The General Data Protection Regulation and your school

Published: Wednesday, 09 May 2018 19:27

Claire Ashton, of IT Governance, considers the implications for schools of the General Data Protection Regulation (GDPR).

Summary points

  • The GDPR came into force on 25 May 2018 and replaces the Data Protection Act (DPA).
  • The GDPR expects you to be aware of the data you process. You need to know what you have, where it came from, how and why you are processing it, how long you keep it for, how it is secured and what rights the data subjects have over it.
  • Schools should audit their current position using a data map, which is an exercise that maps the journey of data across school, including which software it is entered into, who has access to it and how it is secured.
  • Under the GDPR, consent is tightening up compared with what was expected under the DPA and applies to non-school necessary processing, such as sharing photographs on the website and with the press.

On 25 May 2018, the General Data Protection Regulation (GDPR) replaced the UK’s Data Protection Act (DPA) and all data protection laws across Europe. Designed to modernise data protection, the GDPR applies post-Brexit and to all organisations that handle personal data, including your school.

Being aware of data

In simple terms, the GDPR expects organisations to be aware of the data they process. Your school needs to know what data it has, where it came from, how and why the school is processing it, how long to keep it for, how it is secured and what rights the data subjects (the people whose data the school holds) have over it.

Understanding the data you hold

Data mapping is an exercise that will help you to understand the data your school holds. It maps the journey of data across a school, including which software it is entered into (including software and apps used by teachers in the classroom), who has access to it and how it is secured. The ICO has produced some useful information about data mapping (see ‘Further information’ below). 

Analysing school processes

Looking at key processes will identify any risky behaviour and help you to decide how to deal with the risk. The GDPR is not about stopping doing what you do now, but about considering whether risks to personal data (any piece of information that identifies a living individual) can be reduced, or whether the risk is worth taking. Examples of these processes include recruitment, how medical information is shared around school and how information is shared on school trips.

New rules regarding consent

Under the GDPR, consent is more stringent than it was under the DPA and applies to non-essential school processing, such as sharing photographs of individuals on the website and with the press.

The age of consent for this processing is now 13. If this applies to your school, you should introduce a process to gather consent from pupils, perhaps at the start of Year 8. If your pupils are incapable of giving their own consent then refer to their parents, as you do now. For all data subjects, consent must be as easy to withdraw as it is to give, and it must be explicit, recorded and opt-in, rather than opt-out. If employment contracts include that staff consent to the use of their personal data, then the lawful basis should be changed to contractual.

Five things your school must do now

1 Implement organisational measures that demonstrate your compliance

Accountability is a key principle of the GDPR and your school must implement reasonable measures to demonstrate compliance.

Update key policies and procedures

Many school policies and procedures need updating, and organisations such as GDPR ORB, The Key, School Bus, IT Governance and the Department for Education (DfE) have templates and guidance to help with this. However, these must be adapted to your school context and be based on the systems and processes you use, as identified in your data and process mapping. Start with the data protection policy, privacy notices, email usage policy, data breach procedure, subject access request procedure and data retention policies.

Taking the email usage policy as an example, if your staff regularly share personal data on email and copy in all staff, this poses two problems under the GDPR. If emails are never deleted there is a data retention problem, and if there is a subject access request all this information must be shared. Streamlining how email is used and introducing automatic deletion helps your school to demonstrate compliance with
the GDPR.

Improve data security

One of the six data protection principles is that data must be kept securely. From talking to schools, it is clear that many do not understand basic data security and the potential risks of their normal activity.

If you have access to an IT support team, they can advise you and help you to develop an IT security policy, and the government’s Cyber Essentials certification offers a free checklist as well as advice and guidance.

Train staff

Staff pose one of the biggest risks to data security in your school, both in how they handle data and because they are susceptible to external attacks. Introducing organisational security measures will help, as well as training staff in what to do when things go wrong and understanding the potential consequences.

2 Only use processors that demonstrate compliance

A processor is any individual or company with whom you share personal data, including software suppliers and physical service providers such as photographers. You must only use processors who you trust and who can demonstrate that they comply with the GDPR, including software used by classroom teachers that holds personal data. Suppliers should have updated their contracts with you and explained how they secure the data and would deal with a data breach.

3 Be open and transparent with data subjects

Data subjects have the right to know what you are doing with their data, who you are sharing it with, how long you are keeping it for, how you are securing it and what their rights are in respect of it. This is done through a privacy notice that you share with them when you collect the data. You should produce different notices for different data subjects to ensure that they understand what they are agreeing to. Follow the link in ‘Further information’ to privacy notice model documents for templates you can use for these.

4 Appoint a data protection officer

Maintained schools and academies must appoint a data protection officer (DPO), but under the GDPR there cannot be a conflict of interests with their other responsibilities. This means that it cannot easily be a current member of staff. The DfE has said that one school could be the DPO for another school, which is a cost-effective way of dealing with this problem. The Regulation states that the DPO must have extensive knowledge of the data protection laws, so choose your DPO carefully or employ an external support service.

5 Register with the Information Commissioner’s Office

It is now a statutory requirement for schools in England and Wales, as data controllers, to register with the ICO. Registration for maintained schools in Scotland is through the LEA, but independent schools must register.

Further information


Use the following items in the Toolkit to put the ideas in the article into practice:

About the author

Claire Ashton is a sector marketing manager for education at IT Governance and a GDPR practitioner. She has worked in the sector for almost 20 years and understands well the challenges faced by school business managers. IT Governance helps schools and multi-academy trusts protect themselves and their pupils from cyber threats and it supports organisations with their GDPR compliance.

Last modified on Wednesday, 23 May 2018 09:07

Only subscribers can access this information. Subscribe now, click below!