GDPR for schools

You will have heard that there are new regulations in place governing how organisations handle personal data. They are called the General Data Protection Regulation (GDPR) and became mandatory from May 25th 2018.

Our school handles a large amount of personal data. This includes information on pupils, such as assessments, medical information, images and much more. We also hold data on staff, governors, volunteers and job applicants.

As part of our daily work we also handle what the GDPR refers to as special category data, which is subject to tighter controls. This includes details of race or ethnic origin, biometric data, and trade union membership.

What is personal data?

Data protection regulations are nothing new: personal data is already governed by the existing Data Protection Act (DPA), which ensures that it is handled lawfully. However, the GDPR goes further. It requires organisations to document how and why they process all personal data, and it gives enhanced rights to the individual.

The key changes for us as an organisation are:

  • Demonstrate compliance: schools need to document every system used to process personal data. They also need to map how this data is transferred to other systems or to any third parties.
  • Appoint a DPO: schools must appoint a Data Protection Officer (DPO) to ensure that the school is fully compliant with the new regulations (more information below).
  • Processor agreements: for any third-party processor, you must have contracts in place stipulating that personal data is handled in compliance with the GDPR.
  • Reporting a data breach: if personal data has been put at risk, you may be required to inform the ICO and, in some cases, the individuals at risk. This should be done within 72 hours of the breach being discovered.
  • Staff training: however carefully the DPO designs compliant processes, those processes are only as secure as the people using them. Making sure staff are trained and that there is a culture of data compliance is crucial.

With the increased emphasis on accountability will come more pressure on leaders to ensure their staff receive the necessary training. The systems put in place will also affect anyone who handles personal data, even if that is only an attendance register.

Key changes for teachers:

  • Reporting a breach: teachers must understand what constitutes a breach and, if they suspect a breach has occurred, report it to their DPO.
  • Introducing new systems: if teachers want to introduce a new piece of subject-specific software or use any new processing system, there needs to be a clear process in place to inform the DPO and ensure it is done compliantly.

Subject requests

Any data subject (that is, someone whose data the school holds) can exercise certain rights with regard to their data. This means that a parent could ask the school to produce all the data it currently holds on their child, or a job applicant could ask you to erase all their details. Under the new law an individual can also ask for their data in a portable form so they can pass it on to another organisation.

The school is legally obliged to carry out these requests within 28 days of receiving them.

Although individuals were previously allowed to request access to their data and the correction of any inaccuracies, they now have additional rights, and the £10 fee has been waived.

Reporting a breach

If we are informed of a breach of someone's personal data, we may be required to inform the ICO. In serious cases we may also be required to inform the individuals whose data has been put at risk.

We have put some school policies here to help you understand how we deal with data, what this will look like from now on, and what you can expect in the way we handle your data and keep it secure.