Responsibilities
Who is responsible for making sure data is processed securely in a school.
Everyone in your school is responsible for protecting personal data. There are some key roles and responsibilities for data protection compliance.
For most of the personal data you collect, store and use, the school or the multi-academy trust is the data controller. This means it’s responsible under the Data Protection Act 2018 for protecting data in every situation where it decides:
- whose information to collect
- what types of data it needs
- why it needs it
- whether the information can be shared with a third party
- when and where data subjects’ rights apply
- for how long to keep the data
As a data controller, your school needs to register with the Information Commissioner’s Office.
Where, for example, a school is required to supply a copy of some personal data to the Department for Education (DfE), DfE also becomes an independent data controller of the copy it receives.
The responsibility and accountability for compliance sits with governors and trustees. Schools and multi-academy trusts risk getting a fine if they don’t comply.
Governors and trustees check that the school:
- monitors its data protection performance
- supports the data protection officer
- has good network security infrastructure to keep personal data protected
- has a business continuity plan in place that includes cyber security
Senior leaders are accountable for:
- deciding how the school uses technology and maintains its security
- deciding what data is shared and how
- setting school policies for the use of data and technology
- understanding what UK GDPR and the Data Protection Act cover and getting advice from the data protection officer, as appropriate
- assuring governors and trustees that the school has the right policies and procedures in place
- making sure any contracts with third-party data processors cover the relevant areas of data protection
- making sure staff receive training on data protection every 2 years (we recommend annually as best practice)
Staff training on data protection should include training on specific school processes such as:
- personal data breach reporting processes
- the escalation of information rights requests
All staff should be aware of what:
- personal data is
- ‘processing’ means
- their duties are in handling personal information
- the processes are for using personal information
- the permitted usage of that data is
- the risks are if data gets into the wrong hands
- their responsibilities are when recognising and responding to a personal data breach
- the process is for recognising and escalating information rights requests
This includes:
- teaching staff
- catering staff
- welfare supervisors
- library staff
- cleaners
- first-aiders
- governors and trustees
- volunteers
There are extra requirements for any staff in school who:
- create and store data
- enter data into applications or software
- decide if and when they’ll process certain data
- handle paper documents
Staff who collect, store or view personal data are responsible for:
- making sure they have a legitimate need to process the data
- checking that any data they store is needed to carry out necessary tasks
- identifying any risks
- understanding the governance arrangements that oversee the management of risks
Staff are responsible for making sure that pupils using personal data for projects or coursework do so appropriately. This includes being compliant when storing data.
The Information Commissioner’s Office has guidance on training for staff. It also produces resources to help you promote good data protection practice in your school.