Data protection in schools and educational institutes

Data protection means safeguarding important information from corruption, compromise or loss. As the amount of data we create and store continues to grow, it’s becoming more important to have the right systems and processes in place.

Data protection in schools, academies, and other educational institutions

You will hold many types of personal information about your staff, pupils, alumni and third parties with whom you engage. Ensuring that you and your staff understand your duties and obligations as guardians of this data is an essential part of any successful education setting. 

The Data Protection Act 1998 has been superseded by the General Data Protection Regulation (GDPR) and the Data Protection Act 2018, which took effect in May 2018. This new regime has revolutionised data protection law and information rights, acting as a catalyst for a new culture of privacy that you must embed within your school, academy, or organisation through effective policies and procedures. 

“The use of data across our sector and beyond has developed significantly in recent years. And so it is right that the law, processes and skill sets associated with being effective guardians of children’s data are brought up to date and fit for the modern era….If our sector is to be entrusted to hold sensitive data about children across the country and exploit the benefits modern data technologies enable us, then they are both to be welcomed.”

Neil McIvor, Chief Data Officer, Department for Education

Data protection and information sharing in education

Our team’s understanding of how the new regime impacts the education sector allows us to work closely with schools, academies, and other education providers to help them manage their data protection compliance programmes. We can guide you on data protection and how to handle and share information to ensure compliance with the new regime.

The GDPR states that you must make sure the information you hold is:

• used fairly, lawfully and transparently
• used for specified, explicit purposes
• used in a way that is adequate, relevant and limited to only what is necessary
• accurate and, where necessary, kept up to date
• kept for no longer than is necessary
• handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage.

There is stronger legal protection for more sensitive information, such as:

• race
• ethnicity
• political opinions
• religious beliefs
• trade union membership
• genetics
• biometrics (where used for identification)
• health
• sex life or orientation

There are additional safeguards for personal data relating to criminal convictions and offences.

Under the new regime, everyone has the right to find out what information you hold about them. These include the right to:

• know how you use their data
• access personal data
• have incorrect data updated
• have data erased
• stop or restrict the processing of their data
• data portability
• object to how their data is processed in certain circumstances

Data protection advice for schools, academies, and other educational institutions

Our team of experts can help to guide you through this regulatory maze, advising you on the best approach for capturing, handling and sharing information within your organisation so that you don’t fall short of your obligations. We can help you identify risks that could result in data breaches, penalties and reputational damage, and put plans in place to mitigate and manage them if they happen.

We advise schools, academies, and education providers on all areas of data protection and information law compliance, as well as providing guidance on freedom of expression, privacy, reputation and information rights generally. We can help you with the following:

• Drafting and reviewing data protection compliance documentation – including the data protection policy for schools, academy, or organisation. We support our education clients in drafting and reviewing contracts, data sharing agreements and compliance documents, such as data protection and retention policies, privacy notices and impact assessments.

• Data breach management – We can provide training, advice and guidance to those who deal with data within their role, to prevent personal data breaches. However, in the event of a breach, our lawyers can assist with and advise on the appropriate course of action to ensure that you not only comply with data protection legislation, but you limit any reputational damage and any punitive action from the Information Commissioner’s Office.

• Responding to data subject access requests – We can advise on managing subject access requests and how to respond to them.

• Training and updates – We offer data protection training to staff (either at your location or our offices), tailored to the needs of your school, academy, college or university, on data protection, privacy, reputation and information rights issues and developments. To receive invitations to our events, as well as information and articles on legal issues and sector developments that are of interest to you, sign up to Newsroom.

For more information about data protection for schools, academies, colleges and universities, please contact Clare Paterson.

You may also be interested in

Income generation

View

Commercial contracts

View