The General Data Protection Regulation (GDPR) and what it means for schools

Following Matt Dunkley’s item on GDPR before Easter, this is an additional update to support you in your preparations for GDPR, which will come into force on 25 May 2018.

The exemplar privacy notice is now finalised and available on the GDPR page on Kelsi for you to tailor and use with your parents and pupils. A separate one is available for your school workforce. The privacy notices cover all the standard collection and sharing that complies with your legal obligations, and to carry out your tasks in the public interest. They do not provide the school-specific detail around consent for third-party sharing, and these areas are highlighted in red and will need further development to cover your own arrangements.

If your information mapping and review of both contracts and consent has been completed, then you will be well placed to update and issue your privacy notice to your current school population, and plan to sharing it with your new intakes going forward.

Good examples of areas that are likely to require further scrutiny are school photographers and school caterers. You should have consent from parents to have their photo taken by the external school photographer, and you should review your contract with them, so you are clear on how they store your pupils’ names and photographs, and how long they retain them. School caterers often require pupil information and photos to support the management of food allergies or any other requirements or conditions. Do parents understand that this happens and consent to it, and are the areas where this information is held or displayed appropriately secure?

The DfE has recently issued a data protection toolkit for schools. It is currently a Beta version but contains a wealth of useful information to inform your planning and implementation. The table on page 15 gives some useful pointers for mapping your data across a range of themes, and the table in Annex 2.1, om page 50, gives a useful list of the different types of personal information that you probably hold and share, which will support you in identifying any gaps in your current planning.

Some schools have established their own GDPR Working Groups to bring together representation across the school to map data, identify risks, and plan actions and next steps. This is a helpful approach as it supports readiness and builds awareness and shared responsibility.

For further useful information, plus who to contact if you need advice or guidance, please refer to Kelsi.