Simplifying GDPR for Piano Teachers

When Liz Giannopoulos contacted me about a month ago to offer a guest post about GDPR, my initial response was, “what’s that?”

It is a response that was echoed by many when Liz’s post was published here just a few days later. It quickly became apparent that many instrumental teachers, like me, didn’t know the first thing about GDPR, even though it comes into effect on May 25th 2018. I know that many are hugely grateful to Liz for her very clear introduction to the subject.

In the weeks since then, there has inevitably been a huge debate about GDPR, and no small amount of activity on the part of those of us who are concerned to run our teaching businesses on a professional and legal footing.

This post will consider some of the biggest questions teachers have been asking and – with further help from Liz and from piano teacher Joanne Snowden – will offer some updated and accessible answers to these practical concerns:

  • Do I need to register as a data controller with the ICO?
  • What do I get for the £35 registration fee?
  • Do I need to seek consent from data subjects?
  • How do I write a Privacy Notice, and what should be included?

There has been much confusion about these issues, and often the ensuing debate between teachers has seemed to miss the core value that data privacy is a basic right for us all.

GDPR is ultimately about caring for our students and clients.
It is about respecting their basic rights.
It is an act of kindness.

Alongside putting my students’ and clients’ needs first, taking time to reflect on how I use other peoples’ personal information (and why) has proven to be a genuinely helpful professional development exercise.

As piano teachers we often enjoy considerable autonomy – and don’t always welcome challenges to our independence – but taking time to reflect on our compliance to external professional standards is worthwhile in and of itself.

With that in mind, let’s now turn to some big questions that teachers have been asking…

Registering with the ICO

Whether we need to register with the ICO as “Data Controllers” has been a source of ongoing doubt and confusion, often stemming from teachers being unsure quite how best to answer some of the questions on the ICO’s online self-assessment tool.

This online self-assessment tool is recommended by professional association The Incorporated Society of Musicians, who also note:

“If you make decisions about what happens to the data of your clients or customers, it is likely you will need to register. Processing data digitally extends to your mobile devices (such as smartphones on which you access emails or store telephone numbers).”

For further information, including the rationale and details behind the online questionnaire, this document from the ICO is a useful resource. Having dug into that information, let me share the answers I myself gave as a piano teacher, and leave you to decide whether your answers should be the same:

  1. Do you use CCTV for the purposes of crime prevention? NO
  2. Are you processing personal information? YES
  3. Do you process the information electronically? YES
  4. Is your organisation responsible for deciding how the information is processed? YES (self-employed individuals are classed as an organisation)
  5. Do you only process information for one of the following [listed] purposes? NO 
  6. Are you a not-for-profit organisation that qualifies for an exemption? NO
  7. Are you processing information for any of the following purposes?
    YES: EDUCATION  (“LEISURE” gives the same result)

At this point I was told:  “You need to register.”

Put very simply, if you are a self-employed piano teacher and process any of your students’ personal information electronically, then according to the official documentation it certainly seems that you have to register, so that is what I’ve done.

Some teachers have questioned whether “education” includes private tuition, but I soon found that the ICO includes “Home Tuition” as a specific subcategory at the point of registration.

Anecdotally, teachers who have phoned the ICO for further insight have seemed to receive conflicting responses, which has added to confusion, but perhaps this is because the ICO is itself in transition between the existing rules and the new GDPR rules which – remember – don’t apply until May 25th.

The Registration Fee

One reason that some teachers are reluctant to register is that there is an annual fee, currently £35.
“What do we get in return?” I hear many ask…

The short answer is that our businesses get included in the ICO’s Register, which is published on their website. The ICO also provide additional support and a monthly newsletter.

I would suggest some other important benefits, such as:

  • demonstrating that we care about our students’ and others’ rights;
  • gaining clarity about appropriate use of personal information;
  • a heightened sense of professional accountability and legitimacy;
  • an opportunity to present our businesses as responsible and professional;
  • peace of mind.

As the Information Commissioner, Elizabeth Denham herself puts it:

“I say again to those organisations who want to build customer trust in how they collect and use personal data, the opportunities to improve your organisation and the services you offer, through the GDPR, are enormous.”

That said, I am sympathetic to teachers who are anxious about seeing their personal addresses and other information included in a public register. One suggestion that might solve the issue for some would be to obtain a business PO Box address. This isn’t cheap, but is an option designed for those wanting to run a business from home, and look professional while maintaining personal privacy – you can find out more here.

Seeking Consent

Whether or not a piano teacher registers their business with the ICO, they must still comply with the new regulations. Among these, businesses must have a valid lawful basis in order to process anyone’s personal data.

There are six lawful bases for processing – of which Consent is one – and you will find a detailed guide to all six on the ICO website here.

There are three lawful bases which seem likely to suit a piano teacher’s typical information processing activities:

  • Contract – where contracts exists between teachers and their clients;
  • Legal Obligation – e.g. paying taxes, and child protection issues;
  • Legitimate Interests –  e.g. most business and educational activities.

The ICO explain that:

“Legitimate interest is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.”

When legitimate interest is used as the legal basis for processing anyone’s personal information, we must balance our use of data with that individual’s interests, rights and freedoms.

Perhaps the best way to be sure about this is to ask for Consent whenever information is shared with others, for example:

  • writing a reference for a student;
  • sharing medical or SEN data with an examination board;
  • liaising with their school;
  • identifying students on a website;
  • using photos in which students are identified.

That consent might not involve producing more forms and paperwork – it could be a simple email acknowledgement or a signed note kept on file. But make sure the client knows how their consent can subsequently be withdrawn, should they change their mind.

How are we to communicate all this in an easy-to-understand way to our students and clients?

This is where the Privacy Notice fits in …

The Privacy Notice

How do I write a Privacy Notice, and what should be included?

The ICO helpfully provide plenty of information about what should be included, which is available on their site here.

Personally, I have found it very helpful to look at the Privacy Notices provided by others. I’ve spent time googling local schools, churches, businesses and youth groups to see what they had produced. One of the most helpful for me was that published by ABRSM, from which I borrowed a number of wording and layout ideas.

To help readers with writing a Privacy Notice I am pleased to offer here three examples for download, which you can compare and adapt for your own use as necessary.

Joanne Snowden

Joanne’s private practice “Piano with Jo” operates on similar lines to those of self-employed piano teachers up and down the country, so her policy will be useful to all who want a simple Privacy Notice to give parents.

She has chosen to include a space for students and clients to sign that they have read the policy. Obtaining a form of proof of this is important for compliance, but I understand sending via email may equally suffice.

Download Joanne’s Privacy Notice

Liz Giannopoulos 

Since her original article, Liz has updated her Privacy Notice, but tells me:

“I’ve pretty much followed the action plan I wrote in the original article.”

Liz’s practice employs several other teachers, and she is involved in running the Battersea Piano Festival. Her Privacy Notice takes account of these extended business activities, and remains a model of clarity. She explains,

“This privacy notice is designed to cover students, taught by me and taught by my associates. It also covers my associates and the data I hold about them. And it needs to cover Battersea Piano Festival, the adjudicators and the participants. That’s a lot of relationships to cover in one page!”

Download Liz’s revised Privacy Notice

Andrew Eales

Unlike Liz, I don’t presently employ other teachers or run a major annual event. On the other hand, I am active as a writer, composer, consultant and blogger, which brings different challenges and online visibility.

Taking account of these business quirks and my personal foibles, my Privacy Notice is a little more detailed than the other two, including sections on my websites. But notice that my layout, though spread across two pages, is almost identical to the other two policies here.

Keyquest Music Privacy Notice v1.2

Three Businesses – Three Privacy Notices, all a bit different but with much common ground! By considering them all, you should hopefully be able to pick out the features and wording that will cover your own business.

Concluding Thoughts

The topics discussed in this post aren’t comprehensive in terms of our GDPR compliance – please refer back to Liz’s original article for more information.

The ICO have also provided this very handy checklist for compliance, as well as some hugely useful online tools here.

As I’ve embraced the process of preparing my teaching business for GDPR, I have been struck by the sheer amount of information which we can amass as private music teachers. Going through the requirements for compliance has helped me to reflect on my own professionalism – something that perhaps as lone piano teachers we do too rarely.

Once again:

GDPR is ultimately about caring for our students and clients.
It is about respecting their basic rights.
It is an act of kindness.

In that same spirit, Liz, Joanne and I all want to wish our colleagues the very best – and hope that the support we have shared here will be helpful.

Disclaimer: Nothing in this article constitutes legal advice. Specialist advice should be taken in relation to specific circumstances. The contents of this article are for general information purposes only. Whilst we endeavour to ensure that the information in this article is correct, no warranty, express or implied, is given as to its accuracy and we do not accept any liability for error or omission. We shall not be liable for any damage (including, without limitation, damage for loss of business or loss of profits) arising from the use of, or inability to use, this material, or from any action or decision taken as a result of using this material.

Published by

Andrew Eales

Andrew Eales is a pianist, writer and teacher based in Milton Keynes UK, where he runs Keyquest Music - his successful independent music education business, private teaching practice and creative outlet.

5 thoughts on “Simplifying GDPR for Piano Teachers”

  1. Thank you SO much for this – I have spent a huge amount of time reading but not achieving much, and your hard work and generosity, together with Joanne’s and Liz’s, has given me the impetus and confidence to go ahead with what I have to do. I particularly appreciate the ‘caring’ approach; taking time to ensure that we consistently respect and consider others’ needs and avoiding the trap of feeling persecuted into compliance for little or no personal gain.

    Liked by 1 person

    1. According to the GDPR directive:

      “‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”.

      So for example if you collect, store and use a student’s phone number, these activities all count as processing.

      Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s