
Department for Education Guidance on data sharing, privacy notices and data security

The UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018) mandate certain safeguards regarding the use of personal data by organisations, including the department, local authorities and schools.

Both give rights to the people about whom data is processed (known as data subjects), such as pupils, parents and teachers. These rights include (amongst other information that the department is obliged to provide) the right to know:

  • the types of data being held
  • why it is being held
  • to whom it may be communicated

For the purposes of data protection legislation, the terms ‘process’, ‘processed’ or ‘processing’ apply to any activity involving the personal data, such as:

  • collecting
  • storing
  • sharing
  • destroying
  • etcetera – please note: this list is not exhaustive

As data processors and controllers in their own right, it is important that schools process all data (not just that collected for the purposes of the school census) in accordance with the full requirements of the UK GDPR.

Further information on the UK GDPR can be found in the Information Commissioner’s Office (ICO) UK General Data Protection Regulation (GDPR).

The sections below provide additional information on two aspects of data protection legislation – namely privacy notices and data security.

Legal duties under the UK General Data Protection Regulation and Data Protection Act 2018: privacy notices

Being transparent and providing accessible information to individuals about how you will process their personal data is a key element of UK GDPR and DPA 2018. The most common way to provide such information is through a privacy notice. Please see the Information Commissioner’s Office (ICO) website for further guidance on privacy notices.

The DfE provides suggested wording for privacy notices that schools and local authorities may wish to use. However, where the suggested wording is used, the school or local authority must review and amend the wording to reflect local business needs and circumstances.

This is especially important, as the school will process data that is not solely for use within census data collections. As such, to comply with UK GDPR, the privacy notice should contain details of all uses of data within the school, which may include, for example, information used locally for pupil achievement tracking and (where relevant) the use of CCTV data.

The DfE recommends that the privacy notice is included as part of an induction pack for pupils and staff, is made available on the school website for parents and features on the staff notice board or intranet. Privacy notices do not need to be issued on an annual basis, where:

  • new pupils and staff are made aware of the notices
  • the notices have not been amended
  • they are readily available in electronic or paper format

However, it remains best practice to remind parents of the school’s privacy notices at the start of each term (within any other announcements / correspondence to parents), and it is important that any changes made to the way the school processes personal data are highlighted to data subjects.

Legal duties under the UK General Data Protection Regulation and the Data Protection Act 2018: data security

Schools and local authorities have a (legal) duty under the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018 to ensure that any personal data they process is handled and stored securely. Further information on data security is available from the ICO at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/security/.

Where personal data is not properly safeguarded, it could compromise the safety of individuals and damage your school’s reputation. Your responsibility as a data controller extends to those who have access to your data beyond your organisation where they are working on your behalf – for example, where external IT suppliers can remotely access your information.

The ‘School procurement: selecting a school MIS’ and ‘Responsible for information’ pages provide further guidance and advice.

It is vital that all staff with access to personal data understand the importance of:

  • protecting personal data
  • being familiar with your security policy
  • putting security procedures into practice

As such, schools should provide appropriate initial and refresher training for their staff.

Where schools choose to use cloud software services, additional information on handling data securely within such environments is available within the department guidance on data protection for schools considering cloud software services.

Information Commissioner’s Office and Department for Education websites:

