Statutory requirement, data sharing and regulations
The legislation, guidance and best practice to follow.
The submission of school census individual pupil records is a statutory requirement on schools under:
- Section 537A of the Education Act 1996
- the Education (Information About Individual Pupils) (England) Regulations 2013 (the 2013 Regulations)
- Section 99 of the Childcare Act 2006 (CA 2006)
- the Childcare (Provision of Information About Young Children) (England) Regulations 2009 (the 2009 Regulations)
Putting the school census on a statutory basis:
- means that schools do not need to obtain parental or pupil consent to the provision of information
- ensures schools are protected from any legal challenge that they are breaching a duty of confidence to pupils
- helps to ensure that returns are completed by schools
The UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018) mandate certain safeguards regarding the use of personal data by organisations, including the Department for Education (DfE), local authorities and schools. Both give rights to those (known as data subjects) about whom data is processed, such as pupils, parents and teachers. These rights include (among other information that DfE is obliged to provide) the right to know:
- the types of data being held
- why it is being held
- to whom it may be communicated
As data processors and controllers in their own right, it is important that schools process all data (not just that collected for the purposes of the school census) in accordance with the full requirements of the UK GDPR. Further information on the UK GDPR can be found in the Information Commissioner’s Office (ICO) overview of the UK General Data Protection Regulation (GDPR).
Legal duties under the UK General Data Protection Regulation and the Data Protection Act 2018: privacy notices
Being transparent and providing accessible information to individuals about how schools and local authorities will process their personal data is a key element of UK GDPR and the DPA 2018. The most common way to provide such information is through a privacy notice. See the ICO’s website for further guidance on privacy notices.
DfE provides suggested wording for privacy notices that schools and local authorities may wish to use. However, where the suggested wording is used, the school or local authority must review and amend the wording to reflect local business needs and circumstances. This is especially important, as the school will process data that is not solely for use within census data collections.
It is recommended that the privacy notice is included as part of an induction pack for pupils and staff, is made available on the school website for parents, and features on the staff notice board or intranet. Privacy notices do not need to be issued on an annual basis where:
- new pupils and staff are made aware of the notices
- the notices have not been amended
- they are readily available in electronic or paper format
However, it remains best practice to remind parents of the school’s privacy notices at the start of each term (within any other announcements or correspondence to parents). It is important that any changes made to the way the school processes personal data are highlighted to data subjects.
Legal duties under the UK General Data Protection Regulation and the Data Protection Act 2018: data security
Schools and local authorities have a legal duty under the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018 to ensure that any personal data they process is handled and stored securely. Further information on data security is available from the ICO’s website.
Where personal data is not properly safeguarded, it could compromise the safety of individuals and damage a school’s reputation. Your responsibility as a data controller extends to those who have access to your data beyond your organisation if they are working on your behalf – for example, if external IT suppliers can remotely access your information.
It is vital that all staff with access to personal data understand the importance of:
- protecting personal data
- being familiar with your security policy
- putting security procedures into practice
As such, schools should provide appropriate initial and refresher training for their staff.