Data Protection in Schools: How to Comply With The Data Protection Act 2018
Any organisation that handles personal information must comply with the Data Protection Act 2018 (as amended in accordance with GDPR). However, some organisations have greater data protection risks than others, and this is particularly the case in schools. They must handle personal data about staff and students securely and confidentially, which requires them to implement robust systems and management strategies.
You must know how to help your school fulfil these data protection requirements, so everyone’s personal information is acquired and held securely at all times. This guide will help you understand what duties you should fulfil to uphold data protection in your school.
The contents of this guide are:
- Summary of the Data Protection Act in schools
- The key data protection principles
- Categories of personal data
- Preventing data security breaches in schools
- Data protection use policy for schools
- Who is responsible for data protection in schools?
Summary of The Data Protection Act in Schools
Schools are often filled with hundreds of people. This means your school will likely process a significant amount of personal data about both students and staff, and may regularly share this information with third parties. As a result, data protection in schools can prove especially difficult. However, the Act’s guidance is clear-cut for data controllers and you must adhere to it.
The Act requires schools to:
- Keep personal information safe and secure.
- Protect personal information from misuse.
- Process data securely and confidentially.
- Ensure that all the information they hold about data subjects is accurate.
- Only collect and hold data for its intended purpose.
- Give data subjects control over the use of their personal data.
- Ensure that third parties with whom they share data also process data securely.
Personal information refers to both facts and opinions about a person, whether your school collects it automatically online, holds it electronically on computers, or has hard copies of data in folders and filing cabinets.
Processing data refers to anything you do with a person’s data, including collecting, storing, editing, retrieving, using, disclosing, archiving, and destroying it.
Any data controllers that breach the Data Protection Act, including schools, could receive a significant fine and may suffer other consequences, such as a damaged reputation. The maximum fine a business may face for non-compliance is up to £17 million or 4% of their global turnover (whichever is higher).
Your school can easily avoid these negative legal consequences by having sufficient procedures in place and ensuring everyone fulfils their duties. These are set out in the Act’s key data protection principles.
The Key Data Protection Principles
In order to protect data subjects’ personal information, data protection law (as amended by GDPR) requires all data controllers to follow these key principles:
- Fair, lawful, and transparent processing.
- Purpose limitation.
- Data minimisation.
- Accuracy.
- Data retention periods.
- Data security.
Let’s examine how each of these applies in a school setting:
1. Fair, lawful, and transparent processing.
Under this principle, schools must explain how they plan to process any personal data that they acquire from individuals. This refers to data about both staff and students, and anyone else whose personal information your school processes.
Your school must have a data privacy notice or policy, together with terms and conditions, that clearly explain how it will use any data it receives about a person. This information must be clearly visible to the person at the point when you acquire their data.
For example, if you share a consent form with a student and their parents about a school trip, you should have a statement on it about what their personal information is needed for, what the school intends to use it for, and whom it may be shared with.
Children over 13 should have the opportunity to give consent regarding data protection, but should receive parental input where needed.
2. Purpose limitation.
Schools must not acquire, hold, or process data in any manner that doesn’t relate to its original intended purpose. For example, you can’t take the data you acquired about students for assessments and then use it on your website. Furthermore, you can’t gather data about people on a ‘just in case’ basis. You must have a legitimate reason for obtaining and processing it, and be able to show evidence of this.
3. Data minimisation.
Your school must minimise the amount of personal data it holds, which connects closely to the previous principle. Data must be adequate, relevant, and limited to what is necessary. This means you must decide what information is absolutely critical for the intended purpose and not collect any further data.
When the data you’ve collected has fulfilled its purpose and you no longer need it, you must securely destroy it. The only exception to this is if you must hold it for legal purposes, such as bookkeeping records.
4. Accuracy.
Your school should carry out regular audits of the personal data it holds to ensure it always remains up to date. This is essential for ensuring the school doesn’t process data that does not accurately represent the data subject. It also helps to reduce risk in emergencies: for example, if an out-of-date address or phone number is on record, this can delay emergency actions.
Furthermore, if a member of staff or a student (or their representative) notifies you of a change relating to their personal data, you must update it as soon as possible. This requirement also applies to any third parties with whom you share personal data, such as payroll companies or external exam bodies. Your school must have a system in place for ensuring these third parties can easily correct data where necessary.
5. Data retention periods.
Your school must not hold onto data for longer than is necessary. Once you no longer need it, you must securely destroy it. The disposal of records schedule published by the Department of Education can offer useful guidelines for when you should destroy certain records. Some stipulations are legal obligations while others are best practice, so you should familiarise yourself with them. However, it is still down to your school’s discretion, based on the purpose for which you acquired the data, to decide how long you need to hold onto it.
You should also be aware that data subjects have the right to erasure, also known as the right to be forgotten. This requires you to destroy any personal data you have about the person, unless you have a good reason not to. If you do not have a legitimate reason to deny this request, you must erase all the data you hold about them as soon as possible.
For example, a legitimate reason for not fulfilling an erasure request is needing information about a student so they can sit an exam. Another example is holding information about a member of staff to process their salary.
6. Data security.
This refers to securely holding the data you have about people. You must protect against unauthorised or unlawful processing and against accidental loss, destruction, or damage. To do so, your school should use appropriate technical or organisational measures, such as password protection on digital folders, encryption of files, and physical locks on filing cabinets.
Data security also applies to other forms of processing, including disposal, such as shredding, incinerating, and securely erasing hard disk drives (HDDs). When erasing hard drives, your school may require technical support, as simply deleting the data or formatting the drive can often prove insufficient.
Data security applies to both physical and digital data and to internal and external threats. People must not be able to access data without proper authorisation, whether by physically entering a room that holds student records or by acquiring them digitally through cyber-attacks.
Your school must have security measures in place to prevent this, such as limiting access, using security software, and using secure storage facilities.
Accountability is a new addition to the Data Protection Act in accordance with GDPR. It requires all data controllers to have processes in place that prove their data protection measures are sufficient. This means that your school should keep accurate records of processing activities and update its policies where relevant.
As part of protecting personal data, all schools must also notify the Information Commissioner’s Office (ICO) annually. Failure to do so is a criminal offence. This is not a new requirement, but is an important part of accountability as it enables you to transparently show what data you’re processing and how.
Schools must notify the ICO of:
- The purpose for which they hold personal data.
- What data they hold.
- The source of that data.
- To whom they intend to disclose the data.
- To which countries they intend to transfer the data.
Categories of Personal Data
In order to fulfil these principles, you and everyone in your school must understand what exactly defines personal data. Under data protection law, there are two main types of personal data: personal data and information, and special category data.
Personal Data and Information
This refers to any data about an identifiable living individual that you process in your school, including any records and personal information about staff and students. Examples include:
- Names of staff and pupils.
- Dates of birth.
- Photographs of staff and pupils that are clearly linked to their identity or other personal information about them.
- National insurance numbers.
- Financial information, such as bank details and tax status.
- Recruitment data.
- Attendance and behavioural information.
- Safeguarding information, including SEN assessments and data.
- School work and marks.
- Medical information, such as medical conditions and GP names.
- Exam results.
- Staff development reviews.
This is not an exhaustive list, but it provides common examples of personal data that your school may process.
Special Category Data
Previously known as sensitive personal information, special category data refers to information about more sensitive topics. For example, a person’s race and ethnicity, political opinions, religious beliefs, membership of trade unions, physical or mental health, sexuality, and criminal offences.
The main difference between processing personal data and special category data is that your school must apply greater care when processing the latter.
Preventing Data Security Breaches in Schools
It is crucial for your school to have security measures that prevent data protection breaches of both physical and digital data. Following the principles discussed above will help you do so, but another important aspect to consider is students’ and staff’s access to the internet and data.
Schools must consider how they can prevent breaches that may accidentally or deliberately occur when students and staff use the internet, intranet, and email systems.
Therefore, you must consider the following:
- Does your school monitor or regulate the use of the internet, email, and/or chat rooms?
- Do you use filtering systems to prevent students and staff from accessing inappropriate materials and sites on the internet or network?
- Is there a reporting procedure in place for accidental access to inappropriate materials or sites?
- Is internet safety a part of the curriculum?
- Does your school follow safe practices when publishing images and names of students on its website?
- Does everyone know how to send emails securely?
To combat the issues that these activities may present, your school should have a use policy in place.
Data Protection Use Policy for Schools
A use policy explains what practices students and staff should follow to securely use the internet and email for private communications. It should also cover issues of security when people need to access the school’s intranet off the school grounds via a phone or tablet.
A use policy should cover the following:
- Email. Is homework or other personal data shared between students and staff via email? Can it be done securely? Can you avoid emailing parents sensitive data? When sending bulk emails, are staff using the BCC function to protect potentially hundreds of parents’ emails?
- Chat rooms. Students should only have access to chat rooms that are educational in nature and closely moderated. As part of e-safety education, students should understand the importance of never giving out personal data that would identify them or others over chat.
- Mobile technology. The use policy should explain how people can use mobiles securely and safely and what restrictions apply where needed. Aspects to consider include video messaging, mobile access to the internet, entertainment services (e.g. streaming), and information-based services.
- School websites. You must protect students’ identities. Therefore, if you need to publish an image of a student, for example, their name must not accompany it, and vice versa. You should also always acquire parental permission where relevant. Furthermore, your website should have a clear, detailed privacy statement that sets out how your school intends to use the information it acquires about data subjects and how it will process that information securely.
Who is Responsible For Data Protection in Schools?
Ultimately, everyone has a responsibility to ensure the school securely processes data. Staff, and even students, who handle personal data need to be careful that it does not come into the possession of anyone who doesn’t have permission to view or process it. For example, if a teacher has a USB drive containing information about their students’ assessment submissions, they are responsible for keeping this data secure.
However, your school should have designated individuals who have the necessary knowledge, experience, and training to implement and uphold systems and policies. More specifically, your school must have a designated Data Protection Officer (DPO). All public authorities are required to appoint a DPO by law, but even private schools should have one in place.
Data Protection Officers
The Data Protection Officer in your school is responsible for monitoring internal compliance and helping to establish policies and procedures. They should understand common information risks and the school’s strategies for combating them.
More specifically, DPOs can help your school to:
- Know what personal information your school holds and for what purpose.
- Develop the school’s data protection policy.
- Arrange training for and offer advice to staff.
- Be aware of and monitor who has access to personal data and why.
- Establish best practice guidance for data processors and anyone in the school who handles data.
- Process and respond to all requests for information, correction or erasure.
- Establish and oversee physical and digital security measures.
- Ensure that everyone processes data securely, including when they must destroy it.
- Ensure that third parties have appropriate data protection measures.
Your school must have a written contract with third parties who process data that includes information about data protection duties. The contract should oblige them to implement appropriate security measures for protecting any personal data they process. However, the data controller (your school) still has the main responsibilities under the Data Protection Act: third parties are simply acting on your school’s behalf.
Therefore, your school must ensure that all third parties remain compliant. To do this, your school could request written updates about their security measures or carry out full audits (for example, by visiting the third party’s premises).
It’s crucial for your school to follow the key data protection principles and put in place systems and strategies that facilitate data protection. By doing so, your school will comply with the Data Protection Act, protect staff and students’ confidentiality, and deliver education in a secure environment.