Schools and other educational institutes are required to process vast amounts of personal data. They usually need information on pupils and parents, including safeguarding, contact information and in some cases financial details.
It’s therefore essential that schools have appropriate data privacy measures in place. Failing to do so could put pupils or students at risk, lead to penalties under the GDPR (General Data Protection Regulation) and cause significant reputational damage.
In this blog, we explain why this is a significant issue, and help you understand the steps you can take to bolster data privacy in the education sector.
What are the data privacy challenges facing schools?
Schools process many types of personal data. The most common include:
- Contact information about pupils, students, staff, volunteers and carers;
- Health information;
- Employee references;
- Safeguarding information about individuals;
- Pupil exam references and results;
- Staff HR information; and
- DBS information.
Whenever this information is processed, schools face data privacy risks. In this section, we’ll explain some of those risks using examples.
Let’s start by looking at the use of photographs to help staff identify students. Photographs can be considered personal data, and if they’re used for the purpose described above, there is a valid reason for storing them.
Provided you correctly document the purpose of the data processing, you’re permitted to use photographs in this way.
However, you must acknowledge that storing pupils’ photographs alongside their names comes with data privacy risks. If unauthorised individuals access these documents, they too would be able to identify students by name.
To take another example, let’s consider after-school clubs and other extra-curricular activities. Although they may be beneficial for a pupil’s education, they aren’t essential activities, so you must be careful about the way you use personal data.
In most cases, including our previous examples, schools that are subject to the GDPR can use the lawful basis of processing in the public interest.
Schools can use this basis if they are:
- Carrying out a specific task in the public interest that’s laid down in law; or
- Exercising official authority (such as a public body’s tasks, functions, duties or powers) that’s laid down in law.
But with extra-curricular activities, neither of these applies. As such, schools must find a different lawful basis to process information. In this case, legitimate interest is most likely to apply.
However, before organisations can use this lawful basis, they must complete a legitimate interest assessment.
Another significant data privacy risk that schools must address involves the use of third-party services.
For example, suppose your school uses an online subscription service to purchase study materials.
The transactions are paid for from the school’s budget, and students visit the site to register and access the study materials.
This creates an increased data privacy risk, because the supplier has now obtained students’ names and contact details.
To take another example, let’s look at off-the-shelf software that shows staff information about students, such as the books and resources they have accessed.
The same issue presents itself, because even though the service is used by students and staff, the supplier is still processing the data.
This is why schools need to be cautious about using third-party services that process personal information.
You should have contractual agreements regarding the use of that information, document the data sharing internally and ensure that the practice is appropriate to the lawful basis you have documented.
How schools can bolster data privacy
There are several ways in which schools can address data privacy. In this section, we look at some essential first steps.
The privacy notice is a public document that helps data subjects – and their parents or guardians – understand personal data processing.
This includes information on the data that’s being processed, how and why it is processed, where it came from (if it wasn’t from the data subject), how long it will be kept and what rights the data subjects have over it.
The exercise of compiling the notice also helps the school assess the data it holds and whether adequate protections are in place.
Depending on the age range of your students or pupils, you may need to consider an age-appropriate privacy notice.
Whenever you share personal data with a third party, they must agree in writing to the measures that both you and the supplier will take to protect your sensitive information.
The contract must stipulate that the supplier will act only on your documented instructions, that it won’t hire a sub-processor without your prior approval, and that it will delete or return personal data at the end of the contract.
A DPIA (data protection impact assessment) helps you to identify and minimise the data protection risks posed by a project.
Processing activities that require a DPIA are likely to include things like implementing new software that processes personal data.
The DPIA looks at this processing to assess the risks to the personal data and therefore to data subjects, how likely it is that they might be harmed, and the extent of that possible harm.
For processing activities for which the DPIA reveals a high level of risk, you must take steps to reduce it. You could do this by stopping that processing activity, but if you’ve shown that the processing is necessary and proportionate, you’re more likely to implement technical and/or organisational measures to lower the risk.
Possible technical measures include anonymising or pseudonymising the data being processed, using a different technology to conduct the processing, or applying additional security controls (such as more granular access controls or providing secure paper shredding).
Technical measures will need to be backed with organisational ones, such as:
- Additional policies and procedures;
- Providing extra staff training;
- Reviewing privacy notices; and
- Updating contracts.
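To make the pseudonymisation measure mentioned above concrete, here is an added example (written for this article, not code from GDPR for Schools or any real school system) of how a pupil roster could be prepared before it is shared with a third-party supplier. The roster, its field names and the key are all constructed for illustration; the key is assumed to be held only by the school, so the supplier receives stable tokens and only the fields it needs, while the lookup table that maps tokens back to pupils never leaves the school.

```python
"""Pseudonymising a pupil roster before it leaves the school.

Added example, not part of the original post. Assumptions: the roster is a
list of dicts with the constructed field names below, the pseudonymisation
key is held by the school and never sent to the supplier, and the sample
records are invented (no real pupils).
"""
import hashlib
import hmac
from typing import Dict, Iterable, List, Optional, Tuple

# Fields that directly identify a pupil. These never appear in an export.
DIRECT_IDENTIFIERS = ("pupil_id", "name", "email")

# Constructed sample roster (hypothetical field names, invented people).
SAMPLE_ROSTER: List[Dict] = [
    {"pupil_id": "P001", "name": "Alex Example", "email": "alex@example.invalid",
     "year_group": 9, "reading_level": "B"},
    {"pupil_id": "P002", "name": "Sam Sample", "email": "sam@example.invalid",
     "year_group": 9, "reading_level": "A"},
    {"pupil_id": "P003", "name": "Jo Test", "email": "jo@example.invalid",
     "year_group": 10, "reading_level": "C"},
]


def make_token(key: bytes, pupil_id: str) -> str:
    """Derive a stable pseudonym from the internal pupil id with a keyed hash.

    A plain hash of a short id like "P001" could be reversed by hashing every
    possible id; keying it with HMAC means the supplier cannot do that
    without the school's key.
    """
    return hmac.new(key, pupil_id.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymise(
    roster: Iterable[Dict],
    key: bytes,
    fields_needed: Tuple[str, ...] = ("year_group", "reading_level"),
) -> Tuple[List[Dict], Dict[str, str]]:
    """Return (export_records, lookup).

    export_records: one record per pupil containing a token plus only the
    non-identifying fields the supplier has a documented need for
    (data minimisation as well as pseudonymisation).
    lookup: token -> pupil_id, kept internally so staff can re-identify a
    record when they need to act on it.
    """
    export: List[Dict] = []
    lookup: Dict[str, str] = {}
    for rec in roster:
        token = make_token(key, rec["pupil_id"])
        lookup[token] = rec["pupil_id"]
        export.append({"token": token, **{f: rec[f] for f in fields_needed if f in rec}})
    return export, lookup


def contains_identifiers(records: Iterable[Dict]) -> bool:
    """Pre-send check: true if any direct identifier field slipped into the export."""
    return any(field in DIRECT_IDENTIFIERS for rec in records for field in rec)


def reidentify(lookup: Dict[str, str], token: str) -> Optional[str]:
    """Map a token back to the internal pupil id; only possible with the school's lookup."""
    return lookup.get(token)


if __name__ == "__main__":
    school_key = b"constructed-demo-key-keep-this-in-school"  # placeholder, not a real secret
    export_records, token_lookup = pseudonymise(SAMPLE_ROSTER, school_key)
    for record in export_records:
        print(record)  # no names, emails or pupil ids in what the supplier sees
    print("export clean:", not contains_identifiers(export_records))
```

The pre-send check is worth keeping as a routine step: when a supplier later asks for an extra field, it should fail the export until the field has been reviewed against the contract and the documented lawful basis.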
Learn more about data privacy
If you’re looking for more help meeting your data protection requirements, GPDR.co.uk is here to assist.
Our GDPR for Schools compliance platform contains everything you need to shore up your defences and complete your documentation requirements.
This tool was developed by data protection and cyber security experts with more than 15 years’ data privacy and cyber security experience, and now comes with a free two-week trial.