What documentation do you need to support your school’s GDPR compliance?
In this blog series, we outline which documents your school should have to support its GDPR compliance, their purpose and what they should contain. In the first blog, we outline privacy notices.
Privacy notices
Why you need a privacy notice
The privacy notice is a public document that helps data subjects – and their parents or guardians – understand what personal data you process, how and why it is processed, where it came from if it wasn’t from them, how long it will be kept and what rights the data subjects have over it. The exercise of compiling the notice also helps the school assess the data it holds and whether adequate protections are in place.
How to write a privacy notice
It is important to remember that the privacy notice is for the benefit of the data subjects and must be written in a way that they understand, in clear and plain language, and be easily accessible. Schools will have separate privacy notices for staff and pupils, and imagery can be added to make either notice easier to understand.
What should the privacy notice include?
The GDPR sets out what a privacy notice must contain, but it does not require the information to appear in any particular order.
- Contact details
The notice needs to include the contact details of both the school and its data protection officer (DPO): school name, address, email address and telephone number, with separate contact details for the DPO. If the DPO role is outsourced, also add the details of the organisation the DPO works for.
- The types of personal data you process
You need to detail the type of personal data processed and where it was obtained from, if not from the data subject themselves. It is important to be as specific as possible about the type of data and how it was obtained.
- Lawful basis for processing personal data
For each processing purpose, the lawful basis should be specified. Much of the processing of pupil data in schools will fall under performing the public task of running the school, while staff data is mainly collected to fulfil the contract of employment. Where data is processed for legal or contractual reasons, the privacy notice should explain the possible consequences of not providing this data.
In some cases, such as sharing pupil or staff photographs with local press, consent is the lawful basis and the privacy notice should highlight that this consent can be withdrawn at any time.
- Anyone else with access to the personal data
You will need to explain whether any of the data is transferred to third parties and how that data is protected, especially if it is shared outside of the EU. This includes software suppliers that store your data outside of the EU (such as cloud providers). These companies should set out this information in their contracts and in their own privacy notices.
- How long the data is kept
It is important to understand how long different types of personal data can be kept and to detail this. Legally, some data needs to be kept for specific lengths of time. In some cases, records can be kept for historical and archiving reasons as part of the school fulfilling its duties as a public body, such as names, photographs, academic records, and dates recording when pupils attended school or staff worked there.
Whatever the reason for keeping the data, this should be specified in the privacy notice and a data retention schedule. It is advisable to review your data retention schedule annually. Staff should also understand how long they should be keeping data and ensure they are following the school’s retention policy.
The rights data subjects have over their personal data
At its heart, the GDPR is there to protect the data subjects and outlining their rights over the data you hold is important.
Right to be informed
The privacy notice supports the data subjects’ right to be informed by explaining what data you process and why, how long it will be kept and who it is shared with.
Right of access
Data subjects and their representatives can ask to see a copy of the data you hold on them or their child. This is called a ‘data subject access request’.
Right of rectification
The school must take reasonable steps to keep the data it holds up to date and accurate, and where a data subject sees that their data is inaccurate, they can ask for it to be updated. Managing data accuracy can be done through the annual data collection sheets or a parent portal where they can request updates.
Right to be forgotten
This is an individual’s right to have their data erased. For legal and contractual reasons, much of the data a school holds cannot be deleted, which you will need to explain to the data subject if they ask to have such data erased.
Right of portability
The right of individuals to move their data from one organisation to another relates more to companies such as banks and similar service providers than to schools.
Right to restrict processing
In some circumstances, an individual can request that the school stops processing their data. This right usually applies if the processing goes beyond its normal remit: for instance, if the data is used for a new purpose without notifying the data subject, is processed under the wrong lawful basis, or is inaccurate. Any request to restrict processing should be investigated to establish whether the right applies in that instance.
Right to object
Individuals can object to certain types of processing; in schools, this applies where the lawful basis is public interest or legitimate interests.
Rights related to automated decision making, including profiling
If the school makes decisions through automated profiling, for example to place pupils in particular classes, individuals can ask to see how those decisions are made and to have them made by a person rather than automatically.
When is the privacy notice shared with data subjects?
The privacy notice should be shared when you are collecting the data subjects’ personal information. This could be in the form of a website link on the data collection sheet or job application form.
If the school obtains personal data from a third party, you must share the privacy notice with the data subjects within one month of obtaining their data, or the first time you contact them.
IT Governance Publishing’s templates included within GDPR.co.uk
We include document templates from our sister company IT Governance Publishing within the GDPR.co.uk software, including the privacy notice.