Read our 7-step checklist covering key areas to help your school or trust achieve GDPR compliance.
You must appoint a Data Protection Officer (DPO) if you are a public authority. Some schools share a DPO via their multi-academy trust or in a federation with other schools. Each school must (whether it has its own DPO or not) have sufficient staff and skills to discharge its obligations under the GDPR.
The privacy notice discloses how a school gathers, uses, discloses and manages a child's, parent's or guardian's data. It fulfils a legal requirement to protect privacy. The GDPR sets out the information you should supply and when individuals should be informed. You can find model privacy notice documents for schools on gov.uk.
The regulations require that all the personal data you hold in your school is processed in a manner that ensures its security. This includes protection against unauthorised or unlawful processing and accidental loss, destruction or damage. More guidance is available on the ICO website.
A personal data breach is where a lapse in security leads to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. If there is a personal data breach, you must report it to the Information Commissioner’s Office within 72 hours of becoming aware of the breach. If there is a high risk to an individual, you should also inform the individual right away.
Make sure that you have a process in place to detect, investigate and report breaches, and keep records of any violations that do occur. You can find more information on personal data breaches on the ICO website.
People can now ask for access to the personal data about them that your school holds. This can be a verbal or written request to any person within your school, and you must respond within one month. Whereas previously you could charge for this service, in most circumstances this is no longer the case.
In summary, people can expect to receive the following:
You can read more about rights of access on the ICO website.
Third parties who manage data can include web uniform providers, school photographers and even website providers! Whenever you use third parties who handle personal data on your behalf, you must have a written contract (also known as a data processor agreement) that sets out the responsibilities of both parties when handling that data.
You can find out more about contracts on the ICO website.
Schools need to publish a statement of compliance outlining what they are doing to achieve GDPR compliance. This should be clear and visible on your website.
For more information, please refer to the ICO website.