A quick guide to the GDPR for schools and colleges

Despite the current disruptions and uncertainty – or perhaps because of it – it’s paramount that you remain GDPR (General Data Protection Regulation) compliant.

A data breach would create additional stress and more work for you as you battle to investigate and fix the source of the breach, complete your notification requirements and await feedback from the supervisory authority.

What does the GDPR mean for schools?

The education sector has a harder time than most when it comes to the GDPR, because children’s data merits extra protection and schools and colleges often work with tight budgets, thereby lacking the resources to retain a dedicated information security team.

Likewise, because there is a legal requirement to retain learner data for years after they leave – educational institutions will typically possess a large cache of personal data.

The good news is that the GDPR could be beneficial to organisations in the long term, because it ensures that they reduce the amount of data they process and implement measures that will save money.

For example, one of the GDPR’s principles states that organisations must have greater accountability over the data they collect.

This means, in part, that they only collect data when necessary (what the Regulation refers to as ‘data minimisation’) and that appropriate technical and organisational controls are in place.

For schools, this means giving students – or, in some cases, those with parental responsibility – the right to access and review information that the school stores on them.

Doing this reassures individuals that you are only collecting a reasonable amount of personal information, and it gives them the opportunity to query anything they’re unhappy about or amend records that are inaccurate or incomplete.

Another essential thing to know about GDPR compliance is that its rules don’t necessarily restrict the way organisations process personal data.

This is one of the biggest myths surrounding the Regulation, with people frequently asking us whether they are still allowed to keep data use information in certain ways.

The reality is that all organisations, including schools, can process data provided that they document a legal basis for doing so. These bases are in many cases very broad and will almost certainly align with your data processing practices under the GDPR’s predecessor, the DPA (Data Protection Act) 1998.

For schools, most processing can be justified on the grounds of public interest. This refers to any activity that’s necessary to carry out a specific task that ensures the welfare of the general public or to exercise official authority.

You need to be careful that the data you process is proportionate to your aims (i.e. don’t collect any more information than you need), but by following these rules, you can avoid the complexities that come with getting and obtaining consent.

Who is the data controller and who is responsible for GDPR compliance in schools?

Under the GDPR, the act of obtaining personal data is split into two roles – the data processor and the data controller – and these come with different responsibilities.

In most data processing activities, schools will be the data controller. This means they determine whose information to collect, what types of data are needed and why it’s necessary.

Data controllers must also determine:

  • Whether the information will be shared with a third party and, if so, which one(s);
  • When and where data subjects’ rights apply;
  • How long the data will be retained; and
  • Whether to make non-routine amendments to the data.

Data processors, by contrast, are the people or organisations handling personal data on behalf of the controller. They are responsible for:

  • Overseeing the logistics of data processing;
  • Ensuring that the data is stored securely;
  • Implementing necessary controls for personal data transfers;
  • Ensuring that a retention schedule is adhered to; and
  • Disposing of sensitive data when it’s no longer needed.

The data processor may be a third-party supplier that the school has hired to complete these tasks, or it may be a department within the school itself.

Data controllers and data processors are equally accountable for GDPR compliance, meaning that both parties could face disciplinary action in the event of a data breach.

It’s therefore essential that when schools hire a third-party data processor, they create legally binding contracts that clearly outline how the data processor will meet its requirements.

This helps both parties understand exactly what’s expected of them, and will mitigate the school’s responsibility should a data breach occur.

At what age can pupils be consulted over their data processing?

The GDPR states that, with one exception, organisations cannot legally obtain consent from minors. It’s up to each country to define when someone is no longer a ‘minor’ – in the UK, it’s 13.

If the data subject is younger than that, the organisation must seek the approval of a person holding “parental responsibility”, and make “reasonable efforts” to verify that the person providing the consent is indeed a parental figure.

If the data subject is 13 or older, the organisation is free to seek consent in the same way it would with anyone else.

However, you must remember that the GDPR requires that any communication (including consent requests) must be written in such a way that data subjects can easily understand it.

When you are communicating with children, you must therefore make sure that the language is appropriate. It’s advisable to test your consent requests and privacy policies for clarity.

As we mentioned, there is one set of circumstances where these rules don’t apply: information collected for preventive or counselling services offered directly to the child.

This includes child protection programmes, therapy, and services related to health and wellbeing.

If your school provides services such as these, you are permitted to seek the child’s consent directly without needing the approval of someone with parental responsibility.

In many cases, there is a reason the child has sought outside help rather than speaking to a parent, so it makes sense for the organisation to not only bypass their approval but also to keep such records separate from the rest of the data subject’s files.

This ensures that, should the parental figure submit a data subject access request, they wouldn’t receive the information collected as part of these services.

What happens if a school breaches the GDPR?

If a school learns that it has suffered a data breach, it must investigate the incident immediately.

Your aim is to determine whether the breach needs to be reported to your supervisory authority, which will be the case if it “pose[s] a risk to the rights and freedoms of natural living persons”.

This generally refers to the possibility of affected individuals facing economic or social damage (such as bullying), reputational damage or financial losses.

But how do you know when that’s the case? Here are some examples:

  • Social damage

This applies when the breached records include special needs information, staff and pupil records, child protection records, staff pay scale and payroll information, and pupil progress and attainment records.

  • Identity theft or fraud

This applies when names, dates of birth and addresses are all compromised, or when completed pupil data collection sheets are breached.

  • Financial loss

This applies when banking information from payroll data or recruitment forms is breached, or when unauthorised parties access payment software, billing information or bank accounts.

  • Reputational damage

This applies when the breached information contains staff or pupil performance management records, or child protection records.

How can schools work with the ICO?

If you determine that the incident does meet the notification requirements, you have 72 hours from the time you discovered the breach to report it to your supervisory authority – which, in the UK, is the ICO (Information Commissioner’s Office).

Organisations are expected to provide a detailed account of the incident, including:

  • The extent of the damage;
  • When and how you learned about the breach;
  • When the breach happened;
  • What data protection training the relevant staff have received;
  • Whose data has been affected;
  • How you are responding to the incident; and
  • Who the ICO should contact if it needs more information.

The ICO won’t expect you to provide a comprehensive analysis, given the limited time you have. However, it will expect you to demonstrate an awareness of what’s happened and how the damage should be addressed.

Once you’ve notified the ICO, it will confirm receipt, and the incident will go on a list of active cases that the organisation is looking into. You will generally hear back within a few weeks if the investigators are happy with your actions.

But if the ICO suspects a GDPR violation, it may begin a formal investigation, which can take several months to complete.

Manage your school or college’s GDPR with GDPR.co.uk and our DPO services

You can simplify your data protection compliance requirements with the help of our DPO service and GDPR compliance platform for schools.