Data Protection in Schools

Data protection in schools is a must. Schools work with an incredible amount of personal data. This includes information such as pupil names, addresses, medical information, images, and more. Additionally, information related to job applicants, governors, staff and volunteers is often stored within a school database.

The Data Protection Act (DPA) was designed to protect the privacy of individuals. When the DPA was updated to the GDPR in May 2018, the regulations around data protection changed throughout Europe. Subsequently, following Brexit, with effect from the 1st Jan 2021, the UK stopped being part of the EU and hence the ‘EU-GDPR’ ceased to protect the rights and freedoms of UK citizens regarding their personal information. To prevent this from becoming the case, the UK Government published an update to the DPA 2018 called the Data Protection, Privacy and Electronic Communications Regulations, now known as UK GDPR.

Schools handle what the UK GDPR classifies as ‘special category data’, detailing pupil information such as ethnicity, race, biometric data, and trade union membership in some instances. This data is subject to strict controls, and therefore schools need to adhere to UK GDPR guidelines and protect this information efficiently.

This article will provide all the essential information on the Data Protection Act 2018 relating to schools. We’ll discuss what data protection is, the importance of privacy notices in schools, and the fundamental principles and security measures that must be applied by data controllers. We’ll also offer advice concerning what information can be shared, how to carry out an audit, what should be covered in a Data Protection Policy, and what the role of a data protection officer entails.

What is data protection?

Data protection refers to safeguarding private and important information from compromise, corruption and loss. Data protection is becoming ever more important in today’s data-driven society, as the amount of information created and stored expands year-on-year.

Since May 2018, data protection in UK schools must adhere to strict guidelines published in the UK GDPR legislation. This particular set of guidelines is more rigorous than previous legislation and carries severe penalties for non-compliance. All UK schools must both comply with the UK GDPR provisions and prove to regulators that they have various data protection protocols in place.

The processing of personal data stored on school websites, paper, servers and databases is all covered by UK GDPR. Critically, schools must undertake stringent data protection impact assessments when they upgrade their software, change IT infrastructure, or introduce new technology that deals with personal data. Note that UK GDPR compliance is a legal obligation, making it illegal if your school fails to produce precise documentation that proves effective management of all information systems. Penalties are delivered on a case-by-case basis, with the maximum fine for non-compliance set at £17.5 million or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher. If there is an infringement of other provisions, such as administrative requirements of the legislation, the standard maximum amount will apply, which is £8.7 million or 2% of the total annual worldwide turnover in the preceding financial year, whichever is higher.

Folders full of GDPR guidance and legislation" width="1200" height="350" />

What is personal information?

Personal information can be defined as anything relating to an individual that identifies them. This applies to both physical and digital records.

Examples of personal information that a school may store include:

• Names and dates of birth for both staff and pupils.
• Images of staff and pupils that confirm their identity and can be linked to additional personal information.
• National Insurance numbers.
• Addresses of staff and pupils.
• Recruitment information.
• Financial records, such as tax information and bank details.
• Information relating to pupil behaviour and school attendance.
• Medical records, including GP names and medical conditions.
• Exam results and class grades.
• Staff development reviews.
• School assessments and marks.
• Safeguarding information, including data related to SEN assessments.

With such a myriad of personal information held by schools, the importance of protecting such data is paramount.

Privacy notices

When you collect information concerning a parent, child or member of staff, you must offer transparency about how this information will be used. Your school has to explain precisely how you will process the personal information of all staff and pupils. Examples include how to arrange school trips, facilitate education, or store grades and exam results.

To ensure UK GDPR compliance, schools must display clear privacy notices. The purpose of a privacy notice is to present and summarise what information the school requires, why this information is being collected, and which third parties are privy to such data. The individual whom the information relates to must give full consent to your school in order for you to store it. Primary and secondary schools have different data requirements. For this reason, every single school must have its own privacy policy covering the processing activities that are specific to their school.

That said, all school privacy notices need to cover these key areas:

• Information relating to how you intend to collect personal data.
• Any purposes relating to your intentions to process information.
• Your identity, and the identity of your nominated UK representative (applicable to non-British citizens).
• Information on how data will be kept up-to-date.
• Details on confidential waste procedures.
• Details related to computer security, such as firewalls and computer passwords.
• Precise information on guidelines and expectations of staff working with personal data.
• Information relating to all ‘trusted’ third parties involved with accessing or disseminating personal data.
• Details on how personal data is encrypted and secured electronically.
• Procedures put in place in case personal data is stolen or lost.
• Guidelines for transferring or sharing data outside of the school.
• All additional information for individuals regarding fair data processing.

Your school must publish its privacy notice on all enrolment documentation and on forms used to collect any personal information. There should also be a clear privacy notice uploaded onto the school website.

We recommend sending a digital copy of your privacy notice to all students and parents at the beginning of each new school year.

For help curating your school privacy notice, you can visit the official ICO website.

What are the key principles?

The GDPR (General Data Protection Regulation) and its UK version have been in effect for several years now. Compliance is essential, not only because it helps prevent security incidents but also because it ensures that data processing practices are responsible and efficient. This legislation is even more essential for the education sector, and you should be aware of the seven key UK GDPR principles so that you can comply efficiently.

1. Lawfulness, fairness and transparency

All data must be obtained on a lawful basis, leaving individuals fully informed and complying with UK GDPR legislation in full. Lawfulness means that any processes that your school has in place relating to the personal data of pupils and staff must meet all UK GDPR requirements. This includes data storing, processing and collection. UK GDPR legislation contains directions for each step of your data management policy.

Fairness relates to your actions. Whether you control or process data, your processes must follow procedures described to the data subject. This means that the promises outlined in your school privacy statement must be followed as you collect subject data. Additionally, all data must be used only for pre-stated purposes and time periods.

Transparency refers to your privacy notice. All staff, pupils and parents must be informed of the purposes, means and time period of data processing. You need to let all individuals affected know precisely what will be done with their data and who can gain access to this information.

2. Purpose limitation

When it comes to your privacy notice, it’s paramount that you inform all subjects about the purpose of your school’s data collection. UK GDPR legislation states that this purpose has to be ‘specified, explicit and legitimate’. Therefore, data can be used and collected only for the purposes that have been made accessible to the data subject who has consented.

3. Data minimisation

Only collect the necessary data. The UK GDPR was designed to keep data collection to the bare minimum. Therefore, all personal data collected must be ‘adequate, relevant and limited to what is necessary concerning the purposes for which they are processed’. Under UK GDPR guidelines, all schools must be able to justify the amount of data they collect. Therefore, you must create and publish adequate policy documentation.

4. Accuracy

Any personal data has to be ‘accurate and, where necessary, kept up to date’. Therefore, all old and outdated records, contracts and personal data must be erased as soon as this information is no longer essential.

5. Storage limitations

This principle relates to the process of data minimalisation and clearly states that personal data has to be ‘kept in a form which permits identification of data subjects for no longer than necessary’. When you collect data, you must define a retention period that relates to your specific objectives. As always, the information has to be documented in case of an investigation.

6. Integrity and confidentiality

This principle states that personal data must be handled ‘in a manner [ensuring] appropriate security’, which includes ‘protection against unlawful processing or accidental loss, destruction or damage’. This means that anonymisation and pseudonymisation systems must be applied where necessary to protect the identity of staff and students. Some schools invest in official accreditation such as ISO 27001 to prove their commitment to cybersecurity.

7. Accountability

Finally, all schools are fully responsible for compliance with the principles outlined in the UK GDPR. This legislation requires thorough evidence and documentation of policies related to the processing and collection of data. Each step of your school’s data management policy must be carefully justified and formulated by way of official documentation. These documents must be available to prove compliance should the relevant policies request access.

Security measures

Once personal information relating to staff, parents and pupils is acquired, it has to be kept secure. Loss of information or unauthorised access can cause severe damage to individuals. Failure to protect this information can lead to severe penalties for a school’s managerial team, not to mention the impact a data breach could have on the school’s reputation. All manual and digital records must be protected with a level of security that directly reflects the potential harm that could come from data loss or misuse. Additionally, robust procedures must be put in place to respond to such security breaches.

Security measures don’t have to be complicated – simple check-in and check-out systems are often sufficient to protect personal data.

Potential security measures for school data protection include:

• The use of strong passwords.
• Encryption of all personal information stored electronically.
• Shredding of all physical copies of confidential waste.
• Installation of virus-checking software and firewalls on school computers.
• Turning off all ‘auto-complete’ settings.
• Limiting access to personal information wherever necessary.
• Holding telephone calls in designated private areas.
• Ensuring that all storage systems are secure.
• Keeping digital devices locked away securely when not in use.
• Making sure that all papers and devices containing sensitive information are stored securely.

Small electronic storage devices such as memory sticks and SD cards require serious consideration as they can be easily misplaced. If you must use memory sticks to store personal information, we recommend ensuring that they are fully encrypted and password protected.

Additionally, hard drives must be securely erased if they are being discarded. This should be done by a professional who is technically capable of completely formatting the drive to eliminate all data.

What personal information can be shared?

Occasionally, some schools must share personal data with other schools, different departments, local authorities and social services. On these occasions, it may be the case that actions cannot be completed or verified without sharing such data. For example, if a pupil shows signs of physical or mental abuse, this information may need to be passed on to social services. Additionally, if a school trip is being organised in conjunction with another school, data must be shared to confirm attendance and ensure the safety of all participants. Before sharing this data, all legal implications must be considered. You must also have the ability and permission to share the specified data.

Questions you should ask include:

• Who requires this data?
• Which data is required, and for what purposes will the information be used?
• What is the intention behind sharing this information?

You must also receive consent from any said individual before their personal information is shared. This information should have already been presented in your school privacy notice when the data was initially collected. Note that this even applies to sharing images on the school’s Facebook page, in the school prospectus, or in any other marketing materials both online and offline. Any literature sent from schools to parents requires a printed data protection statement where applicable, including if a reply slip is included requiring personal data related to the pupil or their parents. If your school plans to transfer data to other countries, this information can only be shared if there are equivalent or suitable security measures in place in the recipient’s organisation.

For example, if any personal data relating to staff, pupils or parents require processing outside of the UK, explicit consent is required from all individuals involved. If your school fails to establish a safe data protection system with a foreign country, you should never consider sharing any personal information.

Taking photos in school

Rules around consent for school include:

• Images for personal use – Parents photographing and/or recording the school play. Consent is not necessary.
• Official school use – Images or videos taken for use on the school website and inside the prospectus or as part of official marketing materials. Consent is required from the person being videoed or photographed.
• Media use – Photos taken for a blog, press release, or newspaper article. Consent is needed from the person being videoed or photographed.

For all images of pupils that are published, their names must not be accredited unless this is pertinent and the pupils/their parents have given consent.

How to undertake a school audit

To guarantee that all information is vetted for accuracy, stored only for the time that it is relevant, and stored securely, annual audits should be carried out.

To conduct an audit, you should:

• Monitor all ‘live’ files to make sure they are updated and accurate.
• Send out a letter at the beginning of each school year urging parents and pupils to check that all of their personal details are correct. This is a great way to avoid emergencies; especially when emergency contact information is out of date.
• Amend all information that is inaccurate immediately.
• Destroy all personal data that is no longer needed or is out of date. This could involve deleting computer files, shredding documents or formatting hard drives securely so that all information is permanently erased and inaccessible.
• Adhere to the disposal of records schedule, which states the duration that certain types of personal information can be retained before they must be destroyed. Note that some stipulations are legally required while others are recommended for best practice.

If your school holds any personal data for longer than it is required, you will violate the Data Protection Act.

You must never acquire or process data in a manner that fails to relate to its intended purpose.

For example, data received relating to pupils’ assessments should never be published on the school’s website. When you determine what kind of information could be deemed excessive, we recommend investigating school forms and outlining which data is critical for the forms’ intended purpose. Any additional information should be marked as excessive and should not be collected.

What should be covered in a school data protection policy?

The purpose of a school Data Protection Policy is to educate all staff on how to process personal information fairly and safely. Your official school policy should provide practical guidance on how data can and cannot be handled, stored or published. All of this information must be regularly shared with employees. All school staff must receive adequate training on the confidentiality of personal information.

Your Data Protection Policy must highlight how individuals can use the school intranet, internet and email for private communications safely and securely. There must also be guidelines covering security issues that are apparent when staff and pupils access the school intranet from outside of the school campus. This could be on a smartphone, tablet, laptop or desktop device.

To ensure data protection in schools, a typical Use Policy should cover:

Email

Do staff or students share personal data, homework or conversations via email? Can this process be completed securely? Is it possible to avoid sending personal data to parents over email? Are all staff implementing BCC to protect the anonymity of parents when sharing bulk emails?

Mobile technology

Your school Use Policy should outline the necessary restrictions recommended to use mobile devices safely and securely. You must consider mobile access to the internet within school grounds, access to streaming and entertainment services, and restrictions on video messaging or information-based services.

Chat rooms

On school premises, pupils should only be able to access chat rooms if they are related to education and closely monitored. All students should receive e-safety education, outlining the importance of protecting personal data that could identify them or others when using online chat portals.

School websites

Your school website must display a detailed privacy statement that explains how the school uses any personal information that is acquired concerning data subjects. It should include information about how data is processed and stored.

How do we prevent breaches of data?

Schools must have measures in place to prevent breaches of data through their internet, intranet and email systems. We recommend that your school considers the following:

• Does your school have a Use Policy in place?
• Has a Data Protection Policy been implemented throughout the school?
• Do you monitor the use if school internet, intranet, and any accessible chat rooms and regulate their use?
• Do you have restrictions in place to prevent access to inappropriate websites and materials on the school internet and network?
• Do you teach internet safety as part of your school curriculum?
• Do you have a reporting procedure in place in case inappropriate materials or websites are accessed?
• Do you follow strict safety guidelines when publishing names or images of students on your school website?
• Do you send information to parents via email?

Evidence of inadequate data protection practices or guidelines includes lack of internet monitoring or filtering, little or no e-safety education in place, and students with no awareness of how to report data-sensitive problems.

What is the data protection officer’s role?

Following recent guidelines published in the official UK GDPR Article 39, the responsibilities of a data protection officer (DPO) include:

• Mediating contact between an organisation and the relevant supervisory authorities.
• Training all employees on applicable UK GDPR compliance requirements.
• Conducting regular assessments and audits to guarantee total UK GDPR compliance.
• Sustaining records of any company-wide data processing activities.
• Replying to data subjects to educate them on how their personal data is stored, secured and used by the company.
• Outlining to staff, parents and pupils all data protection measures have been implemented.
• Responding to requests to share copies of personal data or erasing data as and when necessary.

Data protection officers help schools to:

• Gain full knowledge on what personal information is held in a school, how it is stored, and how it can be used.
• Full implement a robust Data Protection Policy.
• Training all staff relating to UK GDPR and data protection.
• Mediating with relevant authorities to ensure full UK GDPR compliance.

An efficient DPO must ensure internal compliance throughout the school and alert the relevant authorities about issues of non-compliance. This is the case even if the school could accrue substantial penalties or fines.

The role of a DPO is ever-changing in line with technological innovation and data protection laws. Therefore, an ideal candidate must be savvy and willing to continually train and educate themselves to meet current guidelines or changes in the law.

We hope that this guide has helped you to understand the importance of data protection in schools, the impact that UK GDPR has on your school, and how to improve and implement your school’s Data Protection Policy.