The UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018) mandate certain safeguards regarding the use of personal data by organisations, including the department, local authorities and schools.<\/p>\n\n\n\n
Both give rights to those (known as data subjects) about whom data is processed such as pupils, parents and teachers. These rights include (amongst other information that the department is obliged to provide) the right to know:<\/p>\n\n\n\n
For the purposes of data protection legislation, the terms \u2018process\u2019, \u2018processed\u2019 or \u2018processing\u2019 apply to any activity involving the personal data, such as:<\/p>\n\n\n\n
As data processors and controllers in their own right, it is important that schools process all data (not just that collected for the purposes of the school census) in accordance with the full requirements of the UK GDPR.<\/p>\n\n\n\n
Further information on the UK GDPR can be found in the Information Commissioner\u2019s Office (ICO) UK General Data Protection Regulation (GDPR).<\/a><\/p>\n\n\n\n The sections below provide additional information on two aspects of data protection legislation \u2013 namely privacy notices and data security.<\/p>\n\n\n\n Being transparent and providing accessible information to individuals about how you will process their personal data is a key element of UK GDPR and DPA 2018. The most common way to provide such information is through a privacy notice. Please see the Information Commissioner\u2019s Office (ICO) website for further guidance on privacy notices<\/a>.<\/p>\n\n\n\n The DfE provides suggested wording for privacy notices <\/a>that schools and local authorities may wish to use. However, where the suggested wording is used, the school or local authority must review and amend <\/strong>the wording to reflect local business needs and circumstances.<\/p>\n\n\n\n This is especially important, as the school will process data that is not solely for use within census data collections. As such, to comply with UK GDPR, the privacy notice should contain details of all uses of data within the school, which may include, for example, information used locally for pupil achievement tracking and (where relevant) the use of CCTV data.<\/p>\n\n\n\n The DfE recommends that the privacy notice is included as part of an induction pack for pupils and staff, is made available on the school website for parents and features on the staff notice board or intranet. Privacy notices do not need to be issued on an annual basis, where:<\/p>\n\n\n\n However, it remains best practice to remind parents of the school\u2019s privacy notices at the start of each term (within any other announcements \/ correspondence to parents), and it is important that any changes made to the way the school processes personal data are highlighted to data subjects.<\/p>\n\n\n\n Schools and local authorities have a (legal) duty under the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018 to ensure that any personal data they process is handled and stored securely. Further information on data security is available from the https:\/\/ico.org.uk\/for-organisations\/guide-to-data-protection\/guide-to-the-general-data-protection-regulation-gdpr\/security\/<\/a>.<\/p>\n\n\n\n Where personal data is not properly safeguarded, it could compromise the safety of individuals and damage your school\u2019s reputation. Your responsibility as a data controller extends to those who have access to your data beyond your organisation where they are working on your behalf \u2013 for example, where external IT suppliers can remotely access your information.<\/p>\n\n\n\n The \u2018School procurement: selecting a school MIS<\/a>\u2019 and \u2018Responsible for information<\/a>\u2019 pages provide further guidance and advice.<\/p>\n\n\n\n It is vital that all staff with access to personal data understand the importance of:<\/p>\n\n\n\n As such, schools should provide appropriate initial and refresher training for your staff.<\/p>\n\n\n\n Where schools chose to use cloud software services, additional information on handling data securely within such environments is available within the department guidance on data protection for schools considering cloud software services<\/a>.<\/p>\n\n\n\n Information Commissioners Office and Department for Education websites:<\/strong><\/p>\n\n\n\nLegal duties under the UK General Data Protection Regulation and Data Protection Act 2018: privacy notices<\/h2>\n\n\n\n
\n
Legal duties under the UK General Data Protection Regulation and the Data Protection Act 2018: data security<\/h2>\n\n\n\n
\n