Part 2: Background to the GDPR

The GDPR, which became effective on 25 May 2018, is given effect in UK law through the Data Protection Act 2018. This means that, whether or not the UK is an EU member state, the provisions of the GDPR (with some small changes) have been implemented in UK law.

The GDPR sets out rules relating to the protection of the Personal Data of natural persons (called Data Subjects).

The GDPR protects the fundamental rights of Data Subjects, including specifically their right to the protection of Personal Data.

Important GDPR Definitions

The following definitions are used throughout the GDPR, and throughout the SWGfL GDPR guidance:

  1. Processing is any operation (including collection, recording, organising, storing, altering, using, and transmitting) performed on Personal Data.
  2. Personal Data is any information relating to a natural person (called a Data Subject) who can be (directly or indirectly) identified using that information.
  3. A Data Controller is a person, authority, agency or other body which determines the purposes and the means of Processing.
  4. A Data Processor is a person, authority, agency or other body which undertakes Processing on behalf of a Data Controller.

Does the GDPR apply to schools and colleges?

The GDPR does apply to schools and colleges in the UK.

All people or organisations that are Data Controllers or Data Processors (irrespective of their main functions) are required to comply with the GDPR. Its territorial scope (set out in Article 3) covers Processing where:

  1. The Data Controller is established in the EU;
  2. The Data Processor is established in the EU; or
  3. The Data Subject is in the EU, and the Processing relates to offering goods or services to that Data Subject, or to monitoring their behaviour, within the EU.

This means that the GDPR extends beyond the EU: if the Data Subject is in the EU but the Data Controller or Data Processor is not (e.g. it is in the US or India), the GDPR still applies to that Processing.

There are some exceptions to the application of the GDPR (set out in Article 2), being:

  1. Data Processing for activities that fall outside the scope of EU law;
  2. Data Processing by an individual for purely personal or household purposes; and
  3. Data Processing by competent authorities for the prevention, investigation, detection or prosecution of crime (this is governed by separate rules, in the UK by Part 3 of the Data Protection Act 2018).

So schools and colleges based in the UK are subject to the GDPR, and even schools and colleges outside the EU are subject to the GDPR where they offer services to, or monitor, pupils who are in the EU.

The GDPR applies to Personal Data that is Processed electronically, and also to Personal Data held in hard copy where it forms part of (or is intended to form part of) a filing system.

The GDPR does apply to schools, MATs and colleges.

Defining Personal Data

What is Personal Data? Personal Data is defined as any information relating to a natural person (called a Data Subject) who can be (directly or indirectly) identified using that information.

Examples of Personal Data include: name; identification number (e.g. National Insurance Number); location data (e.g. address or GPS data); and online identifiers (e.g. IP address).

Under the Data Protection Act 1998, the concept of Sensitive Personal Data was applied to Personal Data whose Processing, if not undertaken in a compliant manner, would likely result in greater harm to the Data Subject.

The GDPR replaces this with Special Category Personal Data (set out in Article 9.1), and it includes Personal Data revealing:

  1. racial or ethnic origin;
  2. political opinions;
  3. religious or philosophical beliefs; and
  4. trade union membership,

as well as:

  1. data concerning health, sex life or sexual orientation; and
  2. the processing of genetic data or biometric data for the purpose of uniquely identifying a natural person.

Processing of Special Category Personal Data is prohibited (Article 9.1) unless one of the conditions set out in Article 9.2 applies. More details on Special Category Personal Data under the GDPR are set out in part 7 of the SWGfL GDPR guidance.

The GDPR is concerned with Personal Data, which is data that identifies a living person (such as their name or email address) or allows them to be identified (such as their identification number, address, GPS data, or IP address).

Key GDPR Principles

The key principles of the GDPR (set out in Article 5) require that Personal Data shall be:

  1. Processed lawfully, fairly and transparently;
  2. Collected for specified, explicit and legitimate purposes, and not further Processed in a way that is incompatible with those purposes;
  3. Minimised (such that it is adequate, relevant and limited to what is necessary);
  4. Accurate and kept up to date, with inaccurate data erased or rectified without delay;
  5. Retained in identifiable form for no longer than necessary; and
  6. Processed securely (using appropriate organisational and technical measures).