{"id":8945,"date":"2022-07-06T15:09:23","date_gmt":"2022-07-06T14:09:23","guid":{"rendered":"https:\/\/beta.devon.gov.uk\/supportforschools\/?page_id=8945"},"modified":"2024-12-09T15:16:35","modified_gmt":"2024-12-09T15:16:35","slug":"gdpr-faqs","status":"publish","type":"page","link":"https:\/\/www.devon.gov.uk\/support-schools-settings\/administration-and-finance\/administration\/compliance\/gdpr-the-facts-and-useful-links\/gdpr-faqs\/","title":{"rendered":"General Data Protection Regulation (GDPR): FAQs"},"content":{"rendered":"\n<h2 class=\"wp-block-heading headerSlider fullWidthButton active\">What is a data controller and a data processor?<\/h2>\n\n\n\n<p>Schools are regarded as \u2018data controllers\u2019. This means that they determine the particular ways, means and reasons in which they utilise the personal data they hold.<\/p>\n\n\n\n<p>Data processors only use the personal data transferred to them in the particular way that the data controller tells them to.<\/p>\n\n\n\n<p>Data processors for schools will\u00a0include the suppliers which process personal data on their behalf for example,\u00a0transport providers, finance, or the school text messaging service.<\/p>\n\n\n\n<h2 class=\"wp-block-heading headerSlider fullWidthButton active\">Do schools need a data protection officer (DPO) and who can take on this role?<\/h2>\n\n\n\n<p>Under the GDPR, you\u00a0must\u00a0appoint a DPO if\u00a0you are a public authority. When making the decision as to who your school DPO should be, avoid creating a conflict of interest. For example, the Headteacher, Chair of Governors or IT Manager would not be good choices as these are the people who would be making or influencing any technological or processing decisions. 
It would be a bit like marking your own homework!<\/p>\n\n\n\n<p>Any other role is likely to be fine providing that they have the right personal qualities, skills, experience and knowledge, no conflict of interest, the authority to challenge SLT and, importantly, the time to carry out the role.<\/p>\n\n\n\n<p>As a minimum, the DPO will be required to raise awareness, train staff (data protection training should be provided annually or no later than every 2 years in schools and is a legal requirement), carry out audits, inform and advise the school on data protection matters, monitor compliance with GDPR and school policies, and advise on the use of Data Protection Impact Assessments. The school DPO is the main contact point for the ICO and data subjects.<\/p>\n\n\n\n<p>If you\u2019re interested in outsourcing your DPO responsibilities, you should consider our outsourced DPO service as a solution. One of our data protection experts will act as your school DPO, working with you to understand your organisation and its compliance requirements.<\/p>\n\n\n\n<p>They\u2019ll complete the necessary tasks and provide you with guidance whenever you need it. 
We also offer a range of services to support your own school DPO in their role.<\/p>\n\n\n\n<h2 class=\"wp-block-heading headerSlider fullWidthButton active\">How can schools demonstrate to the Information Commissioner&#8217;s Office (ICO) that they take GDPR and data protection seriously?<\/h2>\n\n\n\n<p>\nThere are a number of things&nbsp;schools can do to demonstrate this and these are a few examples &#8211; this list isn&#8217;t exhaustive!\n<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Carry out an annual audit to check their GDPR compliance and develop an action plan to address any issues or areas of concern raised.<\/li>\n\n\n\n<li>Carry out a data mapping audit to assist your school in setting up a Record of Processing Activities document.<\/li>\n\n\n\n<li>Update their policies, procedures, consent forms, privacy notices, contracts.<\/li>\n\n\n\n<li>Deliver awareness training to staff either annually or at least every two years and more in-depth training to those who handle particularly sensitive information.<\/li>\n\n\n\n<li>Create a school retention policy and publish this on the school website.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading headerSlider fullWidthButton active\">What should we communicate to parents and carers about GDPR?<\/h2>\n\n\n\n<p>Schools must inform parents and carers about the personal data being collected, how this data is being used, whether there are any third parties involved with this data, and their rights in relation to this data. This is usually communicated in a Privacy Notice. 
The ICO recommend a layered approach in providing privacy information.<\/p>\n\n\n\n<p>Schools may want to think about giving a hard copy of the privacy notice to parents of new pupils joining the school, emailing parents a copy of or link to the notice, making the notice available on the school\u2019s website and noticeboard, and referencing the privacy notice in communications with the parents.<\/p>\n\n\n\n<h2 class=\"wp-block-heading headerSlider fullWidthButton active\">Do schools need to write a policy explaining how they manage personal information?<\/h2>\n\n\n\n<p>Yes. This is otherwise known as a Data Protection Policy. Schools hold a multitude of personal information not only about pupils but also about staff and this will include special categories of personal information, for example health data. <\/p>\n\n\n\n<p>The school Data Protection Policy requires the school to detail how they comply with the enhanced obligations of the GDPR. Every school must have a Data Protection Policy from which the school&#8217;s Privacy Notice will be derived. <\/p>\n\n\n\n<h2 class=\"wp-block-heading headerSlider fullWidthButton active\">What is the difference between a privacy notice and a data protection policy?<\/h2>\n\n\n\n<p>A privacy notice is a public document that communicates privacy information to the\u00a0people about whom you hold personal data. It sets out how you will process their data lawfully and in accordance with the GDPR.<\/p>\n\n\n\n<p>A data protection policy is an internal document which sets out the processes and procedures your school has adopted in order to ensure compliance with the GDPR in the processing of personal data.<\/p>\n\n\n\n<h2 class=\"wp-block-heading headerSlider fullWidthButton active\">Does a privacy notice have to be signed by parents?<\/h2>\n\n\n\n<p>\nNo, a privacy notice does not need to be signed by parents. 
Schools should consider including the privacy notice in the new school year information pack for pupils, parents and carers.\n<\/p>\n\n\n\n<h2 class=\"wp-block-heading headerSlider fullWidthButton active\">What is the age of child consent in the GDPR context?<\/h2>\n\n\n\n<p>Schools need to consider this question for online and non-online services.<\/p>\n\n\n\n<p>Online services (such as the use of social media, online games or third-party interactive learning systems): the age of consent for a child is from 13 years old. If the child is less than 13 or, for whatever reason, is deemed incapable of giving informed consent, then the consent must be sought from the parent or guardian for the child.<\/p>\n\n\n\n<p>Non-online services: GDPR does not set out the general age of child consent for non-online services. Schools must consider the appropriate age for children to be able to consent and in doing so they should consider the age at which children would fully understand their actions and the consequences of giving their consent.<\/p>\n\n\n\n<p>Schools may wish to align this age of consent in relation to GDPR with the other consents sought, for example school educational visit consents. If schools wish to rely upon consent from children, then schools must ensure that the child can understand what they are consenting to, otherwise the consent is not \u2018informed\u2019 and therefore is invalid.<\/p>\n\n\n\n<h2 class=\"wp-block-heading headerSlider fullWidthButton active\">Do all school staff need GDPR training?<\/h2>\n\n\n\n<p>Yes. It is important that all school staff are aware of their responsibilities for the protection of personal information. Schools must deliver awareness training to staff either annually or at least every two years and more in-depth training to those who handle particularly sensitive information. Our e-learning training will help you to meet these requirements. 
<\/p>\n\n\n\n<h2 class=\"wp-block-heading headerSlider fullWidthButton active\">Is there an issue regarding the extent to which admin staff have access to information?<\/h2>\n\n\n\n<p>Admin\u00a0staff in schools have access to personal data as part of their job and therefore schools need to ensure that they comply with the GDPR principles.<\/p>\n\n\n\n<p>The GDPR requires you to ensure that anyone acting under your authority with access to personal data does not process that data unless you have instructed them to do so.<\/p>\n\n\n\n<p>It&#8217;s therefore vital that your staff understand the importance of protecting personal data, are familiar with your security policies\u00a0and put their procedures into practice. Your school must\u00a0provide appropriate initial and refresher training. Schools should restrict staff access to only the information that they need to perform their role.<\/p>\n\n\n\n<h2 class=\"wp-block-heading headerSlider fullWidthButton active\">Many primary schools struggle to have secure storage space to file large individual pupil records for the required period \u2013 how might this be managed?<\/h2>\n\n\n\n<p>In an effort to increase efficiency and future-proof the school\u2019s systems, schools should consider switching to electronic records by scanning documents.<\/p>\n\n\n\n<p>Schools may consider using secure off-site storage providers to safely secure records that do not necessarily need to be onsite (perhaps records that wouldn&#8217;t need to be accessed urgently) but which cannot be destroyed.<\/p>\n\n\n\n<p>Schools must be satisfied that the information will be held securely. It is also the responsibility of the school to remove data which is no longer required. <\/p>\n\n\n\n<h2 class=\"wp-block-heading headerSlider fullWidthButton active\">Is consent required for use of pupil photographs?<\/h2>\n\n\n\n<p>Consent is required for the use of pupil photographs in certain circumstances. 
If a school wishes to use pupil photographs for general display or publication purposes, parental consent should be sought regularly.<\/p>\n\n\n\n<p>The frequency should also be stated in the school\u2019s pupil and parent privacy notice. Where pupil photographs are used for identification purposes within the secured pupil records, for example on SIMS, consent is not required.<\/p>\n\n\n\n<p>A school may consider using public task as a legal basis for processing in using the pupil photographs for this purpose and therefore consent is not required. <\/p>\n\n\n\n<h2 class=\"wp-block-heading headerSlider fullWidthButton active\">Do you have to delete pupils\u2019 photographs from a school website at the end of each year?<\/h2>\n\n\n\n<p>\nSchools do not need to delete photographs from the school website each year provided that they have consent in place to use the photographs for this purpose and have set out the length of retention within such consent. Schools only need to stop using these photos once the time period for retention has lapsed.\n<\/p>\n\n\n\n<h2 class=\"wp-block-heading headerSlider fullWidthButton active\">Should schools allow third parties to take pupil photos, for example at sporting, music or drama events, or should schools have a no photography policy?<\/h2>\n\n\n\n<p>This is a matter for each individual school\u2019s Board of Governors. There is no requirement that schools adopt a no photography policy at sports, music or drama events from a GDPR perspective. Data protection does not apply to the use of personal data for personal or household activities.<\/p>\n\n\n\n<p>From a data protection perspective, schools may wish to have clear guidance regarding parents or others taking photographs and videos with respect to school social media policies. 
For example, parents may not post photos and videos of school events which include children other than their own on social media sites.<\/p>\n\n\n\n<p>Where a school event includes children for whom consent to take photographs and videos has not been provided, the school must decide how to manage this. The school would require consent if it wished to photograph the event itself for promotional or other such reasons. <\/p>\n\n\n\n<h2 class=\"wp-block-heading headerSlider fullWidthButton active\">Is consent from parents or carers required to display a photo of a child with medical needs?<\/h2>\n\n\n\n<p>No. A risk-based assessment should be undertaken. In some schools, a considerable percentage of a class may have inhalers, epipens or other emergency medical interventions. It is necessary to ensure the correct intervention is administered to the child.<\/p>\n\n\n\n<p>The decision to use photographs for the identification of children at risk of requiring urgent medical intervention is ultimately a decision for the school. They must consider a number of factors, such as the number of staff, the number of children with conditions, risks associated with misapplied medical interventions, and the decision to have photographs displayed in at-risk areas or staff rooms.<\/p>\n\n\n\n<p>A school may consider this necessary as part of its duty of care to pupils. As this is special category information, schools may consider that the processing is necessary for the purposes of occupational medicine or health care treatment.<\/p>\n\n\n\n<p>Schools should also inform affected parents and carers that this is being done. It may be appropriate to have some method of covering the photos when the school is closed, for example a curtain, to prevent casual access through windows or where the school spaces are being used at night. <\/p>\n","protected":false},"excerpt":{"rendered":"<p>What is a data controller and a data processor? Schools are regarded as \u2018data controllers\u2019. 
This means that they determine the particular ways, means and [&hellip;]<\/p>\n","protected":false},"author":981,"featured_media":0,"parent":8943,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_acf_changed":false,"footnotes":"","_links_to":"","_links_to_target":""},"class_list":["post-8945","page","type-page","status-publish","hentry"],"acf":[],"publishpress_future_action":{"enabled":false,"date":"2026-05-13 17:45:27","action":"change-status","newStatus":"draft","terms":[],"taxonomy":"","extraData":[]},"publishpress_future_workflow_manual_trigger":{"enabledWorkflows":[]},"_links":{"self":[{"href":"https:\/\/www.devon.gov.uk\/support-schools-settings\/wp-json\/wp\/v2\/pages\/8945","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devon.gov.uk\/support-schools-settings\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.devon.gov.uk\/support-schools-settings\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.devon.gov.uk\/support-schools-settings\/wp-json\/wp\/v2\/users\/981"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devon.gov.uk\/support-schools-settings\/wp-json\/wp\/v2\/comments?post=8945"}],"version-history":[{"count":2,"href":"https:\/\/www.devon.gov.uk\/support-schools-settings\/wp-json\/wp\/v2\/pages\/8945\/revisions"}],"predecessor-version":[{"id":28422,"href":"https:\/\/www.devon.gov.uk\/support-schools-settings\/wp-json\/wp\/v2\/pages\/8945\/revisions\/28422"}],"up":[{"embeddable":true,"href":"https:\/\/www.devon.gov.uk\/support-schools-settings\/wp-json\/wp\/v2\/pages\/8943"}],"wp:attachment":[{"href":"https:\/\/www.devon.gov.uk\/support-schools-settings\/wp-json\/wp\/v2\/media?parent=8945"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}