Part 4: GDPR Guidance for Schools

It is anticipated that schools, Multi Academy Trusts (MATs) and colleges will use this advice and guidance alongside their own policies. It is intended to assist schools, MATs and colleges with understanding the GDPR and with identifying steps that can be taken to improve data protection; it is not intended to provide legal advice and schools, MATs and colleges should seek their own legal advice when considering the management of Personal Data.

The term “school” is used to refer to a range of educational establishments (including MATs and colleges) and the term “learner” to refer to the children or young people at the school.

Parts 1, 2 and 3 of the SWGfL GDPR Guidance introduce aspects of the GDPR. This part 4 covers some key areas that schools need to focus on, including changes that the GDPR has brought in, risk management, deciding what lawful basis applies to Processing, and how to manage 'consent' in schools. For more detailed, specific aspects of the GDPR, the remaining parts of the SWGfL GDPR Guidance can be used.

Important GDPR Definitions

The following definitions are used throughout the GDPR, and throughout the SWGfL GDPR guidance:

  1. Processing is any operation (including collection, recording, organising, storing, altering, using, and transmitting) performed on Personal Data.
  2. Personal Data is any information relating to a natural person (called a Data Subject) who can be (directly or indirectly) identified using that information.
  3. A Data Controller is a person, authority, agency or other body which determines the purposes and the means of Processing.
  4. A Data Processor is a person, authority, agency or other body which undertakes Processing on behalf of a Data Controller.

Introduction to Data Protection Legislation

The protection of Personal Data in schools is a key priority.

Schools should take all reasonable steps to ensure the security of Personal Data and compliance with relevant legislation, including:

  1. the Data Protection Act 2018;
  2. the General Data Protection Regulation (EU) 2016/679 (GDPR);
  3. the Freedom of Information Act 2000 (FOIA); and
  4. the Privacy and Electronic Communications Regulations 2003 (PECR).

Note that there are changes expected to PECR in the near future.

Like the previous Data Protection Act 1998, which was the UK law corresponding to the EU Data Protection Directive, the Privacy and Electronic Communications Regulations 2003 is the UK law corresponding to the Privacy and Electronic Communications Directive 2002/58/EC.

And like the GDPR, a regulation which replaced the previous directive, the ePrivacy Regulation (ePR) will repeal the Privacy and Electronic Communications Directive and operate alongside the GDPR, regulating such areas as requirements for consent to the use of cookies and opt-out options.

Changes to data protection with the GDPR

Although an organisation such as a school that complied with the previous Data Protection Act 1998 will usually find compliance with the GDPR less challenging than an organisation that was less aware of its previous obligations, the GDPR has brought in some key changes, including:

  1. What Personal Data is: the definition of Personal Data has changed under the GDPR, as technology and its use have moved on massively in the 20 years between the two pieces of legislation;
  2. The rights of Data Subjects: the GDPR gives the individual (or Data Subject) greater rights;
  3. Explicit consent: the GDPR requires that consent be a deliberate, explicit ‘opt-in’ (rather than a failure to opt-out);
  4. Data Processor obligations: the GDPR applies to both Data Controllers and Data Processors (while the Data Protection Act 1998 applied only to Data Controllers);
  5. Security: the GDPR expects security controls will be in place, and specifically mentions encryption and pseudonymisation (as these are considered affordable, accessible and effective means of protecting data);
  6. Risk management: the GDPR sets out a number of specific situations in which the risk of Processing must be assessed;
  7. Data breach management: the GDPR obligates Data Controllers to notify their Supervisory Authority (being the ICO in the UK) of data breaches within 72 hours;
  8. Data Protection Officer (DPO): public authorities and large organisations are required under the GDPR to appoint a DPO;
  9. Administrative fines: the GDPR allows a Supervisory Authority (the ICO) to issue fines of up to 20 million euros (roughly £17 million) or 4% of annual turnover, while the Data Protection Act 1998 was limited to £0.5 million; and
  10. Geographical application: the GDPR applies where the Data Controller, the Data Processor, or the Data Subject is based in the EU.

Schools should understand the difference between the previous Data Protection Act 1998 and the GDPR (and Data Protection Act 2018).

Risk Management

At the core of data protection (and information security, or cyber security) is an effective risk management process.

Schools that have not identified and assessed their risks will be less likely to have effective controls in place that can mitigate them.

A risk, in this context, exists where there is a threat to data and a vulnerability that the threat could exploit, where:

  • a vulnerability is a weakness that could allow a threat to compromise data; and
  • a threat is the danger that a vulnerability may be exploited.

In risk assessment and analysis, it is also important to consider:

  • the likelihood (or probability) of the threat; and
  • the impact if the vulnerability is exploited.

Data protection risks can be significant, both for the Data Subject and for the school.

Schools should take into account various factors in risk assessment and analysis, including:

  1. loss of or damage to data (e.g. data breaches);
  2. reputational damage following a data breach; and
  3. being subject to the investigative, corrective, and authorisation and advisory powers (including administrative fines) of the supervisory authority (being the Information Commissioner’s Office (or ICO) in the UK).

Risks to data protection can be both internal and external, and both deliberate and accidental. Examples include:

  1. theft (e.g. a hardware device containing Personal Data being stolen);
  2. a deliberate attack on school systems (e.g. by an external attacker);
  3. unauthorised or malicious use of Personal Data (e.g. by a member of staff);
  4. accidental loss (e.g. a portable storage device being lost); and
  5. equipment failure (e.g. a disk failure in a server).

Schools are ‘data rich’ and the introduction and widespread use of electronic storage, access to and transmission of data has created additional potential for the loss, damage or misuse of data.

Schools should implement an effective risk assessment and analysis process to understand and mitigate the risks associated with Processing.

Key Areas for Schools to Focus on

Though compliance with the GDPR will require close and ongoing attention, and a good deal of expertise, there are ten steps below that all schools should take (or check they have taken), including:

  1. Policies: it is important that clear and well understood policies are in place to minimise risk by correctly directing Processing activities. Review and update your policies;
  2. Data mapping: if you don’t know where your data is, you cannot secure it against loss, damage or misuse, and you cannot be sure it is being Processed in compliance with the GDPR. Create and maintain a data map;
  3. Management (or administrative) controls: in addition to and supported by policies, effective processes and procedures should ensure that Personal Data is Processed in the manner the school expects and requires (as set out in the policies). Design and put in place appropriate management controls;
  4. Logical (or technical) controls: schools should have appropriate software and hardware in place to allow Processing to be undertaken in compliance with the GDPR. Design and put in place appropriate logical controls;
  5. Operational (or physical) controls: in addition to logical controls, schools should have in place suitable operational controls to help secure Processing (e.g. locking doors or storage areas where Personal Data is kept). Design and put in place appropriate operational controls;
  6. Training: regular staff training is an important component in mitigating risk and achieving and maintaining compliance with the GDPR. Provide regular staff training;
  7. Records: the GDPR requires Data Controllers to be able to demonstrate compliance, which requires records to be kept in relation to Processing activities (including the purpose of Processing and the applicable ‘lawful basis’). Maintain effective Processing records;
  8. Information assets: schools are generally good at monitoring physical assets (like laptops), but less so at monitoring ‘information assets’. An information asset can be defined as “a body or item of information, or an information processing or storage system, to which the school attaches value”. Monitor information assets;
  9. Retention: as storage of data is part of Processing, it is important to establish how long Personal Data will be retained. Create and implement a data retention policy; and
  10. Decide on the DPO: as schools are public authorities for the purposes of the GDPR, schools are required to have a Data Protection Officer (DPO). More details on the DPO can be found in part 9 of the SWGfL GDPR guidance, which can be found here. Decide on a DPO.

Schools should:

  1. Review and update relevant policies;
  2. Create and maintain a data map;
  3. Put in place ‘management’ controls;
  4. Put in place ‘logical’ controls;
  5. Put in place ‘operational’ controls;
  6. Provide regular staff training;
  7. Maintain records of Processing;
  8. Monitor ‘information assets’;
  9. Implement a data retention policy; and
  10. Decide on a DPO.

Schools are Data Controllers

Schools, MATs and colleges are Data Controllers. Schools should therefore have the appropriate registration with the ICO, which can be viewed here. Some exemptions apply, noted here.

Schools (as Data Controllers) will need to pay the data protection fee to the ICO.

An overview of Data Controller obligations and responsibilities is set out in part 5 of the SWGfL GDPR guidance, which can be found here.

Which Lawful Basis to use

In order to decide which lawful basis is applicable to a certain Processing activity, it is necessary to consider the purpose of that Processing and the relationship or connection with the Data Subject. As per the ICO’s guidance here, there are a number of elements to consider:

  1. If the Processing is not necessary, most lawful bases will not be applicable. If the purpose can be achieved without the Processing, it will not be supported by a lawful basis;
  2. The lawful basis must be determined before Processing commences, and should be documented;
  3. Selecting the most appropriate lawful basis at the start is important, as changing it after Processing has commenced is not advisable (and is not usually possible if the original basis was ‘consent’);
  4. The published privacy information should set out the lawful basis being used and the purposes of the Processing; and
  5. Where Special Category Personal Data, or criminal conviction data or data about offences, is Processed, an additional condition must be satisfied in addition to a lawful basis. An overview of Special Category Personal Data is set out in part 5 of the SWGfL GDPR guidance, which can be found here.

It should be noted that, if the purpose of the Processing changes, but the new purpose is compatible with the original purpose, it may be possible to continue processing under the original lawful basis.

Schools must identify and document the lawful basis for each Processing activity, and update and publish privacy information.

No one basis is better than another. The most appropriate lawful basis needs consideration in each case. A more detailed review of the six lawful bases is set out in part 3 of the SWGfL GDPR guidance, which can be found here.

Selecting a Lawful Basis

See the ICO’s tool here or the SWGfL flow chart below for assistance in selecting the lawful basis that best fits the Processing.

Green arrows are for a ‘yes’ response and red arrows are for a ‘no’ response. Blue arrows in the lower layer of the flowchart indicate the conditions of the previous position.

A full-size PDF version of the flowchart is available here.

Example Uses for each Lawful Basis in Schools

For many organisations, the legitimate interests basis is considered the most flexible, however:

  1. it is not applicable to Processing carried out by public authorities (those subject to the Freedom of Information Act 2000 (FOIA) or the Freedom of Information Act (Scotland) 2002 in Scotland) in the performance of their public tasks;
  2. Data Controllers have additional responsibility for considering Data Subject rights and interests, and for justifying the Processing. If a Data Subject would not expect the Processing, or it causes them harm, their interests may override the legitimate interests of the Data Controller; and
  3. Data Controllers should keep a record of their ‘Legitimate Interests Assessment’ (LIA) as part of demonstrating compliance, and include the details of the legitimate interests they are pursuing in published privacy information.

For schools, then, legitimate interests is likely to be used less commonly than it is by other organisations, but it will still have a use.

Below are some common purposes for each of the six lawful bases:

  1. Consent: schools may find this useful for marketing. Note that this ‘consent’ is different to the consent schools may use for other operational purposes (e.g. parental consent for a learner to attend a school visit).
  2. Contract: schools are not likely to use ‘necessary for contract’ as often as the other lawful bases. The contract basis is appropriate when there will be a contract between the school and the Data Subject. It may be appropriate where contracts are formed between the school and parents for certain purposes (e.g. an after-school club or trip).
  3. Legal obligation: there are a range of legal obligations that schools are required to comply with, set out in law or statutory guidance. Where this is the case, it may be appropriate to use the ‘necessary for legal obligation’ lawful basis for the required Processing.
  4. Vital interests: as this lawful basis is concerned with the protection of life where the Data Subject is unable to provide consent, it is conceivable that schools might rely upon it for the provision of emergency medical care (e.g. where a learner has had a serious accident, and Personal Data (such as medical records) needs to be provided to ambulance staff).
  5. Public interests: the Education Act 1996 requires that schools operate and that children in England and Wales aged five to 16 receive full-time education. Schools are therefore undertaking a public task (defined in the GDPR (Article 6e) as “a task carried out in the public interest or in the exercise of official authority vested in the school”), and it is likely that a considerable proportion of Processing in schools – providing of course that it is necessary for this ‘public task’ purpose – would be supported by the ‘public interests’ lawful basis.
  6. Legitimate interests: where schools undertake activities that are not fundamental education activities, such as letting out school facilities, arranging or facilitating after-school or extra-curricular activities, or sporting events not part of taught sports in the school, it could be that the school would have a legitimate interest in undertaking Processing of Personal Data.

Schools are likely to consider the ‘legal obligation’ and ‘public interests’ bases appropriate for much of their Processing; however, assessment and analysis of each Processing activity is still required.

Managing Consent in Schools

As set out above, the GDPR is not purely concerned with ‘consent’; in fact, the majority of Processing in schools is likely to use one of the other five lawful bases. However, some Processing may still take place using ‘consent’ as the lawful basis.

When Processing Personal Data using the ‘consent’ basis (as opposed to one of the other lawful bases set out in Part 3 which can be found here), there are specific conditions to observe (as also set out in Part 3):

  1. The Data Controller must be able to demonstrate (or prove) that the Data Subject has provided consent (Articles 5.2 and 7.1);
  2. When requesting consent, Data Controllers must do so in an easily accessible form using plain and clear language;
  3. The Data Subject must be able to withdraw consent at any time, as easily as they provided it; and
  4. Consent must be freely given and not as a condition of providing something (e.g. a service).

Where ‘consent’ is the lawful basis, and the Data Subject is a child (e.g. a learner in a school), additional conditions apply.

This is one area in which the Data Protection Act 2018 differs from the GDPR. In the UK under the Data Protection Act 2018, a child is a person under 13 years old, whereas under the GDPR a child is under 16 years old.

These additional conditions are:

  1. that consent is given or authorised by the holder of parental responsibility over the child; and
  2. that the Data Controller takes reasonable steps to verify that consent is so given or authorised.

The ‘consent’ lawful basis may be useful to schools for certain Processing (e.g. marketing). Where it is used, schools must:

  1. prove the consent was given (i.e. keep a record of it);
  2. request the consent in a simple way;
  3. allow the consent to be withdrawn, also in a simple way; and
  4. make sure the consent is freely given (i.e. not a condition of something else).