Detailed guide: Brexit guide: data protection for education providers
The steps education providers must take to remain compliant with data protection laws when the UK leaves the EU.
Overview
Read this guidance if you:
- are an education provider who is a data controller or data processor
- transfer personal data between the UK and the EEA
- transfer personal data within the EEA
This guidance is:
- not designed to cover every instance where you process personal data
- not designed to replace your own risk review
- not a substitute for legal advice
Steps you must take
These steps will help you plan how you can continue to share and receive personal data lawfully.
You should:
- continue to carry out your own risk review
- get legal advice if you are not sure
Sharing data with the EEA
Contact anyone you share personal data with within the EEA.
You should explain you can still share personal data lawfully with them once the UK leaves the EU.
Receiving data from the EEA
Identify where you receive data from the EEA and determine:
- who the data controllers and processors are
- where the data is stored
Example: data controllers based in the EEA
If you’re running a school exchange with a data controller based in the EEA, you may want to consider whether standard contractual clauses (SCC) are suitable.
Use the Information Commissioner’s (ICO) free interactive tool to help you decide whether this is the case.
Example: when standard contractual clauses (SCC) are not appropriate
If standard contractual clauses (SCC) are not appropriate, other articles of the General Data Protection Regulation (GDPR) provide additional safeguarding measures.
You can find these in Article 46 and Article 49 of GDPR. More information can be found on the ICO website.
General Data Protection Regulation (GDPR)
GDPR will be incorporated into UK law if there’s a no-deal Brexit.
This and the Data Protection Act 2018 will continue to apply to data transferred within or from the UK.
Contracts: new and existing
Ensure that contracts that include the processing of personal data in the EU provide the additional safeguards required.
This applies to:
- existing contracts
- new contracts you put in place after Brexit
Data Protection Impact Assessments (DPIA) and privacy notices
Review and update your:
- Data Protection Impact Assessments (DPIA)
Make sure they:
- are up-to-date
- reflect any changes you are making to your ways of working
Stay up-to-date
This page tells you what to do if there’s a no-deal Brexit. It will be updated if anything changes, including if a deal is agreed.
Sign up for email alerts to get the latest information about Brexit.
Read the guidance on the Information Commissioner’s Office website for further information on data protection.
Definitions
Personal data
Personal data includes, but is not limited to:
- contact information about pupils, students, learners, staff and carers
- health information
- details about recipients of pupil premium
- employee references
- safeguarding information about an individual
- passport information, if planning trips to the EU
- exam pupil references and results
Data controller
Data controller means a person, company or other body that determines the purpose and means by which personal data is processed.
Educational establishments, such as schools, colleges and universities, are often data controllers in their own right.
Data processor
Data processor means anyone who handles personal data on the instructions of a controller, for example, storing, collecting or analysing data as part of a service provided to the controller.
Published 27 March 2019
Last updated 19 August 2019
- Format updates have been made to highlight actions that people need to take. A link has also been added that allows people to sign up for email alerts to get the latest information about Brexit.
- First published.