Navigation
Home Page
Home Page

GDPR

GDPR for schools

You will have heard that there is new regulations in place regarding how organisations handle personal data - it is called the General Data Protection Regulations and it became mandatory from May 25th 2018.

Our school handles a large amount of personal data. This includes information on pupils, such as assessments, medical information, images and much more. We also hold data on staff, governors, volunteers and job applicants.

As part of our daily work we also handle what the GDPR refers to as special category data, which is subject to tighter controls. This could be details on race, ethnic origin, biometric data or trade union membership.

What is personal data?

Data regulations are nothing new,  data is already governed by existing DPA regulations, which ensure personal data is handled lawfully. However, the new GDPR has gone further and requires organisations to document how and why they process all personal data, and gives enhanced rights to the individual.

The key changes for us as an organisation are:

  • Demonstrate compliance: schools need to document every system used to process personal data. They also need to map how this data is transferred to other systems or any third parties.
  • Appoint DPO: schools must appoint a Data Protection Officer (DPO) to ensure that their school is fully compliant to the new regulations (more info below).
  • Processor agreements: for any third-party processors you must have contracts in place stipulating that personal data is handled in compliance with the GDPR.  
  • Reporting a data breach: if personal data has been put at risk, you may be required to inform the ICO, and in some cases, the individual at risk. This should be done within 72 hours of the breach being discovered.
  • Staff training: despite the best efforts of the DPO in using compliant processes, these are only as secure as the people using them. Making sure staff are trained and there is a culture of data compliance is crucial.

With the increased emphasis on accountability will come more pressure on leaders to ensure their staff receive the necessary training. Systems in place will also impact anyone who handles personal data, even if that’s an attendance register.

Key changes for teachers:

  • Reporting a breach: teachers must understand what constitutes a breach and, if they suspect a breach has occurred, report it to their DPO.
  • Introducing new systems: if teachers want to introduce a new piece of subject-specific software or use any new processing system there needs to be a clear process in place to inform the DPO and ensure it is done compliantly.

Subject requests

 Any data subject (that’s someone whose data the school holds) can exercise certain rights with regards to their data. This means that a parent could ask for a school to produce all data it currently holds on their child, or a job applicant could ask you to erase all their details. Under the new law an individual could ask for their data in a portable form so they can pass it on to another organisation.

The school would be legally obliged to carry out these requests within 28 days of the request being given.

Although individuals were previously allowed to request access and an amend to any inaccuracies, they now have additional rights and the £10 fee has been waivered.

 

Reporting a breach

 If we are informed of a breach to someone’s personal data, we may be required to inform the ICO. Under serious circumstances we may be required to inform the individuals whose data has been put at risk.

 

We have put some school policies here to help you to understand how we deal with data, what it will look like from now on and what you can expect in the way we handle and keep your data secure.

Translate

Top

Cookies

Unfortunately not the ones with chocolate chips.

Our cookies ensure you get the best experience on our website.

Please make your choice!

Cookies

Some cookies are necessary in order to make this website function correctly. These are set by default and whilst you can block or delete them by changing your browser settings, some functionality such as being able to log in to the website will not work if you do this. The necessary cookies set on this website are as follows:

Website CMS

A 'sessionid' token is required for logging in to the website and a 'crfstoken' token is used to prevent cross site request forgery.
An 'alertDismissed' token is used to prevent certain alerts from re-appearing if they have been dismissed.
An 'awsUploads' object is used to facilitate file uploads.

Matomo

We use Matomo cookies to improve the website performance by capturing information such as browser and device types. The data from this cookie is anonymised.

reCaptcha

Cookies are used to help distinguish between humans and bots on contact forms on this website.

Cookie notice

A cookie is used to store your cookie preferences for this website.

Cookies that are not necessary to make the website work, but which enable additional functionality, can also be set. By default these cookies are disabled, but you can choose to enable them below: