A Quick Guide to the GDPR for Schools and Colleges

The GDPR (General Data Protection Regulation) and its UK version have been in effect for several years now, but its requirements remain as prescient as ever. The threat of cyber attacks and data breaches continues to grow, with a 2021 UK government report finding that 39% of organisations came under attack in the previous year.

Security incidents can create major operational headaches for schools, while a breach of student or staff data will result in the further problems.

The GDPR’s requirements help mitigate these risks and provide a framework of what to do in the event of a security incident. Unfortunately, with a complex set of rules to meet, many organisations – and schools especially – struggle to implement and maintain its requirements.

But compliance is essential, not only because it helps prevent security incidents but also because it ensures that data processing practices are responsible and efficient.

What does the GDPR mean for schools?

The education sector has a harder time than most when it comes to the GDPR, because children’s data merits extra protection and schools and colleges often work with tight budgets.

Likewise, because new students are admitted each year – and there is is a legal requirement to retain their personal data for years after they leave – educational institutions will typically possess a large cache of personal data.

The good news is that the GDPR is beneficial to schools in the long term, because it ensures that they reduce the amount of personal data they process and implement measures that will save money.

For example, the GDPR states that organisations must have greater accountability over the data they collect.

This means, in part, that they only collect data when necessary (what the Regulation refers to as ‘data minimisation’) and when appropriate technical and organisational controls are in place.

For schools, this means giving students – or, in some cases, those with parental responsibility – the right to access and review information that the school stores on them.

Doing this reassures individuals that you are only collecting a reasonable amount of personal information, and it gives them the opportunity to query anything they’re unhappy about or amend records that are inaccurate or incomplete.

---

Another thing to know about GDPR compliance is that its rules don’t necessarily restrict the way organisations process personal data.

This is one of the biggest myths surrounding the Regulation, with people frequently asking us whether they are still allowed to use information in certain ways.

The reality is that all organisations, including schools, can process personal data provided that they document a legal basis for doing so.

For schools, most processing can be justified on the grounds of public interest. This refers to any activity that’s necessary to carry out a specific task that ensures the welfare of the general public or to exercise official authority.

You need to be careful that the data you process is proportionate to your aims (i.e. don’t collect any more information than you need), but by following these rules, you can avoid the complexities that come with getting and obtaining consent.

Who is responsible for GDPR compliance in schools?

Under the GDPR, the act of obtaining personal data is split into two roles – the data processor and the data controller – and these come with different responsibilities.

In most data processing activities, the educational institute will be the data controller. This means it determines whose information to collect, what types of data they need and why it’s necessary.

Data controllers must also determine:

• Whether the information will be shared with a third party and, if so, which one(s);
• When and where data subjects’ rights apply;
• How long the data will be retained; and
• Whether to make non-routine amendments to the data.

By contrast, data processors are the people or organisations collecting the information. They are responsible for:

• Overseeing the logistics of data processing;
• Ensuring that the data is stored securely;
• Implementing necessary controls for personal data transfers;
• Ensuring that a retention schedule is adhered to; and
• Disposing of sensitive data when it’s no longer needed.

The data processor may be a third-party supplier that the school has hired to complete these tasks, or it may be a department within the school itself.

Data controllers and data processors are equally responsible for GDPR compliance, which means that both parties could face disciplinary action in the event of a data breach.

It’s therefore essential that when schools hire a third-party data processor, they create legally binding contracts that clearly outline how the data processor will meet its requirements.

This helps both parties understand exactly what’s expected of them, and will mitigate the school’s responsibility should a data breach occur.

At what age can pupils be consulted over their personal data?

The GDPR states that, with one exception, organisations cannot legally obtain consent from minors. The threshold for a ‘minor’ is defined by each country; in the UK, it’s 13.

If the data subject is younger than that, the organisation must seek the approval of a person holding “parental responsibility”, and make “reasonable efforts” to verify that the person providing the consent is indeed a parental figure.

If the data subject is 13 or older, the organisation is free to seek consent in the same way it would with anyone else.

However, you must remember that the GDPR requires that any communication (including consent requests) must be written in such a way that it can be easily understood by data subjects.

When you are communicating with children, you must make sure that the language is appropriate.

---

As we mentioned, there is one set of circumstances where these rules don’t apply: information collected for preventive or counselling services offered directly to the child.

This includes child protection programmes, therapy and services related to health and wellbeing.

When it comes to personal data collected for these purposes, you are permitted to seek the child’s consent directly without needing the approval of someone with parental responsibility.

In many cases, there is a reason the child has sought outside help rather than speaking to a parent, so it makes sense for the organisation to not only bypass their approval but also to keep such records separate from the rest of the data subject’s files.

This ensures that, should the parental figure submit a data subject access request, they wouldn’t receive the information collected as part of these services.

What happens if a school breaches the GDPR?

If a school learns that it has suffered a data breach, it must investigate the incident immediately.

Your aim is to determine whether you are required to report the incident needs to your supervisory authority, which will be the case if it “pose[s] a risk to the rights and freedoms of natural living persons”.

This generally refers to the possibility of affected individuals facing economic or social damage (such as bullying), reputational damage or financial losses.

But how do you know when that’s the case? Here are some examples:

• Social damage

This applies when the breached records include special needs information, staff and pupil records, child protection records, staff pay scale and payroll information, and pupil progress and attainment records.

• Identity theft or fraud

This applies when names, dates of birth and addresses are all compromised, or when completed pupil data collection sheets are breached.

• Financial loss

This applies when banking information from payroll data or recruitment forms is breached, or when unauthorised parties access payment software, billing information or bank accounts.

• Reputational damage

This applies when the breached information contains staff or pupil performance management records, or child protection records.

How should schools report data breaches?

If you determine that the data breach does meet the GDPR’s notification requirements, you have 72 hours from the time you discovered the breach to report it to your supervisory authority – which, in the UK, is the ICO (Information Commissioner’s Office).

Organisations are expected to provide a detailed account of the incident, including:

• The extent of the damage;
• When and how you learned about the breach;
• When the breach happened;
• What data protection training the relevant staff have received;
• Whose data has been affected;
• How you are responding to the incident; and
• Who the ICO should contact if it needs more information.

The ICO won’t expect a comprehensive analysis, given the limited time you have. However, it will expect you to demonstrate an awareness of what’s happened and how the damage should be addressed.

Once you’ve notified the ICO, it will confirm receipt, and the incident will go on a list of active cases. You will generally hear back within a few weeks if the investigators are happy with your actions.

But if the ICO suspects a GDPR violation, it may begin a formal investigation, which can take several months to complete.

How GDPR.co.uk can help

If you’re looking for more advice on how to better protect your organisation’s sensitive data, GDPR.co.uk is here to help.

Our GDPR for Schools platform provides specific, tailored guidance for educational institutes. You’ll discover how to perform essential data protection practices, such as data protection impact assessments, staff awareness training and incident reporting.

Our tool was developed by data protection and cyber security experts with more than 15 years’ data privacy and cyber security experience, and now comes with a free two-week trial.

---

A version of this blog was originally published on 23 October 2020.