Part 5: GDPR Rights and Obligations

This part of the SWGfL GDPR guidance explains two closely linked areas of the GDPR:

  • the rights of Data Subjects
  • the obligations of Data Controllers, including schools

In practice, this means understanding what individuals are entitled to ask for under the GDPR, and what schools must do in response.

Important GDPR Definitions

The following terms are used throughout the GDPR and throughout SWGfL GDPR guidance.

What is Processing?

Processing means any operation carried out on Personal Data.

This includes collecting, recording, organising, storing, altering, using and transmitting Personal Data.

What is Personal Data?

Personal Data means any information relating to a natural person, called a Data Subject, who can be identified directly or indirectly from that information.

What is a Data Controller?

A Data Controller is a person, authority, agency or other body that decides why Personal Data is processed and how that processing takes place.

For the purposes of this guidance, schools are Data Controllers.

What is a Data Processor?

A Data Processor is a person, authority, agency or other body that processes Personal Data on behalf of a Data Controller.

The Rights of Data Subjects

The GDPR expanded the rights of Data Subjects compared with the Data Protection Act 1998.

A Data Subject now has the following rights.

1. The right to transparency

Under Article 12, Data Controllers must provide information to Data Subjects in a transparent, easily accessible form, using clear and plain language.

This means schools should explain data protection information in a way that people can actually understand.

2. The right to be given information

Under Articles 13 and 14, Data Subjects have the right to be told key information about how their Personal Data is used.

This applies:

  • when Personal Data is collected directly from the Data Subject, under Article 13
  • when Personal Data is collected from another source, under Article 14

In both cases, the Data Controller must provide the required information set out by the GDPR.

3. The right of access

Under Article 15, a Data Subject can ask a Data Controller to:

  • confirm whether their Personal Data is being processed
  • provide a copy of their Personal Data
  • explain why the Personal Data is being processed
  • confirm which categories of Personal Data are involved
  • confirm which organisations the Personal Data has been shared with, or will be shared with
  • confirm how long the Personal Data will be kept, or how that period is decided
  • explain where the Personal Data came from, if it was not collected from the Data Subject
  • provide other related information required by the GDPR, such as whether automated decision-making (including profiling) is used

In practice this is a Subject Access Request (SAR): the Data Subject’s right to access the Personal Data held about them.

4. The right to rectification

Under Article 16, a Data Subject can require a Data Controller to correct inaccurate Personal Data.

If information held about a person is wrong or incomplete, they have the right to ask for it to be put right.

5. The right to erasure

Under Article 17, a Data Subject can ask for Personal Data to be erased. This is often called the right to be forgotten.

A Data Subject can require erasure where:

  • the Personal Data is no longer needed for the purpose or purposes it was collected for
  • the Data Subject withdraws consent and there is no other lawful basis for the processing
  • the Data Subject objects to the processing under Article 21 and there are no overriding legitimate grounds for continuing
  • the Personal Data has been processed unlawfully

However, this right is not absolute. Under Article 17(3) it does not apply where the processing is necessary:

  • to comply with a legal obligation on the Data Controller
  • to perform a task carried out in the public interest
  • to exercise official authority vested in the Data Controller
  • to establish, exercise or defend legal claims

For schools, this is an important limitation. A request to erase data does not automatically mean the school must delete it: each request has to be checked against the lawful basis on which the data is held, and data a school keeps to meet a legal obligation or to perform its public task can be retained.

6. The right to restriction of processing

Under Article 18, a Data Subject can require a Data Controller to restrict processing where:

  • the Data Subject disputes the accuracy of the Personal Data, for long enough for the Data Controller to verify it
  • the processing is unlawful, but the Data Subject prefers restriction to erasure
  • the Data Controller no longer needs the Personal Data, but the Data Subject needs it to establish, exercise or defend legal claims
  • the Data Subject has objected under Article 21, pending a decision on whether the Data Controller’s legitimate grounds override the objection

Restriction means the data is kept but not otherwise used while the issue is being considered or resolved. Under Article 18(2), restricted data may only be stored, unless the Data Subject consents to further processing or it is needed for legal claims, to protect another person’s rights, or for important reasons of public interest. The Data Controller must also tell the Data Subject before a restriction is lifted.

7. The right to have recipients notified

Under Article 19, where a Data Controller has carried out:

  • rectification under Article 16
  • erasure under Article 17
  • restriction under Article 18

it must communicate this to each recipient to whom the Personal Data has been disclosed, unless that proves impossible or involves disproportionate effort. If the Data Subject asks, the Data Controller must also tell them who those recipients are.

In other words, a correction, deletion or restriction has to be passed on to the organisations the data was shared with, and the individual is entitled to know who was told. For a school, this means keeping track of which suppliers and agencies have received a pupil’s data, so that a change can be propagated to all of them.

8. The right to data portability

Under Article 20, a Data Subject can ask to receive their Personal Data in a structured, commonly used and machine-readable format, and to have it transmitted directly to another Data Controller where that is technically feasible.

This right applies only where both:

  • the processing is based on consent or on a contract, and
  • the processing is carried out by automated means

This right is designed to help individuals reuse or move their data between services. It does not apply to processing based on public task or legal obligation, which a school will rely on for much of what it does, so in practice portability requests to schools will be limited.

9. The right to object

Under Article 21, a Data Subject can object to processing that relies on the public task or legitimate interests lawful basis, on grounds relating to their particular situation. They also have an unconditional right to object to processing for direct marketing.

Where the objection concerns public task or legitimate interests, the Data Controller must stop the processing unless it can show compelling legitimate grounds that override the interests, rights and freedoms of the Data Subject, or the processing is needed to establish, exercise or defend legal claims. An objection to direct marketing must always be honoured.

10. Rights relating to automated decision-making and profiling

Article 22 gives Data Subjects the right not to be subject to a decision based solely on automated processing, including profiling, where that decision produces legal effects concerning them or similarly significantly affects them.

The right does not apply where the decision is necessary for a contract with the Data Subject, is authorised by law with suitable safeguards, or is based on the Data Subject’s explicit consent. Even in the contract and consent cases, the Data Controller must allow the Data Subject to obtain human intervention, express their point of view and contest the decision.

In practice, this means a school should not let an automated system alone make a decision that significantly affects a pupil or member of staff without a person being able to review it.

What do these rights mean for schools?

Schools should consider these rights carefully.

Failing to respect the rights of Data Subjects can expose a school to the higher levels of investigative, corrective, authorisation and advisory action available to the Information Commissioner’s Office, including administrative fines.

In practical terms, schools must be ready to recognise, respond to and support the rights of Data Subjects. This includes the right to:

  • receive information in a clear and understandable way
  • be given information about how Personal Data is collected and used
  • access their Personal Data
  • have inaccurate Personal Data corrected
  • have Personal Data erased where the law allows
  • restrict processing in certain circumstances
  • have recipients of their Personal Data told about any rectification, erasure or restriction, and be told who those recipients are on request
  • receive Personal Data in a portable format where data portability applies
  • object to processing in certain circumstances
  • not be subject to decisions based solely on automated processing where Article 22 applies

The Data Subject’s right to be given information

When collecting Personal Data, whether directly from the Data Subject or from another source, Data Controllers must provide Data Subjects with information about that processing.

This is a core part of fairness and transparency under the GDPR.

In simple terms, people have the right to know:

  • who is using their Personal Data
  • why it is being used
  • where it came from, if it was not collected directly from them
  • what happens to it next

For schools, this means privacy information must be clear, accessible and provided at the right time.

The table below shows which items must be provided when Personal Data is collected directly from the Data Subject (Article 13) and when it is collected from another source (Article 14).

Art 13  Art 14  Information to be provided
  Yes     Yes   The name and contact details of the Data Controller and the Data Controller’s representative
  Yes     Yes   The contact details of the Data Protection Officer
  Yes     Yes   The purposes of the Processing and the lawful basis for the Processing
  No      Yes   The categories of Personal Data collected
  Yes     Yes   The legitimate interests pursued (where the Processing is based on legitimate interests)
  Yes     Yes   The recipients (or categories of recipients) of the Personal Data
  Yes     Yes   Details of any intended transfers of the Personal Data outside the EU
  Yes     Yes   The retention period for the Personal Data
  Yes     Yes   The Data Subject’s rights
  Yes     Yes   The Data Subject’s right to withdraw their consent (where the Processing is based on consent)
  Yes     Yes   The right to complain to the ICO (or another supervisory authority)
  No      Yes   The source of the Personal Data
  Yes     No    Whether the Data Subject is required to provide the Personal Data under a statutory or contractual obligation, and the consequences of not providing it
  Yes     Yes   The details of any automated decision-making (including profiling)

Under Article 13 this information must be given at the time the data is collected. Under Article 14 it must be given within a reasonable period of obtaining the data and at the latest within one month, or at the first communication with the Data Subject, or when the data is first disclosed to another recipient, whichever comes first.

Data Controller Obligations and Responsibilities

Schools are Data Controllers. That means they are responsible for making sure Personal Data is handled in line with the GDPR.

This section explains the main responsibilities that sit with Data Controllers, including schools, and also sets out what schools need to do when they use Data Processors.

What are Data Controllers required to do?

In addition to the responsibilities already covered in earlier parts of this guidance, Data Controllers must meet a number of core GDPR requirements.

Pay the data protection fee

Data Controllers must have the appropriate registration with the ICO and pay the data protection fee.

Comply with the GDPR principles

Under Article 5, all Processing, including the storage of Personal Data, must meet the core data protection principles.

This means Personal Data must be:

  • processed lawfully, fairly and transparently (lawfulness, fairness and transparency)
  • collected for specified, explicit and legitimate purposes, and not further processed in a way that is incompatible with those purposes (purpose limitation)
  • adequate, relevant and limited to what is necessary (data minimisation)
  • accurate and, where necessary, kept up to date (accuracy)
  • kept in a form that identifies Data Subjects for no longer than necessary (storage limitation)
  • processed securely, using appropriate technical and organisational measures to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage (integrity and confidentiality)

Be able to demonstrate compliance

Under Article 5(2), Data Controllers are not only responsible for complying with the principles, but also for being able to demonstrate that they comply.

This is often referred to as accountability.

Only carry out lawful Processing

Under Article 6, Processing must only take place where there is a lawful basis.

The six lawful bases in Article 6(1) are:

  • the Data Subject has given consent to the processing for one or more specific purposes
  • the Processing is necessary for the performance of a contract with the Data Subject
  • the Processing is necessary to comply with a legal obligation on the Data Controller
  • the Processing is necessary to protect someone’s vital interests
  • the Processing is necessary for the performance of a public task, or for the exercise of official authority vested in the Data Controller
  • the Processing is necessary for the purposes of legitimate interests pursued by the Data Controller or a third party, except where those interests are overridden by the interests, rights and freedoms of the Data Subject

Two points matter here for schools. Consent under Article 6 does not have to be "explicit" (explicit consent is the stricter Article 9 condition for Special Category Personal Data), but it must be freely given, specific, informed and unambiguous, and the Data Subject can withdraw it at any time. Separately, Article 6(1) states that the legitimate interests basis is not available to public authorities for processing carried out in the performance of their tasks, so a school will usually need to rely on public task or legal obligation for its core activities.

In practice, schools need to make sure that every use of Personal Data is supported by an appropriate lawful basis, identified and recorded before the Processing starts.

Observe the rights of Data Subjects

Data Controllers must respect the rights of Data Subjects under Articles 12 to 22.

This includes responding to Subject Access Requests and supporting the other rights explained earlier in this guidance.

Additional GDPR obligations for Data Controllers

The GDPR also requires Data Controllers to take a number of practical and organisational steps.

Take appropriate measures

Under Article 24, Data Controllers must put in place appropriate technical and organisational measures to ensure, and demonstrate, compliance with the GDPR.

This includes having suitable data protection policies.

Apply data protection by design and by default

Under Article 25, Data Controllers must build data protection into systems, procedures and ways of working.

They must also make sure that, by default, only the Personal Data that is necessary for each purpose is processed.

This includes limiting:

  • how much data is collected
  • how widely it is used
  • how long it is kept
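The minimisation and retention points above are easiest to see in code. The following is an added example written for this page, not SWGfL guidance material or any product's code: a small Python access layer for a school's pupil records in which every purpose must be registered with a lawful basis (Article 6), each purpose receives only the fields it needs (Article 25 data protection by default), records past the purpose's retention period are dropped (Article 5 storage limitation), and records under an Article 18 restriction are withheld from routine use. The purpose register, the pupil records and the "as of" date are all constructed for the example.

```python
from datetime import date, timedelta

# Constructed purpose register (an assumption for this example). Each
# registered purpose records its Article 6 lawful basis, the minimum set of
# fields it needs (data protection by default) and its retention period.
PURPOSE_REGISTER = {
    "attendance_register": {
        "lawful_basis": "public task",
        "fields": frozenset({"pupil_id", "name", "form", "attendance_pct"}),
        "retention_days": 3 * 365,
    },
    "catering": {
        "lawful_basis": "public task",
        "fields": frozenset({"pupil_id", "name", "dietary_needs"}),
        "retention_days": 365,
    },
}

# Constructed sample records; not real people. 'restricted' marks a record
# whose processing the Data Subject has had restricted under Article 18.
PUPILS = [
    {"pupil_id": "P001", "name": "A. Example", "form": "7B", "attendance_pct": 97,
     "dietary_needs": "nut allergy", "home_address": "1 Sample Street",
     "collected_on": date(2024, 9, 1), "restricted": False},
    {"pupil_id": "P002", "name": "B. Example", "form": "7B", "attendance_pct": 88,
     "dietary_needs": "none", "home_address": "2 Sample Street",
     "collected_on": date(2024, 9, 1), "restricted": True},
    {"pupil_id": "P003", "name": "C. Example", "form": "11A", "attendance_pct": 91,
     "dietary_needs": "vegetarian", "home_address": "3 Sample Street",
     "collected_on": date(2019, 9, 1), "restricted": False},
]

AS_OF = date(2025, 6, 1)  # fixed "today" so the example is reproducible


class NoLawfulBasis(PermissionError):
    """Raised when a caller names a purpose with no entry in the register."""


def retention_expired(record, purpose, today):
    """True if the record is older than the retention period for the purpose."""
    keep_for = timedelta(days=PURPOSE_REGISTER[purpose]["retention_days"])
    return today - record["collected_on"] > keep_for


def release(records, purpose, today=AS_OF):
    """Return only the fields `purpose` needs, for only the records it may use.

    Unregistered purposes are refused (no lawful basis on file), records past
    retention are dropped, and restricted records are withheld from routine
    processing. Callers never receive fields outside the purpose's allowlist.
    """
    if purpose not in PURPOSE_REGISTER:
        raise NoLawfulBasis(f"no lawful basis registered for purpose {purpose!r}")
    allowed = PURPOSE_REGISTER[purpose]["fields"]
    released = []
    for rec in records:
        if rec["restricted"] or retention_expired(rec, purpose, today):
            continue
        released.append({k: v for k, v in rec.items() if k in allowed})
    return released


def due_for_deletion(records, today=AS_OF):
    """Records past retention for every registered purpose (storage limitation)."""
    return [rec for rec in records
            if all(retention_expired(rec, p, today) for p in PURPOSE_REGISTER)]


if __name__ == "__main__":
    for row in release(PUPILS, "catering"):
        print(row)
    print("due for deletion:", [r["pupil_id"] for r in due_for_deletion(PUPILS)])
```

Run as written, it prints the catering view of the one live, unrestricted record, with no form, attendance or address fields, and reports P003 as due for deletion. The Article 18(2) exceptions that allow restricted data to be processed for legal claims or to protect another person are not modelled; a real system would register those as their own purposes rather than letting callers bypass the check.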

Keep records of Processing activities

Under Article 30, Data Controllers must maintain records of their Processing activities.

These records should include:

  • the name and contact details of the Data Controller, the Data Controller’s representative and the Data Protection Officer
  • the purposes of the Processing and the lawful basis for it
  • the categories of Data Subjects and categories of Personal Data
  • the recipients, or categories of recipients, of the Personal Data
  • details of any intended transfers of Personal Data outside the EU
  • the retention period for the Personal Data
  • the general technical and organisational security measures used

As schools are Data Controllers, they need to meet these obligations.

When do record-keeping requirements apply?

Under Article 30(5), the record-keeping requirement described above does not apply to an organisation with fewer than 250 employees unless the Processing:

  • is likely to result in a risk to the rights and freedoms of Data Subjects
  • is not occasional, that is, it is regular and ongoing
  • includes Special Category Personal Data or data about criminal convictions and offences

For schools, this is an important practical point. A school’s Processing of pupil and staff data is regular and ongoing, so a school will normally need to keep Article 30 records whatever its size.

What does this mean for schools?

As Data Controllers, schools must meet the requirements of the GDPR. This includes:

  • paying the data protection fee
  • ensuring all Processing meets the six principles in Article 5
  • demonstrating compliance with the GDPR
  • ensuring all Processing has a lawful basis under Article 6, whether consent or one of the other five bases
  • observing the rights of Data Subjects
  • taking appropriate steps to ensure compliance
  • building data protection into systems, procedures and practices
  • keeping records of Processing where required

In simple terms, schools need to make sure data protection is built into everyday practice, not treated as a separate or one-off task.

Data Processors

A Data Processor is a person, authority, agency or other body that processes Personal Data on behalf of a Data Controller.

Schools often use Data Processors when they rely on third-party providers to handle Personal Data for them.

What responsibilities do schools have when appointing Data Processors?

Where a school appoints a Data Processor, the school still has responsibilities.

Choose a compliant Data Processor

A Data Controller may only use a Data Processor that can guarantee it will put in place the technical and organisational measures needed to comply with the GDPR.

This means schools should carry out appropriate checks before appointing a provider.

Control the appointment of sub-processors

A Data Processor may only appoint another Data Processor with the written authorisation of the Data Controller.

This means a school should know if another organisation will also be involved in handling the data.

Put a contract in place

The Processing must be governed by a contract between the Data Controller and the Data Processor.

This is often called a Data Processing Agreement.

What records must Data Processors keep?

Under Article 30, Data Processors must also maintain records of Processing activities.

These records should include:

  • the name and contact details of each Data Processor, and of the Data Controller, the Data Controller’s representative and the Data Protection Officer
  • the categories of Processing
  • details of any intended transfers of Personal Data outside the EU
  • the general technical and organisational security measures used

As with Data Controllers, Article 30(5) exempts a Data Processor with fewer than 250 employees unless the Processing:

  • is likely to result in a risk to the rights and freedoms of Data Subjects
  • is not occasional, that is, it is regular and ongoing
  • includes Special Category Personal Data or data about criminal convictions and offences

A supplier processing pupil data for a school on a continuing basis will rarely fall within the exemption.

What should schools check when using Data Processors?

Schools using Data Processors should ensure that:

  • the Data Processor has measures in place to comply with the GDPR
  • no further Data Processor will be appointed without the school’s authorisation
  • a suitable Data Processing Agreement is in place
  • the Data Processor will maintain appropriate records where required

Data Processing Agreements

A Data Processing Agreement is required by Article 28.

It must be binding on the Data Processor and must describe the Processing clearly. This includes the subject matter, duration, nature and purpose of the Processing, the type of Personal Data, the categories of Data Subjects, and the obligations and rights of the Data Controller.

A Data Processing Agreement should also set out:

  • that Processing will only be carried out in line with the written instructions of the Data Controller, as also reflected in Article 29
  • that staff working for the Data Processor are subject to confidentiality obligations
  • that the Data Processor will put in place appropriate technical and organisational measures to provide an appropriate level of security, including matters such as encryption, backup and restore, and security testing processes
  • the rules for appointing another Data Processor
  • the support the Data Controller may need in responding to Data Subject requests
  • the support the Data Controller may need in maintaining security, managing personal data breaches and carrying out data protection impact assessments
  • that the Data Controller may require the Data Processor to delete or return all Personal Data when the Processing ends
  • the support the Data Controller may need in demonstrating GDPR compliance and in contributing to audits and inspections
  • that the Data Processor must immediately tell the Data Controller if it believes an instruction infringes the GDPR

What this means in practice

For schools, these obligations mean more than simply having policies in place.

They mean making sure that Personal Data is used lawfully, kept secure, handled only where necessary, and supported by clear documentation. They also mean carrying out proper checks on third-party providers and making sure contracts with those providers contain the protections required by the GDPR.

Put simply, if a school decides why and how Personal Data is used, it is responsible for making sure that use is compliant, whether the processing is carried out internally or by a supplier.