A teacher's guide to the General Data Protection Regulation and what it means for your school
The General Data Protection Regulation (GDPR) is the European Union’s new framework for data protection laws. It comes into effect on 25 May 2018 and applies to all organisations, including schools, which process (i.e. store, access and/or collect) personal data.
This document outlines what the GDPR is, and what it means for schools. It also sets out possible next steps to prepare your school for when it comes into force. This document does not constitute legal advice and should be used in conjunction with your own source of legal advice. No liability will be accepted in respect of use of this advice.
The GDPR defines data protection for all EU member states and sets out the rules around how to handle personal data. Each EU member state has a supervisory authority – an independent body that oversees data protection issues. In the UK this is the Information Commissioner’s Office (ICO).
Will it apply after the UK leaves the European Union?
Yes. Whilst the UK is leaving the EU and some of this process is still unclear, the UK government has confirmed that the GDPR will continue to apply after the UK leaves the EU.
Does it apply to my school?
Yes. Schools have always held personal data on the students in their care. This data is increasingly held digitally and accessible not just in school but also from remote locations. The GDPR applies to all forms of personal data, whether it is held electronically, in structured manual files, or in paper documents created with the intention that they will form part of a structured manual file.
What should my school do?
Every school is different so the steps you need to take may vary. Here are some of the key steps you need to be aware of – but bear in mind this is not a complete list:
1. Discuss GDPR
It is important your school’s Headteacher and their Senior Leadership Team understand how GDPR will apply to both learners’ data, and the large amount of staff personal data that your school processes. There is a variety of help and advice available online. Information provided by the Information Commissioners Office can help you take the first steps towards compliance.
2. Register as a data controller
As a school processing personal data, you must be registered with the ICO as a data controller.
3. Consider carrying out a data audit
Having a clear understanding of what data you have and where it is will allow you to ensure it is stored safely and appropriately.
4. Appoint a Data Protection Officer
This is a new requirement with GDPR. This guide helps explain this complex area.
5. Review consent
Consent is defined as a “freely given, specific, informed and unambiguous indication of the individual’s wishes… by a statement or by a clear affirmative action” (Data Protection Bill 2017, Chapter 1, Part 4, Clause 82 (2)). As a school, you need to review consent, and also be aware that consent is only one of six lawful bases for processing data.
6. Train staff
All staff should receive data protection training. Teachers and Support staff will come into contact with and process personal data. Make sure everyone is included and understands their obligations. The training provided to staff must be tailored to the data that they will be processing on a day to day basis. Training should happen regularly.
7. Check your data protection policy
A clear data protection policy that helps staff know what their obligations are and how to perform them can be invaluable in securely protecting your data. Do you have a policy? When was it last reviewed? Have all staff been trained on it? Have all staff read it?
8. Involve school governors
Governors can be a great source of support and expertise. As part of the senior leadership team, they also have a responsibility for school data.
9. Establish disaster-management and incident-recovery plans
Having good, well-tested and easy to follow incident-management and recovery plans can help your school recover quickly from data loss or a cyber attack. Better still, they can help prevent issues happening in the first place.
10. Support
There is a lot of information available about GDPR. We suggest that you start by reading the guidance available on the ICO's website. If you require additional support you should look to the local authority. If you do decide you need more specialist support (such as from lawyers or consultants), you should do some due diligence into their experience and knowledge before instructing them.
Consider the above list as a starting point to help you protect personal data processed by your school and get ready for GDPR. The current data protection act places a statutory requirement upon schools to comply and GDPR is an evolution of these requirements.
The 25 May 2018 should not be viewed as a finishing line, it is crucial that you take early action so that on this date you have already started to develop an accountability approach to data protection and started to change staff thinking to a world where data protection is a key consideration for everyone.