The UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018) mandate certain safeguards regarding the use of personal data by organisations, including the department, local authorities and schools. Both give rights to those (known as data subjects) about whom data is processed, such as pupils, parents and teachers. These rights include (amongst other information that the department is obliged to provide) the right to know:
the types of data being held
why it is being held
to whom it may be communicated
Since schools are data processors and controllers in their own right, it is important that they process all data (not just that collected for the purposes of the school census) in accordance with the full requirements of the UK GDPR. Further information on the UK GDPR can be found in the Information Commissioner’s Office (ICO) overview of the UK General Data Protection Regulation (GDPR).
Legal duties under the UK General Data Protection Regulation and the Data Protection Act 2018: privacy notices
Being transparent and providing accessible information to individuals about how schools and local authorities will process their personal data is a key element of UK GDPR and the DPA 2018. The most common way to provide such information is through a privacy notice. Please see the Information Commissioner’s Office (ICO) website for further guidance on privacy notices.
DfE provides suggested wording for privacy notices that schools and local authorities may wish to use. However, where the suggested wording is used, the school / local authority must review and amend the wording to reflect local business needs and circumstances. This is especially important, as the school will process data that is not solely for use within census data collections.
It is recommended that the privacy notice is included as part of an induction pack for pupils and staff, is made available on the school website for parents, and features on the staff notice board / intranet. Privacy notices do not need to be issued on an annual basis, where:
new pupils and staff are made aware of the notices
the notices have not been amended
they are readily available in electronic or paper format
However, it remains best practice to remind parents of the school’s privacy notices at the start of each term (within any other announcements / correspondence to parents), and it is important that any changes made to the way the school processes personal data are highlighted to data subjects.
Legal duties under the UK General Data Protection Regulation and the Data Protection Act 2018: data security
Schools and local authorities have a legal duty under the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018 to ensure that any personal data they process is handled and stored securely. Further information on data security is available from the Information Commissioner’s Office.
Where personal data is not properly safeguarded, it could compromise the safety of individuals and damage a school’s reputation. Your responsibility as a data controller extends to those who have access to your data beyond your organisation where they are working on your behalf – for example, where external IT suppliers can remotely access your information.
It is vital that all staff with access to personal data understand the importance of:
protecting personal data
being familiar with your security policy
putting security procedures into practice
As such, schools should provide appropriate initial and refresher training for their staff.