Summary
The policies and processes schools and multi-academy trusts need to protect personal data and respond effectively to a personal data breach.
This toolkit will help school staff, governors and trustees:
- understand how to comply with data protection law
- develop their data policies and processes
- know what staff and pupil data to keep
- follow good practices for preventing personal data breaches
This advice is intended for maintained schools and academies. Independent schools are welcome to use it where appropriate.
Contents
- Data protection legislation, and who and what it’s intended to protect.
- Changes to the bill and support available from the Department for Education (DfE).
- The lawful grounds for accessing, collecting, storing and using personal, special category and criminal offence data.
- Who is responsible for making sure data is processed securely in a school.
- How data protection officers can help make sure schools are compliant with data protection laws.
- How to comply and document compliance with UK GDPR and the Data Protection Act 2018.
- Who you can share personal data with and what consent you need to get – for example, when publishing exam results and taking photos in school.
- A subject access request (SAR) is a type of information rights request. A SAR lets people access a copy of the personal data a school holds about them or someone they have parental responsibility for.
- How to manage other information rights requests, including changing, deleting or restricting the processing of personal information.
- Explains how to carry out an audit to check what personal data your school holds. You can use a data retention schedule to document how long you'll keep different types of data for.
- Good practice for preventing personal data breaches in your school. It explains how to recognise and respond effectively to a personal data breach.
- The benefits and risks of using generative AI in educational settings.