Data Protection in Schools – Guidance for the Education Sector
This article has been updated to reflect GDPR 2018 and the revised Data Protection Act of 2018.
The Data Protection Act is designed to protect the privacy of individuals. It requires any personal information about an individual to be processed securely and confidentially.
In a school setting, this includes information relating to both staff and pupils. If you must obtain, store, share, or use their personal data, it’s crucial that you so so securely, as personal data is sensitive and private. Everyone, adults and children alike, has the right to know how the information held about them is used and to feel confident that your school is protecting it.
Data Protection Guide
This guide provides you with an overview of everyone’s responsibilities under the Data Protection Act if you work in education. It is vital for you to understand your legal responsibilities under data protection law, as everyone working in the education sector has a duty to ensure their school complies.
The contents of this guide are:
- What is Personal Information?
- Registering with the ICO
- Fair Processing and Privacy Notices
- The Key Data Protection Principles
- Information Security Measures
- Student Subject Access Requests
- Sharing Personal Information
- Special Category Data
- Holding Data and Keeping it Up to Date
- Publishing Exam Results
- Taking Photos in Schools
- Data Protection Policies and Training
- Preventing Data Security Breaches in Schools
- People Responsible for Data Protection in Schools
- Data Processors and Data Controllers
Use the above links to help you navigate to a specific section in the guide.
What is Personal Information?
Personal information is anything relating to a person that identifies them. This includes both physical records and digital records.
In a school, examples of personal information include:
- Names of staff and pupils.
- Dates of birth.
- Photographs of staff and pupils that are clearly linked to their identity or other personal information about them.
- National insurance numbers.
- Financial information, such as bank details and tax status.
- Recruitment data.
- Attendance and behavioural information.
- Safeguarding information, including SEN assessments and data.
- School work and marks.
- Medical information, such as medical conditions and GP names.
- Exam results.
- Staff development reviews.
Registering with the ICO
Under the Data Protection Act, all data controllers must notify the Information Commissioner’s Office (ICO) about how they process personal information. Each individual school is a data controller and so must register with the ICO. Failure to do so is a criminal offence.
Registration is done via a simple online form. It must be signed and sent to the ICO along with the annual fee. To access the registration form, go to the ICO’s website.
During the registration process, and annually from then on, schools must notify the ICO of:
- The purpose for which it holds personal data.
- What data it holds.
- The source of said data.
- To whom they intend to disclose the data.
- To which countries they intend to transfer the data.
Once you’ve registered, the ICO publishes certain details in the register of data controllers, which are available to the public.
Fair Processing and Privacy Notices
When you collect information about a child, parent or staff member, you must be clear and transparent about how you intend to use it.
Schools need to explain in clear language how and why they will process personal data of everyone in the school (both staff and students). For example, to facilitate education or to arrange school trips.
In order to do this and comply with the Data Protection Act Principles, schools must have privacy notices in place. The aim of a privacy notice is to summarise what information the school needs, why they are collecting it, and which third parties they may pass it onto. The person whom the information is about must give their explicit consent in order for you to hold it.
Different schools, such as primary versus secondary, will inevitably have different data requirements. Therefore, each school will need to create an individual privacy notice that covers the processing activities specific to their school.
However, all privacy notices should cover these key areas:
- Your identity and, if you are not based in the UK, the identity of your nominated UK representative.
- The purpose or purposes for which you intend to process the information.
- Information on how you will collect personal data.
- Details of how you will keep data up-to-date.
- Details of what to do with confidential waste.
- Information on what your school expects from staff who work with personal data.
- Details on the use of security systems, such as computer passwords and firewalls.
- Where necessary, how personal data is encrypted when held electronically.
- Who is a ‘trusted’ third party.
- Procedures for what to do if personal data is lost or stolen.
- The rules for sharing or transferring data outside of the organisation.
- Any extra information you need to give individuals in the circumstances to enable you to process the information fairly.
Your school should include the notice in any enrolment documentation and on the bottom of any forms used to collect personal information. It should also be readily accessible on the school’s website. To emphasise transparency and build trust early on, you could also consider sending out a copy of your privacy notice to students and their parents at the start of each school year.
To help you write a privacy notice, take a look at the ICO’s website.
The Key Data Protection Principles
In order to protect data subjects’ personal information, data protection law (as amended by GDPR) requires all data controllers to follow several key principles:
- Fair, lawful, and transparent processing.
- Purpose limitation.
- Data minimisation.
- Data retention periods.
- Data security.
The information provided throughout this guide helps you comply with all of these principles.
Information Security Measures
Once your school acquires personal information about students, parents and teachers, it must keep this data secure. Unauthorised access or loss of information can cause serious harm to people. The ICO can issue fines if they learn that appropriate safety precautions are not being taken, and the maximum fine a business may face for non-compliance is up to £17 million or 4% of their global turnover (whichever is higher).
Both manual and digital records need to be secure. The level of security should reflect the potential harm that could result from the loss or misuse of the data. Furthermore, procedures should be in place to respond to any security breaches.
Not all security measures need to be complicated: sometimes just a simple check-in and check-out system can help reduce risks.
Possible security measures for data protection include:
- Shredding all confidential waste.
- Using strong passwords.
- Installing a firewall and virus checker on your computers.
- Encrypting any personal information held electronically.
- Disabling any ‘auto-complete’ settings.
- Holding telephone calls in private areas.
- Limiting access, i.e. only those who absolutely need to access the data should be able to do so.
- Checking the security of storage systems.
- Keeping devices under lock and key when not in use.
- Not leaving papers and devices lying around.
Memory sticks in particular need serious consideration as they are very easy to lose. You should either avoid the use of memory sticks completely or ensure they are password protected and fully encrypted. Furthermore, you must ensure that hard drives are erased securely if you are physically disposing of them. Your school may need to seek technical support as simply erasing the data or formatting the drive might prove insufficient.
Student Subject Access Requests
A student, or someone acting on their behalf, has the right to make a request to see any personal data their school holds about them and why.
Parents are only entitled to access the personal information held about their child if the child is unable to act on their own behalf, or if the child has given consent to their parent. Even if the child is young, the personal data being held is still their personal data. It doesn’t belong to anyone else, including their parents or guardian.
Before responding to an access request for information, you need to consider whether the child is mature enough to understand their rights. If they are, then your response to the request should go to the child, not their parent.
Parents, however, do have the right to see their child’s educational records. A subject access request needs to be made in writing, whether it’s a letter, email or social media message. You may wish to consider creating a standard form for people to fill in.
You can learn more about subject access requests on the ICO’s website.
Sharing Personal Information
There are occasions where sharing personal data with local authorities, other schools, different departments or social services cannot be avoided. It may be that without sharing the data, actions cannot be completed.
For example, you may need to pass on details about a child showing signs of harm to social services, or another school may need to know which pupils will be present at their sports day event.
You must consider all the legal implications and ensure that you have the ability to share the specified data. For example, what is the intention behind sharing? Who requires the data, which data is needed and what will it be used for?
Consent must be given by the individual before their personal information can be shared. This is usually part of the privacy notice issued when the data is first collected. This applies whether you are sharing data between people or online, such as photographs on the school’s Facebook page.
Letters sent from schools to parents should have a data protection statement at the bottom where relevant. For example, if a reply slip is included and requires providing personal data.
Data should only be transferred to other countries if they have suitable or equivalent security measures.
Your school should obtain explicit consent from the individual if personal data needs to be processed outside of the UK. If the school cannot establish a safe system of data protection with another country, they should not even consider sharing the personal data.
Special category data
This refers to information about more sensitive topics. For example, a person’s race and ethnicity, political opinions, religious beliefs, membership of trade unions, physical or mental health, sexuality, and criminal offences.
There are greater legal restrictions on special category data than regular personal data. Most schools will hold some form of sensitive data about pupils and staff, so processing this requires extra care.
Holding Data and Keeping it Up to Date
During the time when you hold data about a person, and for as long as it is being used, it must be monitored for accuracy. It’s essential that you ensure it remains relevant and accurate.
Carry out an information audit at least annually.
To carry out an audit, you should:
- Write a letter at the start of each school year asking parents and students to check that their details are correct. This also helps prevent emergency risks, e.g. if an old address or phone number is on record.
- Check that ‘live’ files are accurate and up to date.
- Any time you become aware that information needs amending, do so immediately
- Any personal data that is out of date or no longer needed should be ‘destroyed’. This may involve shredding documents or deleting computer files securely so that they cannot be retrieved.
- Schools must follow the disposal of records schedule. This schedule states how long certain types of personal data can be held for until it must be destroyed. Some stipulations are legal obligations while others are best practice.
You are violating the Data Protection Act if you keep any data for longer than it is needed.
Schools must not acquire data and process it in any manner that doesn’t relate to the intended purpose. For example: data acquired about students for assessments can’t then be used on the school’s website.
Determining what may be excessive includes looking at forms and deciding what information is absolutely critical for the intended purpose. Anything else may be considered excessive and irrelevant, and must not be collected.
Publishing Exam Results
The Data Protection Act does not stop schools from publishing exam results online or in the local press. However, if you intend to do so, you must act fairly. For example, will the results be published in alphabetical order or in grade order? The latter can be quite controversial. You must inform students first that their results will be published and how the information will be displayed, so they have the opportunity to voice any concerns and withdraw their result from the list if desired.
Students also have the right to make a subject access request to see a breakdown of their marks and the markers’ comments . These should be provided if called upon. However, information comprising of the answers written by a candidate during an exam cannot be provided. This means a subject access request cannot be used to obtain a copy of the student’s completed exam script.
Learn more about publishing exam results on the ICO’s website.
Taking Photos in Schools
When is consent needed or not needed for photos?
- Personal use: parents photographing and/or videoing the school play. Consent is not needed.
- Official school use: photos or videos taken for use in the school prospectus and on the website. Consent is needed from the person being videoed or photographed.
- Media use: photos taken for a newspaper article. Consent is needed from the person being videoed or photographed.
If an image of a student is used, their name must not accompany it and vice versa.
The ICO provides further guidance on taking photos at school.
Data Protection Policies and Training
The aim of a data protection policy is to help staff understand how to safely and fairly process personal information.
The policy should include practical guidance on what can and cannot be done with data. Furthermore, it should be communicated to employees regularly. It’s important that all staff receive guidance on the confidentiality of personal information.
The policy will stipulate how individuals can use the internet and email for private communications securely. It should also cover issues of security when the school’s intranet is accessed from outside of the school grounds via a phone or tablet etc.
A use policy should cover the following:
- Email. Is homework or other personal data shared between students and staff via email? Can it be done securely? Can you avoid emailing parents sensitive data? When sending bulk emails, are staff using the BCC function to protect potentially hundreds of parents’ emails?
- Chat rooms. Students should only have access to chat rooms that are educational in nature and closely moderated. As part of e-safety education, students should understand the importance of never giving out personal data that would identify them or others over chat.
- Mobile technology. The use policy should explain how people can use mobiles securely and safely and what restrictions apply where needed. Aspects to consider include video messaging, mobile access to the internet, entertainment services (e.g. streaming), and information-based services.
- School websites. Your website should have a clear, detailed privacy statement that states how your school intends to use the information they acquire about data subjects and how they’ll process it securely.
Preventing Data Security Breaches in Schools
Schools must prevent breaches of data through the internet, intranet, and email systems.
Therefore, your school should consider the following:
- Does the school have a Data Protection Policy in place?
- Does the school have a Use Policy in place?
- Is the use of the internet, email, and/or chat rooms monitored and regulated in some way?
- Are filtering systems used to prevent access to inappropriate materials and sites on the internet and network?
- Is there a reporting procedure in place for accidental access to inappropriate materials or sites?
- Is internet safety taught as part of the curriculum?
- Does the school follow safe practices when publishing images and names of students on their website?
- Is information sent to parents via email?
Indicators of inadequate data protection practices include a lack of e-safety education across the curriculum, no internet filtering or monitoring, and students being unaware of how to report problems.
People Responsible for Data Protection in Schools
Ultimately, everyone has a responsibility in ensuring data is processed securely in a school. Staff and even students who handle personal data need to prevent it from coming into possession of anyone who hasn’t been given permission to view or process it. However, your school should have designated individuals who are educated on data protection and who implement and uphold systems and policies.
More specifically, your school must have a designated Data Protection Officer (DPO). All public authorities are required to appoint a DPO by law, but even private schools should have one in place.
Data Protection Officers
The Data Protection Officer in your school is responsible for monitoring internal compliance and helping to establish policies and procedures. They should understand common information risks and the school’s strategies for combating said risks.
More specifically, DPOs can help businesses to:
- Know what personal information your school holds and for what purpose.
- Develop the school’s data protection policy.
- Arrange training for and offer advice to staff.
- Be aware of and monitor who has access to personal data and why.
- Establish best practice guidance for data processors and anyone in the school that handles data.
- Maintain a log of access requests made to the school.
- Process and respond to all requests for information, correction or erasure.
- Monitor the use of removable media, i.e. USB and external hard drives.
- Fulfil any duties that the ICO requires of the school, such as renewing your data protection licence.
- Establish and oversee physical and digital security measures.
- Ensure that everyone processes data securely, including when they must destroy it.
- Ensure that third parties have appropriate data protection measures.
Data Processors and Data Controllers
Data Processors and Data Controllers must liaise.
The school may give some degree of responsibility to an individual or third party for data protection. This individual is known as the data processor. A written contract should be made, which requires the processor to implement appropriate security measures for protecting any personal data processed.
However, the data controller is still responsible under the Data Protection Act for data protection. The data processor is purely acting on their behalf. This is why data controllers must have methods for ensuring that the data processor is consistently complying. For example: requesting regular written updates about security measures or carrying out full audits (e.g. visiting the premises).
What to Read Next:
- How to Apply for a Data Protection Licence
- Quick Guide to Selecting Suitable Data Protection Methods
- GDPR Online Training