Sharing personal data

Who you can share personal data with and what consent you need to get – for example, when publishing exam results, taking photos in school and for immunisation programmes.

To keep children and young people safe in school, you need to share information appropriately, so the correct decisions can be made to protect them.

You must have a compelling reason to share their personal data. Sharing children’s data with third parties can expose them to unintended risks if not done properly. You should carry out a data protection impact assessment to assess any risk before sharing personal information about your pupils.

The Information Commissioner’s Office website includes further guidance on data sharing. Any data you share must comply with their data sharing code of practice.

Safeguarding

To keep children safe and make sure they get the support they need, you can share information with other schools and children’s social care teams. It’s not usually necessary to ask for consent to share personal information for the purposes of safeguarding a child.

Your designated safeguarding lead will decide if personal data needs to be shared. They should make sure they record:

  • who they’re sharing that information with
  • why they’re sharing the data
  • whether they have consent from the pupil, parent or carer

Read working together to safeguard children to find out more information about sharing a pupil’s safeguarding file. You should also refer to the safeguarding section of keeping children safe in education.

Sharing data with local authorities and government

Occasionally, you may need to share personal information about your pupils with local authorities, other schools or children’s services. For example:

  • if a pupil shows signs of physical or mental abuse, you may need to pass this information on to children’s services
  • another school may need to know which pupils will be at their sports day or on a joint school trip

Sharing information can help provide appropriate services that safeguard and promote the welfare of children. The Data Protection Act 2018 and UK GDPR provides a framework to make sure that personal information is shared appropriately.

Before you share any data, you must:

  • consider all the legal implications
  • check if you need permission to share the data
  • confirm who needs the data, what data is needed and what they’ll use it for
  • make sure that you have the ability to share the specified data securely
  • check that the actions cannot be completed or verified without the data

You also have a statutory requirement to share personal data about your pupils with DfE through the school census. You do not need to get consent from pupils, parents or carers to share this data with us. You should provide information about what data you share in your school’s privacy notice. Privacy notice model documents suggest wording to explain to staff, parents, carers and pupils what data you’re collecting and sharing.

Schools may also need to share personal data about their staff with the local authority.

Sharing data with other schools

If a pupil moves to another school, you should transfer their records to the new school. This includes the pupil’s common transfer file and educational record. You must:

  • make sure you transfer the data securely
  • transfer the record within 15 days of getting confirmation the pupil is registered at another school
  • be able to trace the record during the transfer

To securely share and transfer pupil records, you could:

  • use the school to school (S2S) system
  • send them to a named person using an encrypted email
  • ask your local authority to transfer them
  • deliver any paper records in person or ask the new school to collect them

If you’re organising a school trip with another school, you’ll need to share data with them to confirm which pupils are going. You may also need to share details such as dietary requirements or medical information to make sure pupils are safe. Where you already have consent for the information, make sure this also covers sharing it.

Before sharing any personal data, you need to identify the lawful basis. This may be consent from the individual. There may be some circumstances where it may not be appropriate to ask for consent, however. For example:

  • if the individual cannot give consent
  • it’s not reasonable to ask for consent
  • when there’s a safeguarding concern

You’ll usually need to get the pupil’s consent to share their data if they’re aged 13 or over. If they’re under 13, you must get consent from whomever holds parental responsibility for the child.

Guidance on understanding and dealing with issues relating to parental responsibility is also available. The Information Commissioner’s Office has guidance to help you understand a child’s rights over their personal data.

You can get consent in different ways. It must be clear that the individual agrees to share their personal data and understands what they’re agreeing to. Do not use pre-ticked boxes or add disclaimers that state that, by not responding, they are agreeing to share their data. You should keep a record of:

  • the consent
  • when you got the consent
  • how you got the consent – for example, keeping the letter you sent to parents or carers

When getting consent, you need to explain:

  • what personal information you’re sharing
  • why you’re sharing it
  • who you’re sharing it with and what they’ll use it for
  • how you’ll share their information
  • the process for withdrawing consent

Any letters you send to parents or carers that ask for a reply slip that includes personal data should have a data protection statement. This could mean linking to a privacy notice or including information within the letter.

If you’re asking for consent from a pupil aged 13 or over, you must write your request so they can understand it and are clear about what they’re agreeing to.

Case study: ensuring data subjects have their rights respected when using biometric data

If you use pupils’ biometric data as part of an automated biometric recognition system, such as using fingerprints to receive school meals instead of paying with cash, you must comply with the requirements of the Protection of Freedoms Act 2012.

That means following these steps.

  1. In accordance with the child’s age or capacity, get written consent from at least one parent or carer before you take and process any biometric data from their child. See the section on consent over age of 13.

  2. Provide an alternative means to access the relevant services for any pupil from whom you do not have consent. For example, pupils must be able to pay for school meals using cash at each transaction, if they wish.

  3. Delete any relevant data already captured, if a parent or carer withdraws their consent.

If a pupil does not want their biometric data processed, you must not process it even if their parent or carer has given consent. This is required by law.

You also need to get consent from any staff members using the school’s biometric system. Staff can withdraw their consent at any time and you must then delete any relevant data already captured.

Guidance is available on protecting children’s biometric information in school.

Taking and using photos in school

Photos are used in school for many different reasons. You’ll need to identify the lawful basis for each different use of a photograph.

You should have a clear photo policy published alongside your privacy notice and provide copies of both to parents and carers.

You may be able to use photos in printed materials such as a prospectus or marketing materials under the lawful basis of legitimate interest. However, you need to provide pupils, parents or carers with an opportunity to object before you go to print.

You must get consent to share photos on your school’s social media channels or elsewhere online.

If you’re using a photo of a pupil, do not include their name unless you have specific consent to do so.

You should only use a photo in line with the consent provided. When you’re asking for consent, you should make it clear for how long you’ll use the photograph.

Photos used in identity management systems may be essential for performing the public task of the school, but you should delete them once a child is no longer a pupil at your school.

The Information Commissioner’s Office provides further guidance on taking photos in school.

Download an example template for a letter to parents and carers about consent. This includes a section on taking and using photos of pupils in school.

Publishing exam results

UK GDPR does not stop schools from publishing exam results online or in the local press.

You do not need to get consent from pupils, parents or carers to publish exam results. However, you should tell pupils where and how their results will be published before they’re published. This gives them an opportunity to ask you to remove their results from the list should they wish to.

The Information Commissioner’s Office has more information about exam results and data protection.

School immunisation programmes

You will need to provide data to support immunisation programmes in your school. This includes: 

  • sharing information leaflets and consent forms with parents or carers
  • providing a list of eligible children and young people, and their parent’s or carer’s contact details to the School Age Immunisation Service (SAIS) team

Sharing these contact details does not mean that a vaccine will be given. A parent or carer will need to give their consent for a vaccine to be given to their child.

There is a lawful basis for you to share information with school immunisation teams under article 6(1)(e) of UK GDPR. This states that the information can be shared if “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller ”.

This means that the school can share this information with immunisation programmes as it is in the public interest.

Sharing information with immunisation programmes is part of the exercise of a school’s official authority. Schools also have a duty to support wider public health.

Data protection laws do not prevent you from sharing personal data where it is appropriate to do so in a fair and lawful way, and in this instance it is beneficial to do so.