What data protection means for schools
Data protection legislation, and who and what it’s intended to protect.
Good data protection practices ensure that an organisation and the individuals within it can be trusted to collect, store and use our personal data fairly, safely and lawfully.
All those who process others’ personal data have to follow strict rules.
These rules are set primarily by:
The UK GDPR sets out 7 key principles that should guide you in processing personal data.
Those principles are:
- lawfulness, fairness and transparency
- purpose limitation
- data minimisation
- accuracy
- storage limitation
- integrity and confidentiality (security)
- accountability
You can read more about the personal data processing principles on the website of the Information Commissioner’s Office (ICO). The ICO is the independent body that upholds the UK’s information rights.
Personal data is information that relates to an identified or identifiable living individual.
In a school, examples of personal data include:
- identity details (for example, a name, title or role)
- contact details (for example, an address or a telephone number)
- information about pupil behaviour and attendance
- assessment and exam results
- staff recruitment information
- staff contracts
- staff development reviews
- staff and pupil references
Special category data is personal data that’s considered more sensitive and given greater protection in law.
Special category data includes:
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade-union membership
- genetic information
- biometric information (for example, a fingerprint)
- health matters (for example, medical information)
- sexual matters or sexual orientation
In a school, it would be best practice to also treat as special category data any personal data about:
- a safeguarding matter
- pupils in receipt of pupil premium
- pupils with special educational needs and disability (SEND)
- children in need (CIN)
- children looked after by a local authority (CLA)
Criminal offence data is personal data that’s treated in a similarly sensitive way to special category data. It records criminal convictions and offences or related security measures.
Criminal offence data includes:
- the alleged committing of an offence
- the legal proceedings for an offence that was committed or alleged to have been committed, including sentencing
Schools process criminal offence data in storing the outcome of a Disclosure and Barring Service (DBS) check on their employees, non-employed staff and volunteers. As this data relates to criminal convictions, collecting and retaining it means the school is processing criminal offence data. This applies even though the check has not revealed any conviction.
You can read about handling DBS data in the statutory guidance on keeping children safe in education.
Schools collect, store and use personal data about a variety of individuals. In this context, those individuals are known as data subjects.
A school’s data subjects include:
- pupils and former pupils
- parents and carers
- employees and non-employed staff
- governors and trustees
- local-authority personnel
- volunteers, visitors and applicants
Schools hold personal data in several forms. These are collectively known as its data assets.
Data assets comprise:
- data items – single pieces of information
- data item groups – data items about the same process
- data sets – collections of related data that can be manipulated as a unit by a computer
- systems – administrative software
- system groups – the larger systems housing administrative software
A data breach is a security incident that results in personal data a school holds being:
- lost or stolen
- destroyed without consent
- changed without consent
- accessed by someone without permission
Data breaches can be deliberate or accidental. A breach is about more than just losing personal data.