The GDPR was enacted into UK law as the Data Protection Act 2018. As with many organisations, it imposes legal obligations on schools and on the ways they must manage and process personal data.
The legislation gives the Information Commissioner’s Office (ICO) powers to impose significant financial penalties. Ofsted now includes data protection compliance within its inspection criteria, and there is a greater chance of reputational damage from bad publicity.
This page explains what the new legislation means for schools and the main areas that need to be considered. It is based on the DPO Centre’s experience from working with over 120 schools and colleges.
WHAT DOES NEW DATA PROTECTION LEGISLATION MEAN FOR SCHOOLS?
Like other organisations, all schools must:
- have access to their personal data
- ensure it is correct and modify it as necessary
- have it deleted (unless needed for legitimate reasons)
SCHOOL ACTIVITIES USING PERSONAL DATA
Schools must protect personal data in a wide range of areas. These include:
- SIMS, ScholarPack, Arbor etc.
- 2Simple, Tapestry early years systems
Communications and consent management
- Photography and displaying pictures
- Social media, posting images
- Parent communications, satchel post, Teachers2Parents, ParentMail etc.
- Privacy, retention and data
- Staff handbooks
- Network security
- Email systems
- Staff payroll, pension and other HR records
- Paper records
- Visitors’ book and access systems
- Managing CCTV/Video
Managing Sensitive Information
- Special educational needs
- Medication and medical data
- Safeguarding and family issues
- DBS Checks
Teaching and getting the job done
- Children’s workbooks
- Wall displays and name badges
- Pupil premium data
- Reports and taking data home
- School printing facilities
Sharing data with others
- School trips, peripatetic learning
- Supply teachers
- Feeder and transitional schools
- References for employers and other institutions