Statutory requirement, data sharing and regulations
The legislation, guidance and best practice to follow.
You must submit an AP census return, including a named set of pupil records, under the Education (Information about Children in Alternative Provision) (England) Regulations 2007.
This statutory requirement:
- means that providers do not need to obtain parental or pupil consent to the provision of information
- ensures providers are protected from any legal challenge that they are breaching a duty of confidence to pupils, and
- ensures that returns are completed by providers
The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018) mandate certain safeguards regarding the use of personal data by organisations, including the department, local authorities and schools. Both give rights to those (known as data subjects) about whom data is processed, such as pupils, parents and teachers. These rights include (amongst other information that the department is obliged to provide) the right to know:
- the types of data being held
- why it is being held
- to whom it may be communicated
As data processors and controllers in their own right, it is important that schools process all data (not just that collected for the purposes of the school census) in accordance with the full requirements of the UK GDPR. Further information on the UK GDPR can be found in the Information Commissioner’s Office (ICO) overview of the UK General Data Protection Regulation (GDPR).
Legal duties under the UK General Data Protection Regulation and the Data Protection Act 2018: privacy notices
Being transparent and providing accessible information to individuals about how schools and local authorities will process their personal data is a key element of UK GDPR and the DPA 2018. The most common way to provide such information is through a privacy notice. Please see the Information Commissioner’s Office (ICO) website for further guidance on privacy notices.
DfE provides suggested wording for privacy notices that schools and local authorities may wish to use. However, where the suggested wording is used, the school or local authority must review and amend the wording to reflect local business needs and circumstances. This is especially important, as the school will process data that is not solely for use within census data collections.
It is recommended that the privacy notice is included as part of an induction pack for pupils and staff, is made available on the school website for parents, and features on the staff notice board or intranet. Privacy notices do not need to be issued on an annual basis, where:
- new pupils and staff are made aware of the notices
- the notices have not been amended
- they are readily available in electronic or paper format
However, it remains best practice to remind parents of the school’s privacy notices at the start of each term (within any other announcements or correspondence to parents), and it is important that any changes made to the way the school processes personal data are highlighted to data subjects.
Legal duties under the UK General Data Protection Regulation and the Data Protection Act 2018: data security
Schools and local authorities have a legal duty under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 to ensure that any personal data they process is handled and stored securely. Further information on data security is available from the Information Commissioner’s Office.
Where personal data is not properly safeguarded, it could compromise the safety of individuals and damage a school’s reputation. Your responsibility as a data controller extends to those who have access to your data beyond your organisation where they are working on your behalf – for example, where external IT suppliers can remotely access your information.
It is vital that all staff with access to personal data understand the importance of:
- protecting personal data
- being familiar with your security policy
- putting security procedures into practice
As such, schools should provide appropriate initial and refresher training for their staff.