What is a Data Controller and a Data Processor?
Schools are regarded as ‘data controllers’. This means that they determine the purposes for which, and the manner in which, the personal data they hold is used. ‘Data processors’ only use the personal data transferred to them in the way that the ‘data controller’ instructs them to. Data processors for schools will include the suppliers which process personal data on the school’s behalf, for example transport providers, finance providers, or the school text messaging service.
Do schools need a Data Protection Officer (DPO) and who can take on this role?
Under the GDPR, you must appoint a DPO if you are a public authority.
When deciding who your school DPO should be, avoid creating a conflict of interest. For example, the Headteacher, Chair of Governors or IT Manager would not be good choices, as these are the people who make or influence technological or processing decisions. It would be a bit like marking your own homework! Any other role is likely to be fine, provided that the person has the right personal qualities, skills, experience and knowledge, no conflict of interest, the authority to challenge SLT and, importantly, the time to carry out the role. As a minimum, the DPO will be required to:
- raise awareness and train staff (data protection training should be provided annually or no later than every 2 years in schools and is a legal requirement)
- carry out audits
- inform and advise the school on data protection matters
- monitor compliance with the GDPR and school policies
- advise on the use of Data Protection Impact Assessments
The school DPO is also the main point of contact for the ICO and for data subjects.
If you’re interested in outsourcing your DPO responsibilities, you should consider our outsourced DPO service as a solution. One of our data protection experts will act as your school DPO, working with you to understand your organisation and its compliance requirements. They’ll complete the necessary tasks and provide you with guidance whenever you need it. We also offer a range of services to support your own school DPO in their role.
How can schools demonstrate to the Information Commissioner’s Office (ICO) that they take GDPR and Data Protection seriously?
There are a number of things schools can do to demonstrate this; these are a few examples – this list isn’t exhaustive!
- Carry out an annual audit to check your GDPR compliance and develop an action plan to address any issues or areas of concern raised
- Carry out a data mapping audit to assist your school in setting up a Record of Processing Activities document
- Update your policies, procedures, consent forms, privacy notices and contracts
- Deliver awareness training to staff either annually or at least every 2 years, and more in-depth training to those who handle particularly sensitive information
- Create a school retention policy and publish it on the school website
What should we communicate to parents and carers about GDPR?
Schools must inform parents and carers about the personal data being collected, how this data is being used, whether any third parties are involved with this data, and their rights in relation to this data. This is usually communicated in a Privacy Notice. The ICO recommends a layered approach to providing privacy information. Schools may want to think about giving a hard copy of the privacy notice to parents of new pupils joining the school, emailing parents a copy of or a link to the notice, making the notice available on the school’s website and noticeboard, and referencing the privacy notice in communications with parents.
Do schools need to write a policy explaining how they manage personal information?
Yes. This is otherwise known as a Data Protection Policy. Schools hold a multitude of personal information, not only about pupils but also about staff, and this will include special categories of personal information, for example health data. The Data Protection Policy requires the school to detail how it complies with the enhanced obligations of the GDPR. Every school must have a Data Protection Policy, from which the school’s Privacy Notice will be derived.
What is the difference between a privacy notice and data protection policy?
A privacy notice is a public document that communicates privacy information to the people about whom you hold personal data. It sets out how you will process their data lawfully and in accordance with the GDPR.
A data protection policy is an internal document which sets out the processes and procedures your school has adopted in order to ensure compliance with the GDPR in the processing of personal data.
Does a privacy notice have to be signed by parents?
No, a privacy notice does not need to be signed by parents. Schools should consider including the privacy notice in the new school year information pack for pupils, parents and carers.
What is the age of child consent in GDPR context?
Schools need to consider this question for online and non-online services.
Online services (such as the use of social media, online games or third-party interactive learning systems): the age at which a child can give consent is 13. If the child is under 13 or, for whatever reason, is deemed incapable of giving informed consent, then consent must be sought from the child’s parent or guardian.
Non-online services: the GDPR does not set out a general age of child consent for non-online services. Schools must consider the appropriate age for children to be able to consent and, in doing so, should consider the age at which children would fully understand their actions and the consequences of giving their consent. Schools may wish to align this age of consent under the GDPR with the other consents they seek, for example consent for school educational visits. If schools wish to rely upon consent from children, they must ensure that the child can understand what they are consenting to; otherwise the consent is not ‘informed’ and is therefore invalid.
Do all school staff need GDPR training?
Yes. It is important that all school staff are aware of their responsibilities for the protection of personal information. Schools must deliver awareness training to staff either annually or at least every 2 years and more in-depth training to those who handle particularly sensitive information. Our e-learning training will help you to meet these requirements.
Is there an issue regarding the extent to which admin staff have access to information?
Admin staff in schools have access to personal data as part of their job, and therefore schools need to ensure that they comply with the GDPR principles. The GDPR requires you to ensure that anyone acting under your authority with access to personal data does not process that data unless you have instructed them to do so. It’s therefore vital that your staff understand the importance of protecting personal data, are familiar with your security policies and put those procedures into practice. Your school must provide appropriate initial and refresher training. Schools should restrict each member of staff’s access to only the information they need to perform their role.
Many primary schools struggle to find secure storage space to file large individual pupil records for the required period – how might this be managed?
In an effort to increase efficiency and future-proof the school’s systems, schools should consider switching to electronic records by scanning documents. Schools may also consider using secure off-site storage providers to hold records that do not need to be kept on site (for example records that would not need to be accessed urgently) but which cannot yet be destroyed. Schools must be satisfied that the information will be held securely. It is also the school’s responsibility to remove data which is no longer required.
Is consent required for use of pupil photographs?
Consent is required for the use of pupil photographs in certain circumstances. If a school wishes to use pupil photographs for general display or publication purposes, parental consent should be sought regularly, and the frequency should be stated in the school’s pupil and parent privacy notice. Where pupil photographs are used for identification purposes within secured pupil records, for example on SIMS, consent is not required: a school may rely on public task as the legal basis for processing pupil photographs for this purpose, so consent is not needed.
Do you have to delete pupils’ photographs from a school website at end of each year?
Schools do not need to delete photographs from the school website each year provided that they have consent in place to use the photographs for this purpose and have set out the length of retention within such consent. Schools only need to stop using these photos once the time period for retention has lapsed.
Should schools allow third parties to take pupil photos, for example at sporting, music or drama events, or should schools have a no-photography policy?
This is a matter for each individual school’s Board of Governors. From a GDPR perspective, there is no requirement that schools adopt a no-photography policy at sports, music or drama events, because data protection law does not apply to the use of personal data for purely personal or household activities. Schools may, however, wish to have clear guidance regarding parents or others taking photographs and videos, linked to the school’s social media policy; for example, parents may not post photos and videos of school events which include children other than their own on social media sites. Where a school event includes children for whom consent to take photographs and videos has not been provided, the school must decide how to manage this. The school itself would require consent if it wished to photograph the event for promotional or other such reasons.
Is consent from parents or carers required for the display of a child’s photo alongside their medical needs?
No. A risk-based assessment should be undertaken. In some schools, a considerable percentage of a class may have inhalers, EpiPens or other emergency medical interventions, and it is necessary to ensure that the correct intervention is administered to the right child. The decision to use photographs to identify children at risk of requiring urgent medical intervention is ultimately a decision for the school. It must consider a number of factors, such as the number of staff, the number of children with conditions, the risks associated with misapplied medical interventions, and whether to display photographs in at-risk areas or staff rooms. A school may consider this necessary as part of its duty of care to pupils. As this is special category information, schools may consider that the processing is necessary for the purposes of occupational medicine or health care treatment. Schools should also inform affected parents and carers that this is being done. It may be appropriate to have some method of covering the photos when the school is closed, for example a curtain, to prevent casual access through windows or when the school spaces are being used at night.