GDPR for schools – a quick intro
Since 2018 – and possibly before – you’ve probably heard a lot about the General Data Protection Regulation (GDPR). It’s a law from the EU that sets out how organisations can use people’s personal data, and from some of the headlines, it seems like it applies to everyone and everything.
Thankfully, this isn’t the case, but it is an important law and it does apply to schools’ data, so schools need to make sure they meet its requirements. This article is focused on how the GDPR affects schools.
Before starting, it’s useful to understand a few key terms. We have outlined these here.
Who is affected?
At your school, some people will be more affected than others, but everyone has a role in data protection.
The school’s leadership team is responsible for making sure the school’s data protection activities meet the GDPR’s requirements. The team needs to ensure that everyone else knows how to handle personal data, which means it should have policies and procedures that anyone can follow, and it should lead a culture of data privacy. At least one member of the leadership team should get some more specialised training on the GDPR, such as a GDPR Practitioner qualification.
The data protection officer (DPO) is responsible for checking that the school is handling data properly and advising on how to do so. They need to have a strong grasp of both data protection law and how the school uses personal data.
Most schools will need a DPO. Independent schools will need to appoint one if their core activities require ‘regular and systematic monitoring of data subjects on a large scale’ or large-scale processing of sensitive personal data. Even if you don’t need one, appointing a DPO is good practice and demonstrates that the school takes data protection seriously. Read more about appointing an appropriate DPO here.
Everyone needs to understand and follow the policies and procedures for handling personal data, and lead by example in how they handle the data in their care. Everyone will need some kind of training so they know where to find the right procedures and when to ask the DPO or leadership team for support. A strong training programme will help staff understand their role in data protection and encourage them to take personal responsibility for it. Some roles may also have additional duties: for example, staff involved in child protection or in contracts with suppliers, or staff asked to help with data protection activities such as data protection impact assessments (DPIAs).
What do I need to know?
Most staff will really only need to know what the policies and procedures are, and make sure they follow them. To help you understand how these fit together, here are some of the key facts about data protection in schools.
Reporting data breaches
A data breach is any instance in which personal data is accidentally or unlawfully disclosed, destroyed, lost or altered, or in which there is unauthorised access to personal data. Where there is a risk to the rights and freedoms of the data subjects whose data has been compromised, these breaches need to be reported to the Information Commissioner’s Office (ICO) within 72 hours of being discovered. It’s important that everyone knows to report any suspected breach so that it can be investigated.
Understanding when schools need to report a data breach
All data breaches must be reported as soon as possible to the relevant person in school, such as the DPO. They can decide whether the breach needs to be reported to the ICO. The GDPR states that any breaches that could lead to physical, material or non-material damage to an individual should be reported.
In the school setting, this includes breaches that could cause: discrimination, including bullying; identity theft or fraud; financial loss; reputational damage; and loss of confidentiality of personal data protected by professional secrecy. We explain this further in a blog on the IT Governance website.
Personal data is frequently shared with others, but there are rules about how this can be done. It’s useful to split this up by who the recipient is:
Processor in the UK
This might include companies that provide Cloud (online) software or apps. Personal data can only be sent to a processor if there is a contract in place that makes sure the recipient will protect the personal data. It’s important to remember that some processors might store the data outside the UK, in which case you need to treat the transfer as if it were going to a processor outside the UK.
Processor outside the UK
A lot of processors are based outside the UK, especially Cloud service providers. As well as making sure there’s a contract to guarantee the personal data will be protected, other measures might be necessary to ensure that data subjects’ rights are protected once the data leaves the UK.
The data subject
Data subjects can ask for access to their personal data whenever they like and the school will have to provide it. This is normally done through a data subject access request (DSAR – see below).
For school-wide software and apps, most staff won’t need to worry too much about the first two recipient types (processors inside and outside the UK), as the contracts and any other measures should be taken care of by the school’s contracting processes. You should be mindful of any services you decide to use within your classroom or department: choose companies that display strong data protection practices and make sure there is a contract in place.
Data subjects have a number of rights under the GDPR, including the right to access their personal data via a DSAR. A DSAR can also be used to exercise their other rights.
Possibly the most important thing to know about DSARs is that the data subject can submit them in any way they like. They could ask in person, over a phone call, via email, by sending a letter or by any other method they choose. Because of this, everyone needs to know how to recognise a DSAR so that it can be acted on quickly.
The GDPR says that DSARs need to be responded to within a month (with extensions possible under some conditions), and you should keep a record of the request, as well as how and when it was fulfilled. Your school should have a clear procedure to follow when you receive a DSAR.
We explain this further within the DSAR section of this website.
Children have the same rights as anyone else under the GDPR, but there are additional requirements to protect their data. Children can consent to processing just like an adult as long as they are considered competent; otherwise, consent must be given by their parent or guardian. For most data processing in school, consent is not the lawful basis. Consent applies to processing such as adding a child’s photograph to the school website or sending their details to the local press.
For ‘information society services’ that require consent, however, the child must be at least 13 to give consent themselves. Information society services are any service provided over the Internet, such as social media, e-commerce sites and so on, and they may need consent for some of their processing activities. If your school uses any services like this, you should ensure that consent is given by the appropriate person.
Any app that will be used to store or process personal data of pupils or staff needs to comply with the GDPR, and the school will need to ensure that the terms and conditions recognise this. Depending on the app itself, you may need to make sure there’s a contract between the app developers and the school. If in doubt, check with the DPO.
What about Brexit?
While Brexit means that EU law doesn’t generally apply in the UK from 1 January 2021, the GDPR has been passed into UK law as the UK GDPR. This is nearly identical to the EU’s version of the law and will make little difference to most schools, unless they use processors that are based, or store data, outside the UK, or have students or staff who spend some part of the year living in the EU.
Under the UK GDPR, the only supervisory authority (data protection regulator) is the ICO, which provides a lot of guidance on data protection.
If the school has students or staff who live in the EU for at least part of the year, it may need to make sure it is also meeting the requirements of the EU GDPR. As mentioned above, the EU GDPR and the UK GDPR are largely identical, but the school will need to identify a supervisory authority in the EU that these data subjects can access.