Data Protection in Schools: How to Comply With The Data Protection Act
Any organisation that handles personal information about people is required to comply with the Data Protection Act (1998). They must ensure it is handled securely and confidentially, which requires the implementation of robust systems and management strategies. Some organisations are at greater risk than others, however, including school settings.
Schools will hold all sorts of information about both students and staff and so are legally required to follow the Data Protection Act’s requirements. Personal information includes both the facts and opinions of a person.
Data controllers that breach the Data Act, including schools, could be fined up to £500k.
Given that schools comprise potentially hundreds of people and regularly share information with third parties (including students’ parents and exam boards), data protection can prove especially difficult. However, the Act’s guidance is clear-cut for data controllers such as schools and must be adhered to.
By following the Act’s principles, consistently reviewing and updating the processes through which data is protected, and creating data protection policies, schools can ensure data breaches are something we only read about in old news stories.
Processing data includes collecting, storing, editing, retrieving, disclosing, archiving, and destroying – whether it be electronic or hard copy. All these processes are covered by the Act and data controllers must follow the 8 Data Protection Principles when engaging in any of them.
The 8 Data Protection Principles
- Data must be processed fairly and lawfully.
- Data should be obtained only for one or more specified and lawful purposes.
- Personal data held shall be adequate, relevant, and not excessive.
- Data should be accurate and up to date.
- Data should be held no longer than for the purpose it was originally collected.
- Data should be processed in accordance with the data subject’s rights under the Act.
- Data should be secured.
- Data should only be transferred to other countries if they have suitable or equivalent security measures.
Let’s examine how each of these principles applies to school settings:
1. Data must be processed fairly and lawfully.
Under this principle, schools must explain in clear language that the personal data of everyone in the school (both staff and students) will be processed. They must make it clear why they are processing the data, e.g. to facilitate education or to arrange school trips.
Letters sent from schools to parents should ideally have a data protection statement at the bottom where relevant (e.g. if a reply slip is included and requires them to reveal personal data). This statement should specify what the information is needed for, what the school intends to use it for, and with whom it may be shared. A signature that gives consent to the school for using the data for the purpose specified should be acquired where possible, especially in the case of sensitive personal data (which we will discuss later).
Children over 12 should be given the opportunity to give consent with regard to data protection, but where needed parental input should be sought.
2. Data should be obtained only for one or more specified and lawful purposes.
Schools must not acquire data and process it in any manner that doesn’t relate to the intended purpose. So, for example, data acquired about students for assessments can’t then be used on the school’s website.
3. Personal data held shall be adequate, relevant, and not excessive.
Determining what may be excessive includes looking at forms and deciding what information is absolutely critical for the intended purpose. Anything else may be considered excessive and irrelevant. Fields that are vital could have an asterisk placed next to them to make it clear to the person what they must fill in and where they can leave spaces blank.
Information should not just be collected because it might become useful later – it has to be essential for the present intended purpose.
4. Data should be accurate and up to date.
At least annually, schools should check that ‘live’ files are accurate and up to date. An information audit could be conducted – writing to each person and asking them to confirm that the data the school holds about them is correct.
Not only is this essential for ensuring the school is not processing data about people that is inaccurate and therefore might not be representing them correctly, but it also prevents emergency risks, e.g. if an out-of-date address or phone number is on record.
Although checks should be carried out annually, any time the school becomes aware that information needs amending they should do so immediately.
5. Data should be held no longer than for the purpose it was originally collected.
Once data the school has collected is no longer needed, it must be disposed of securely. Schools must follow the disposal of records schedule, which indicates how long certain types of personal data can be retained and when they must be destroyed. Some stipulations are legal obligations while others are best practice.
6. Data should be processed in accordance with the data subject’s rights under the Act.
Under the Human Rights Act 1998, everyone has ‘the right to private family life and correspondence’, which impacts on how a school can use personal data – privacy and confidentiality must be maintained as much as possible. Consent should always be sought if there is any uncertainty surrounding the use of personal data.
7. Data should be secured.
This naturally applies to the obvious aspect of holding data in a secure fashion – e.g. with password protection, encryption, physical locks, etc. But it also applies to other forms of processing, including disposal – for example, shredding, securely erasing HDDs (technical support may be required as simply erasing the data or formatting the drive might not be enough).
Training all staff about security procedures and about the Data Protection Act is also essential for ensuring security. Everyone will likely handle personal data at some point so they must be aware of how to handle it securely. Furthermore, schools must ensure that security checks are undertaken on data processors who are not members of the school’s staff.
8. Data should only be transferred to other countries if they have suitable or equivalent security measures.
All European Union countries have equivalent data protection rules so it is safe to transfer personal data to another EU country if necessary. However, explicit consent should be acquired from the individual if personal data needs to be processed outside of the UK for whatever reason. Unless the school can establish a safe system of data protection with a country that is outside the EU, they should not even consider sharing personal data with it.
All data controllers, including schools, must follow these principles to ensure that the Data Act is complied with and that people’s privacy is protected. Every person has the right to not have personal data about themselves shared or exposed; their right to decide who has access to their personal information must be upheld.
Furthermore, the following information (referred to as ‘fair processing information’) should be readily available to the person whom the data is regarding:
- Details of the data the school holds on them.
- The purpose(s) for which the data is being held.
- Third parties whom the information may be passed onto.
As part of the process of protecting personal data, all schools must notify the Information Commissioner’s Office (ICO) annually. Failure to do so is a criminal offence.
They must notify the ICO of:
- The purpose for which the school holds personal data.
- What data it holds.
- The source of said data.
- To whom they intend to disclose the data.
- To which countries they intend to transfer the data.
Categories of Personal Data
Personally identifiable information (PII)
This refers to any data which relates to an identifiable living individual and is processed. In the context of an educational setting, this means any records and personal information about staff and students. Examples include:
- Names of staff and pupils.
- Dates of birth.
- National insurance numbers.
- School marks.
- Medical information.
- Exam results.
- SEN assessments and data.
- Staff development reviews.
Sensitive personal identifiable information (SPII)
This refers to information about more sensitive topics, such as a person’s race and ethnicity, political opinions, religious beliefs, membership of trade unions, physical or mental health, sexuality, and criminal offences.
The main difference between processing personal data and sensitive personal data is that there are greater legal restrictions on the latter. Most schools will hold some form of sensitive data about pupils and staff, so processing this requires extra care.
Preventing Data Security Breaches in Schools
Aside from professionally and confidentially handling data within the school and when passing it electronically or physically to third parties (such as examination boards or statutory bodies), and following the 8 principles as discussed above, another important aspect to consider is students’ and staff’s access to the internet and data.
Schools must consider how they can prevent breaches that may inadvertently be caused by the use of the internet, intranet, and email systems. To decide where changes may need to be made to improve data protection, the following questions should be taken into consideration:
- Does the school have a Data Protection Policy in place?
- Does the school have a Use Policy in place?
- Is the use of the internet, email, and/or chat rooms monitored/regulated in some way?
- Are filtering systems used to prevent access to inappropriate materials and sites on the internet/network?
- Is there a reporting procedure in place for accidental access to inappropriate materials/sites?
- Is internet safety taught as part of the curriculum?
- Does the school follow safe practices when publishing images and names of students on their website?
- Is information sent to parents via email?
Indicators of inadequate data protection practices include a lack of e-safety education across the curriculum, no internet filtering or monitoring, and students being unaware of how to report problems.
Data Protection Use Policy for Schools
This will stipulate how individuals can use the internet and email for private communications securely. It should also cover issues of security when the school’s intranet is accessed from outside of the school grounds via a phone or tablet etc.
Aspects that a use policy should cover include:
- Email – is homework or other personal data allowed to be shared between students and staff via email? Can it be done securely? Can emailing parents sensitive data be avoided? When sending bulk emails, are staff using the BCC function so that potentially hundreds of parents’ emails are not disclosed?
- Chat rooms – students should only have access to chat rooms that are educational in nature and are moderated. As part of e-safety education students should be taught to never give out personal data that would identify them or others over chat.
- Mobile technology – the policy should stipulate how these can be used securely and safely and what restrictions apply where needed. Aspects to consider include video messaging, mobile access to the internet, entertainment services (e.g. streaming), and information-based services.
- School websites – students’ identities must be protected; if an image of a student is used, their name must not accompany it and vice versa. Parental permission should always be acquired. Furthermore, a clear, detailed privacy statement should be displayed on the website which states how information they acquire will be used.
Responsibility for Data Protection in Schools
Ultimately, everyone has a responsibility in ensuring data is processed securely in a school. Staff and even students who handle personal data need to be careful that it does not come into possession of anyone who hasn’t been given permission to view or process it by the person whom the data is about.
So, for example: if a teacher has a USB containing information about their students’ assessment submissions, they are responsible for ensuring this data is not lost. If it were, it’d be a breach of data protection.
However, there should be specifically elected individuals who are educated on data protection and who implement and uphold systems and policies.
The Senior Information Risk Officer (SIRO)
All schools should have a senior member of staff who is familiar with information risks and the school’s strategies for combatting these risks. This is usually a member of the Senior Leadership Team, and responsibilities include:
- Ensuring appropriate mitigations are in place to minimise risks.
- Fostering a culture that values, protects, and utilises information securely and in a way that benefits the organisation.
- Owning the information risk policy and risk assessments and ensuring they are implemented by the Information Asset Owner(s).
- Acting as an advocate for information risk management.
SIROs should undertake information risk management training every year to keep their skills and capabilities up to date and relevant to their organisation. It’s essential that they have the necessary knowledge and skills to fulfil their role and ensure people’s privacy.
The Information Asset Owner (IAO)
The IAO is a member of the school community who is responsible for compiling or working with specific personal information. According to gov.uk, they are required to have a strong understanding of:
- What information the organisation holds and for what purpose.
- How the information is amended, added to/removed, or moved over time.
- Who has access to the data and for what purpose.
- How the information is retained and disposed of securely.
They also have a number of responsibilities, including:
- Maintaining a log of access requests made to the organisation.
- Monitoring users’ rights to transfer information to removable media, i.e. USB and external hard drives.
- Negotiating, managing, and approving agreements on the sharing of personal information.
- Monitoring access to personal information.
- Providing an annual written assessment to the SIRO detailing the security and use of their asset.
When appointed to their position they must undertake information management training, and retake it at least annually.
Data processors and data controllers must liaise
The school – the data controller – may give some degree of responsibility to an individual or third party for data protection and they are known as the data processor. A written contract should be put in place with the data processor, which obliges them to implement appropriate security measures for protecting any personal data processed.
However, the data controller is still responsible under the Data Protection Act for data protection: the data processor is acting on their behalf. Thus, they must have methods for ensuring that the data processor is consistently complying. For example: requesting regular written updates about security measures or carrying out full audits (e.g. visiting the premises).
By adhering to the 8 principles as stipulated by the data act and putting in place systems and strategies that facilitate data protection, schools will be able to comply with the Data Protection Act and ensure that staff and students’ confidentiality is not compromised and that the school can deliver education in a secure environment.
Liz has a degree in English and Creative Writing and is skilled at writing about technical subjects in a style that anyone can understand – she enjoys supporting people’s learning. Outside of work, Liz spends her time on hobbies such as writing, reading, gaming, and fine art.