GDPR: essential information for schools
The General Data Protection Regulation (GDPR) comes into effect on 25 May 2018 and will replace the existing Data Protection Act. The new regulation represents the biggest change in data protection legislation for 20 years, and its implementation will have a significant impact on the ways in which all schools process the data of pupils and staff.
Awareness and training
Ensure staff are aware that data protection legislation is changing, and assess the impact that this will have on the school. Governors, the Head Teacher and the Senior Leadership Team should already be planning for GDPR, and have identified areas where the school will need to make changes.
Data Protection Officer
Your school may already have a Data Protection Officer (DPO) in place; if not, you will need to appoint someone to take responsibility for data protection across the school. It is mandatory for maintained and academy schools to appoint a DPO.
You need to consider which types of personal data you hold, and where it is stored – including any paper records, the cloud, internal networks and systems. This will include data on students, parents, staff, governors, partnership organisations, suppliers and more. Suppliers that process personal data on behalf of your school must be GDPR compliant.
The GDPR identifies children as “vulnerable individuals” who need “special protection” and therefore you should consider how the child-specific rules will affect your school. Students must give their active, informed consent for information to be gathered and processed, and there must be specific legal grounds for obtaining it. For pupils under 16, parental consent is required.
The current data protection law does not include biometric data but GDPR includes it in the definitions of personal data. If your school uses biometric data, for example, fingerprint scanning to pay for school meals, you will need to apply the same safeguards to this type of data as others.
Update software and IT equipment
GDPR requires you to “ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services” so you may need to look at updating your IT systems or software to ensure they are protecting personal data effectively. Good cyber security should be practised throughout the school, and you should consider whether cyber insurance is appropriate.
Make sure you have effective procedures in place to detect, report and investigate a data breach. All staff should be familiar with the correct procedures, and encouraged to report any potential breach at the earliest opportunity.
Review all your privacy notices including your website, and ensure they are updated and sent to the relevant parties before May 2018. The Department of Education has produced a series of privacy templates for use by schools.
Subject Access Requests
Currently pupils in maintained schools have the right to access the personal information that is held about them, but there is no equivalent legal right for students attending academy schools or free schools.
Under the GDPR, all pupils can make a Subject Access Request (SAR) to see the personal information you hold about them. Both they and their parents also have the right to see their educational records.
The Information Commissioner’s Office (ICO) says, “In deciding what information to supply in response to a SAR, you need to have regard to the general principles about exemptions from subject access.” Information that might be excluded from a SAR made by a pupil could include “information that might cause serious harm to the physical or mental health of the pupil or another individual”. Detailed guidance for schools is available from the ICO website.
Access Request Fees
Currently schools can charge a £10 fee for a subject access request but under the new legislation, you must provide the information without charge. You must provide the information within one month of the request.