How does GDPR apply in schools?

In this article Chorus Advisers look to provide the answer to the question, ‘How does GDPR apply in schools?’

Data Protection in Schools

Data Protection within schools has never been more important than it is today. With such a large amount of personal data (about pupils, parents and staff alike) being processed online, it is essential that schools ensure compliance with the UK GDPR and the Data Protection Act 2018.

All members of staff must handle personal data securely and confidentially; internally, data protection should be given the same importance as Safeguarding. The school must, by law, be able to demonstrate that it has appropriate technical and organisational measures in place to make this happen (this is the accountability principle).

All maintained schools and academies, as public authorities, must appoint a Data Protection Officer (DPO) by law. Independent schools are not automatically required to do so, unless their core activities involve large-scale processing of special category data. This does not, however, mean they may process data to a lesser standard: the data protection law that applies remains exactly the same. In these cases it must be asked: is the current data protection lead role being carried out to the same standard as safeguarding within the school?

What schools should consider

So, how does GDPR apply in schools? Basic reference points would be:

  1. Is the school registered with the Information Commissioner’s Office (ICO) as a data controller and paying the annual data protection fee? (Schools are controllers of the personal data they hold, not processors; failing to pay the fee when required is against the law and can lead to a fine.)
  2. Are regular (termly) compliance audits undertaken so that accountability can be demonstrated?
  3. Is there a Retention policy, and is it actually followed by staff?
  4. Do you arrange regular data protection training for staff?
  5. Do you know who has access to personal data, and why?
  6. Do all staff know how to recognise and respond to a Subject Access Request (SAR), including the one-month statutory deadline for responding?
  7. Could staff recognise a data breach, such as an email sent to the wrong parent, and do they know who to report it to?
  8. Has the school conducted Data Protection Impact Assessments (DPIAs) before adopting new tools or processes that are likely to be high risk? (eg Zoom, Teams etc)

Beyond these basic requirements, the data protection lead should also be keeping the SLT and Governors updated on ongoing changes to the law, and on any requirements that are particularly relevant in the current crisis, such as:

  1. How to handle SAR or FOI requests regarding exam grading. This is particularly relevant as it may affect students going forward, for example those relying on 11 plus results.
  2. Key privacy concerns surrounding COVID-19 “back to work” safety measures (eg recording of health data, which is special category data and needs a lawful basis and condition for processing).
  3. How to conduct online home schooling safely.

In summary

We all understand that this is a particularly difficult time for schools, preparing for what is probably the hardest school term ever, but the law will not allow you to drop your standards on data protection.

Corus Advisers are on THE LIST, where you can find their full range of GDPR services. For more information, please visit their website.

This article has been adapted for ALLOWLIST from the original source at: