GDPR recently celebrated its first anniversary, but there is still confusion in schools about data duties and obligations. Richard Skipper provides clarity on some common problems

May 25, 2019, marked the GDPR one-year anniversary. However, despite this milestone, there is still some confusion within schools over what exactly is expected of them with regard to data compliance – which is not all that surprising given the complexity of this area of law. Below are some of the common questions I come across and some quick advice.

Which lawful basis should I apply?

If you want to share any personal data, no matter how much data or how important it is, you have to identify a “lawful basis” (a legal reason) to do it. The available lawful bases, in summary, are:

  • Public task (you need to share this data for your school to run properly).
  • Legal obligation (you are required to share this data under law).
  • Fulfilling a contract (you are required to share this data as part of a contract).
  • Vital interests (you need to share this data in a life or death situation).
  • Legitimate interests (you are sharing this data outside the scope of your functions as a school, the person would reasonably expect you to share it, there is a minimal privacy impact, and you have a compelling justification).
  • Consent (you have received appropriate consent from the person the data is about; or, in the case of young children who are not mature enough to understand their data protection rights, their parents).

In the majority of cases, you can use the public task basis. If the data you are sharing is sensitive – known as “special category data” – you also need to decide on a “condition of processing”. Take particular care when establishing a lawful basis for sharing pupil and staff medical information and safeguarding information, as these are risky areas.

In all cases, it is up to you to decide which basis and condition to use because you need to justify and document your decision. When it comes to transferring data, there is no requirement to send the information through a certain method, nor is any method banned. However, you must make sure that any system you use has appropriate security measures put in place.

Can I display pupil names or photos?

While there is nothing stopping you from displaying personal data on a website or in your school, you need to identify a lawful basis, and sometimes a condition of processing for doing so – as explained above. This includes using names and photos on a display or on work books.

Typically, you will be using the public task basis or the consent basis, with the latter mostly reserved for using pupil data when promoting your school.

Even when you have a lawful basis, display the information in places where only the intended people can see it. For example, a pupil’s emergency medical care plan should be kept in a secure area like your staffroom, rather than in a school corridor.

How long should I keep hold of personal data?

Records containing personal data should be kept for “no longer than necessary”. Sometimes how long “necessary” is can be defined by separate legislation, but for most records it is up to you to figure out when you do not need it anymore.

You can refer to the Information Management Toolkit for Schools, published by the Information and Records Management Society, for a retention schedule that shows statutory and recommended retention periods for a range of school records.

When you are dealing with information related to pupils, you can normally dispose of it if the pupil has moved to a new school and you have sent over any information you need to. It is the responsibility of the school where the child reaches statutory school leaving age to retain their records for longer.

Dealing with requests to see personal data

Individuals have a right to see copies of the personal data you hold on them. When they ask to see copies of their data, this is called a subject access request. In most cases, you have to respond to these requests within a month of receiving them, and you cannot charge for this.

There are certain circumstances when you can extend the response deadline or refuse a request. Examples of requests that can be refused are those which are “manifestly unfounded or excessive” or when you believe sharing the data would be likely to cause serious harm to the physical or mental health of any individual.

It is important to note that even during school holidays like the summer break you are required to respond to subject access requests within a month, so you need to make sure you have a plan in place for this.

Can we still use educational apps?

You are allowed to use educational apps that are provided directly to pupils, such as a homework app. As explained above, you need to establish your lawful basis to share your pupils’ personal data with the providers of these apps. If you are using the app for educational purposes, the public task basis likely applies, and the consent basis if not.

If pupils are signing up to the service independently and you will not be receiving any data from the provider, such as if they are using a social media platform to research photos in class, then this is not your responsibility and you do not need to identify a lawful basis.

However, in these situations, you must not require pupils to use these services because they or their parents have the right to choose whether to give consent to the service provider.

  • Richard Skipper is senior content editor at The Key, which provides leadership and management support to schools. Visit https://thekeysupport.com

Further information & resources