By now, you should have heard about the General Data Protection Regulation (GDPR) and hopefully you’ve already begun the journey to ensure your school, academy or MAT is compliant. However, we know the GDPR is a complicated subject to get to grips with, so we’re going to break down the rules and steps you need to take to prepare for the regulation.
Disclaimer: This blog post is not legal advice for your company to use in complying with EU data privacy laws like the GDPR. Instead, it provides background information to help you better understand the GDPR. You may not rely on this as legal advice.
GDPR – What is it?
The GDPR has been in effect since April 2016, but all businesses were given two years to become compliant, with a deadline of 25th May 2018. The GDPR was introduced to ensure that all data is handled appropriately and that your customers, or pupils and their parents in the case of schools, can view the data you keep on them.
Many of the principles of the GDPR are similar to those in the current Data Protection Act, so if your school is already compliant with the current legislation, that should prove a good foundation for GDPR compliance. There are, however, new regulations and specific enhancements, so you will have to take on new processes and change some existing ones.
Each school must assign a Data Controller and Data Protection Officer (DPO) who will be responsible for protecting the data. This will most likely be the School Business Manager or a Governor, but it can be outsourced to an external party if you prefer.
Multi-academy trusts will need one DPO, who will look after every school within the trust.
Your Data Controllers will need to decide what data to collect, based on the information required for returns to the LA/DfE. When doing this, however, they should only share relevant information and ask themselves, “Is it necessary to share this?” and “Is the information needed?”
How to make sure your school, academy or MAT is compliant
To make sure you are compliant, you must ensure that:
- You only keep the data that you need
- You only keep the data for as long as necessary
- You keep the data up to date and as accurate as possible
- You make sure that data is only accessible to those who need to see it.
Parents may ask the school which data is being held about their children, so it is always best to keep your students, and their parents, aware of the data you are recording. The Data Protection Officer should be able to provide any individual with their data when they ask for it.
Getting consent from an individual needs to be specific. If you have asked for consent for one situation, you will have to ask again for another. Consent is not a blanket basis; it must be specific, and you must make it clear which data you are collecting, and why, in advance.
GDPR for schools involves getting consent for your pupils, which means you will usually need to ask their parents for consent whenever you want to collect data. The GDPR will bring into effect special protection for children’s data, especially in the context of commercial internet services like social media. Currently, the GDPR sets the age at which a child can give consent at 16; however, this may be lowered to 13 in the future. If you need consent for a child younger than this, you must ask a person holding “parental responsibility” for consent.