason this should be fine. However, you should consider:
- Ensuring the third party deletes data when it is no longer needed and disposes of it securely.
- Who is labelling?
- Are checks made to ensure labelling is correct and accurate?
  - There is no scope for error here, so how do we check this?
  - Reviews of MIS systems for accuracy can be helpful.
- Consider not oversharing on registers: do we need all the information?
- Consider transportation and how this may affect communications (such as cross-contamination).
Sharing data with caterers
In addition to the third-party sharing considerations, here are some additional thoughts:
- How do they match up your data set?
  - Sometimes they need pictures as well as names.
- How do they ensure this data is kept secure?
  - Sometimes this may be kept behind a hatch, but in public halls we want to ensure that caterers and limited staff see it rather than visitors.
- Due diligence is key.
  - People often ask: if a third party does something wrong, are we liable? It is never a clear answer.
  - To minimise risk, showing you did your checks and were thorough is more likely to distance you from being a causal link in the chain.
  - This extends not only to data due diligence but also to checking they have practices for dealing with allergies, such as prevention of cross-contamination.
- Training records: are training records kept, or are due diligence checks carried out on suitable training?
  - These may be required for longer to ensure a competent person is in charge.
Other events
Consider and plan for other events which may fall under Natasha's Law, such as events with catering. Examples include school fairs, cake sales, discos, breakfast and after-school clubs, parties, parents' evenings, catering for staff and catering for governors.
All of these should come with the same considerations as above. Make clear to all staff that they need to be wary of these changes, and you may need to carry out an assessment on a practice that was previously deemed OK.
A good question to ask is: how do we ensure labelling is correct?
Common Tips and FAQs
Processes for managing allergens
Think about the best way you can ensure allergens are recorded and detailed correctly.
We find that schools are very good at managing sensitive records such as this, but considerations to take are:
- How can you ensure allergen information is visible to some but not others (e.g., coloured lanyards)?
- How is the accuracy of the data provided checked?
  - Remind parents and students to keep it up to date and check for themselves.
- How do we ensure the allergen data we share with students and parents is visible and accurate too?
  - Sometimes the pupil may not be aware, so checks should be in place.
- How do we check third-party practices when it comes to handling data?
Displaying medical conditions and allergies
Schools may regularly have details of allergies available to staff. There is nothing detailing how these should be made available, but the things you need to think about are:
- How do we ensure that only those who need to see the data can view it?
- How do we ensure it is suitably secure?
Sometimes this data may be in a staff room, which again can be fine if all staff are aware, but what if you regularly allow visitors into the staff room? This should be considered.
The details on those posters should also be considered. For example, staff may need to know the medication a pupil is on or what to administer, but don't necessarily need the condition they suffer from displayed. It depends on the circumstances.
Similarly, if an allergy is heightened so that visitors need to be aware, you may display that allergy at reception, but visitors may not need to know the individual concerned.
Transparency
Transparency underpins data protection law. Ensure your consent forms are clear about who data is being shared with and what it is being used for.
Consider detailing this in privacy notices and sending regular updates to parents to re-inform them that this is how you are using their data.
Also consider whether you need to re-confirm this data so that it is kept up to date. Follow the same protocols for care plans.
Data Requests
Natasha's Law may result in more data requests, including requests for processes, care plans and details of the allergen information you hold.
It is important to ensure requests are dealt with within the required time periods. We recommend you seek the assistance of your DPO to see what does and does not need to be disclosed.
Data requests can be reactive, such as when an incident takes place, but requesters may also be checking to see that you do have processes in place.
Training
It is important to have staff trained in the processes put in place. Data protection training should be regular and at least bi-annual.
Most data requests can also go to any member of staff, so it is important they are aware and trained for this so they can pass requests on to be dealt with promptly.
Helpful Information:
ICO Data Sharing Code of Practice - https://ico.org.uk/for-organisations/guide-to-data-protection/ico-codes-of-practice/data-sharing-code/
Jedu is Judicium's online GDPR compliance tracking software for schools. Our platform is suitable for single schools to large MATs and is designed to assist schools with two critical needs: To enable trustees, governors and other schools’ leaders to monitor GDPR compliance; and to assist you manage your data protection.
You can also find information regarding our School Data Protection Officer (DPO) service here.
If you require any support in any of these steps or would like to talk to someone surrounding some support for your school, please do not hesitate to call us on 0203 326 9174 or email georgina.decosta@judicium.com.