Data protection policies and procedures
How to comply and document compliance with UK GDPR and the Data Protection Act 2018.
Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA), schools have to:
- comply with the legislation
- demonstrate that they’re complying
You can read more about the personal data you need to document and how to do so on the Information Commissioner’s Office (ICO) website, where there is a useful data controller’s checklist.
It’s a legal requirement that your school has data protection policies and procedures in place and that you regularly review and update these, along with the associated documentation. You should also review your other statutory policies in the light of data protection legislation.
A record of processing activities is an efficient means of capturing all the important information about your school’s data processing activities. It will improve your information governance and show your compliance with accountability principles. It will also ensure you comply with other aspects of data protection law, such as the requirement to create privacy notices and keep data assets secure, thereby reducing the risk of a personal data breach. Guidance on how to document your processing activities is available on the ICO website.
Step 1: identify your personal data assets
Locate all the personal data your school has received, created or shared. It could be stored in:
- management information systems
- communication systems
- safeguarding technology
- health and social care records systems
- curriculum management software
- virtual learning environments
- workforce systems
- catering systems
- equipment records
- photo and video storage systems
- paper records and photos
- statutory returns to the Department for Education (DfE) and local authorities
Step 2: list your personal data assets
Compile a list of that personal data. Start with broad data item groups, then add beneath each group specific data items. For example, the data item groups for pupils might be:
- admissions
- attainment
- attendance
- behaviour
- exclusions
- personal identifiers, contacts and pupil characteristics
- identity management and authentication
- catering and free school meal management
- trips and activities
- medical information and administration
- safeguarding and special educational needs
Repeat this for the personal data assets of all data subjects in the school community.
Step 3: add information about your personal data assets
Record extra detail about each of the personal data items in the list. There’s no definitive format you need to follow in creating your record of processing activities, so develop your own to suit your school’s needs, using this guidance as a starting point.
Mandatory information
Your record of processing activities should include the following as a minimum:
- the name and contact details of your school
- the name and contact details of your data protection officer (DPO)/data protection lead
- the name and contact details of any joint controllers
- the purposes of the personal data processing you carry out
- the categories of personal data you process
- the categories of individuals whose personal data you process
- the categories of organisations with which you share personal data
- the schedule for retaining each category of personal data
- a general description of your technical and organisational security measures
Additional information
The following prompts will help you add more detail about each personal data item to your record of processing activities.
Source of personal data
Record whether the data item:
- was received by the school
- was created by the school
- has been or will be shared by the school
Category of personal data
Record whether it’s:
Data controller or data processor
Record whether, in respect of this data item:
- the school’s a data controller or a data processor
- the school’s a joint controller and, if so, with which organisation
- there’s an up-to-date controller-processor contract in place, if applicable
Access and use
Record, in respect of this data item:
- the lawful basis (personal data) and, if applicable, additional condition (special category or criminal offence data) that allows it to be accessed and used
- who has access to it and how that’s controlled
- whether there’s an up-to-date data sharing agreement in place, if applicable
Data retention and destruction
Record, in respect of this data item:
- the data retention period and the justification for it
- the procedure for depersonalisation or disposal of it at the end of the retention period
- whether disposal is manual or automated and, if manual, whether there’s a prompt to ensure it is destroyed
Consent, rights and subject access requests
Record whether, in respect of this data item, data subjects have:
- given their consent for it to be processed and, if so, how
- been informed of their rights regarding access, rectification and erasure
- been told about the procedure for making a subject access request
Security and personal data breaches
Record whether, in respect of this data item, there:
- are up-to-date information and communication technology (ICT) security policies and procedures in place to prevent a cyberattack
- is a procedure for secure sharing
- is a procedure for handling a personal data breach
Automated decision-making
Record whether, in respect of this data item, the processing involves any automated decision-making.
Share your record of processing activities with your school leadership team (SLT) and governors or trustees. They are responsible for ensuring your school is compliant with the DPA and keeps only the personal data it needs.
A data protection impact assessment (DPIA) is a tool to help you identify, measure and manage data protection risks. Under UK GDPR, a DPIA is needed whenever the processing of personal data is likely to result in a ‘high risk to the rights and freedoms’ of individuals.
An effective DPIA will help you:
- identify, manage and mitigate data protection risks
- fix problems at an early stage, minimising those risks
- consider and mitigate risks to individuals’ privacy
- ensure individuals’ expectations of privacy obligations are being met - for example, by the provision of privacy notices
- provide individuals with reassurance
- demonstrate both accountability and compliance with data protection law
- avoid reputational damage to your school
You should consider and document carrying out a DPIA of personal data collected:
- about vulnerable data subjects, including:
  - children (because of their age)
  - employees (because the power imbalance means they cannot easily consent or object to the processing of their data by an employer)
  - more vulnerable sectors of the population (who need special protection)
- by innovative technologies, such as:
Review your record of processing activities
Look again at each personal data item in your record of processing activities and ask yourself whether:
- there are any current data processing activities that do not have a lawful basis (personal data) and, if applicable, additional condition
- as the result of applying those justifications, you would be less likely to carry out any safeguarding activities – if so, re-assess how you’re applying the law
- you’re certain about the procedure for data sharing in every case, including when this takes place and with which organisations
- there’s a procedure in place for updating the data sharing agreement with any organisation to which you’re passing personal data
- there’s a procedure in place for updating your ICT security policies, and regular training for everyone who handles personal data
- the school’s systems allow you to carry out responsible data retention, depersonalisation and disposal procedures
- everyone in the school community knows the procedure for reacting to a personal data breach and that procedure has been tested
Record the risks
There’s no definitive DPIA format you must follow, so you can develop your own to suit your school’s needs, using this guidance and your own risk management framework as a starting point.
You can download a suggested DPIA template from the ICO website.
A DPIA does not have to demonstrate that all risks have been eliminated, but it’ll help you document them and assess whether any that remain are justified.
If it identifies a high risk and you cannot take measures to minimise it, you’ll need to seek advice from the ICO. You may not begin processing the personal data in question until you have acted on the ICO’s advice.
Regularly reassess the impact
A DPIA is not a one-off exercise. You need to keep it under regular review and update it if anything changes in your school’s data life cycle.
In particular, if you make any significant changes to how or why you process personal data, or the amount of personal data you collect, your DPIA has to demonstrate that you’ve assessed any new risks.
You should also review your DPIA if a new:
- security flaw is identified
- technology is made available
- contractor is appointed
- public concern is raised over the type of processing you do
- public concern is raised over the vulnerability of a particular group of data subjects
Under UK GDPR and the Data Protection Act 2018, every school must make its privacy notices freely available to those whose personal data it handles.
A privacy notice explains:
- why a school needs to collect personal data
- what it plans to do with it
- how long it will keep it
- whether it will be sharing it with any other organisation
Privacy notices need to be clear and accessible, and regularly reviewed and updated. Being transparent builds trust, avoids confusion and lets everyone in the school community know what to expect.
Privacy notices should be reviewed by your data protection officer:
- at least annually
- whenever you make a significant change to how you process personal data
Parents, pupils and staff, who are the data subjects, must be notified in the case of any significant changes to your privacy notices or if the way you use their personal data changes.
What to include in a privacy notice
Your privacy notice is expected to explain to your data subject what makes it lawful for the school to use personal data, including any data that may be regarded as sensitive. The Information Commissioner’s Office (ICO) has a list of what a privacy notice should contain.
Your school’s privacy notice must include what personal data your school shares with DfE.
Model privacy notices for schools to issue to staff, parents, carers and pupils about the collection of data are available.
A privacy notice can be in any format, provided it is accessible. For example, you can take a layered approach, where you provide a short version of your privacy notice, along with details of how to view further information.
Data subjects’ rights
Data subjects have rights and control over the use of their personal data. These rights are:
- the right to be informed
- the right of access
- the right to rectification
- the right to erasure
- the right to restrict processing
- the right to data portability
- the right to object
- rights in relation to automated decision-making and profiling
Your privacy notice should include:
- what personal data is being processed
- why their personal data is being processed
- on what lawful basis their personal data is being processed
- with whom their personal data will be shared and why
- how and for how long their personal data will be stored
- how they can exercise their rights over their personal data
- whom to contact if they have any questions or concerns, including your data protection officer and the ICO
The information in your record of processing activities will be a useful source of information in this regard.
Inform data subjects about their privacy rights
Privacy notices are the most common way of complying with data subjects’ right to be informed.
There are a number of ways you can keep data subjects informed about how your school deals with their personal data.
For pupils, these include sharing the school’s privacy notice:
- in an induction pack, when joining the school
- at the start of each school year
- when they provide extra personal data during the school year
- through the school website
For staff, these include:
- when they apply for a role, accept a contract, are appraised, or leave the school
- ensuring existing staff members are made aware of the privacy notice at the start of each school year
- making the notice visible on the staff notice board and intranet
For pupils and staff, you must make sure the privacy notice is accessible at all times.
Download this example template (MS Word document, 30KB) which offers a simple way for a school to seek parents’ and carers’ consent to process children’s personal data at the same time as they ask them to confirm or amend it.
Children have the same rights over their personal data as adults. Schools can be inventive in the way they present child-friendly privacy rights information, using diagrams, graphics, comic strips, videos and so on.
For example, DfE has a privacy notice specifically for children and young people.
Introducing the idea of data privacy within wider online safety lessons will allow teachers to use age-appropriate language, ensure understanding and encourage pupils to ask questions.
Personal information shared with DfE
DfE collects personal information from educational settings, local authorities, and other organisations, via various statutory data collections. Each data collection or census guide contains the legislation detailing the lawful basis for collection.
This data is used for many purposes, including to inform funding, monitor education policy and school accountability, and to support research.
Your school’s privacy notice must include what personal data is shared with DfE. You can read examples of this text in DfE’s privacy notice model documents.
It’s essential to ensure critical data is protected from cyber-attacks and unauthorised access. You should be aware of what personal data you store within your school network, and what’s stored outside of your direct control. Both locations must have good security settings in place, including encryption and access control, and everyone who processes personal data should be trained in keeping data safe.
DfE has guidance to help schools keep people and their personal data safe when using digital technology, and on meeting ICT service and equipment standards.
The government’s National Cyber Security Centre has resources to improve cyber resilience. They include:
- information about better protection in cyberspace
- device security guidance
- cloud security principles
- tools to strengthen cyber defence
- cyber security training for staff
- home learning technology advice
- data security tips
The police service’s regional cyber protect officers provide free advice and training to schools.