The following definitions are used throughout the GDPR, and throughout the SWGfL GDPR guidance:
The protection of Personal Data in schools is a key priority.
Schools should take all reasonable steps to ensure the security of Personal Data and compliance with relevant legislation, including:
Note that there are changes expected to PECR in the near future.
Like the previous Data Protection Act 1998, which was the UK law corresponding to the EU Data Protection Directive, the Privacy and Electronic Communications Regulations 2003 is the UK law corresponding to the Privacy and Electronic Communications Directive 2002/58/EC.
Although an organisation such as a school that complied with the previous Data Protection Act 1998 will usually find compliance with the GDPR less challenging than an organisation that is less aware of its previous obligations, the GDPR has brought some key changes into effect, including:
Schools should understand the difference between the previous Data Protection Act 1998 and the GDPR (and Data Protection Act 2018).
At the core of data protection (and information security, or cyber security) is an effective risk management process.
Schools that have not identified and assessed their risks will be less likely to have effective controls in place that can mitigate them.
The risk, in this context, is where there is a threat posed to data and a vulnerability to that threat, where:
In risk assessment and analysis, it is also important to consider:
Data protection risks can be significant, both for the Data Subject and for the school.
Schools should take into account various factors in risk assessment and analysis, including:
Risks to data protection can be both internal and external, and both deliberate and accidental. Examples include:
Schools are ‘data rich’ and the introduction and widespread use of electronic storage, access to and transmission of data has created additional potential for the loss, damage or misuse of data.
Schools should implement an effective risk assessment and analysis process to understand and mitigate the risks associated with Processing.
Though compliance with the GDPR will require close and ongoing attention, and a good deal of expertise, there are ten steps below that all schools should take (or check they have taken), including:
Schools (as Data Controllers) will need to pay the data protection fee to the ICO.
An overview of Data Controller obligations and responsibilities is set out in part 5 of the SWGfL GDPR guidance, which can be found here.
In order to decide which lawful basis is applicable to a certain Processing activity, it is necessary to consider the purpose of that Processing and the relationship or connection with the Data Subject. As per the ICO’s guidance here, there are a number of elements to consider:
It should be noted that, if the purpose of the Processing changes, but the new purpose is compatible with the original purpose, it may be possible to continue processing under the original lawful basis.
Schools must identify and document the lawful basis for each Processing activity, and update and publish privacy information.
No one basis is better than another. The most appropriate lawful basis needs consideration in each case. A more detailed review of the six lawful bases is set out in part 3 of the SWGfL GDPR guidance, which can be found here.
See the ICO’s tool here or the SWGfL flow chart below for assistance in selecting the lawful basis that best fits the Processing.
Green arrows are for a ‘yes’ response and red arrows are for a ‘no’ response. Blue arrows in the lower layer of the flowchart indicate the conditions of the previous position.
A full-size PDF version of the flowchart is available here.
For many organisations, the legitimate interests basis is considered the most flexible; however:
For schools, then, it is likely that the legitimate interests basis will be less commonly used than it is by other organisations, but it will still have a use.
Below are some common purposes for each of the six lawful bases:
Schools are likely to consider the ‘legal obligation’ and ‘public interests’ bases appropriate for much of their Processing; however, assessment and analysis of each Processing activity is still required.
As set out above, the GDPR is not purely concerned with ‘consent’; in fact, the majority of Processing in schools is likely to use one of the other five lawful bases. However, some Processing may still take place using ‘consent’ as the lawful basis.
When Processing Personal Data using the ‘consent’ basis (as opposed to one of the other lawful bases set out in Part 3 which can be found here), there are specific conditions to observe (as also set out in Part 3):
Where ‘consent’ is the lawful basis, and the Data Subject is a child (e.g. a learner in a school), additional conditions apply.
This is one area in which the Data Protection Act 2018 differs from the GDPR. In the UK under the Data Protection Act 2018, a child is a person under 13 years old, whereas under the GDPR a child is under 16 years old.
These additional conditions are:
The ‘consent’ lawful basis may be useful to schools for certain Processing (e.g. marketing). Where it is used, schools must: