The General Data Protection Regulations (GDPR) came into effect on 25th May 2018. It brought higher standards for handling data and greater expectations for improved transparency, enhanced data security and increased accountability for processing personal data. Schools will have a legal duty to comply with the GDPR.
What does GDPR mean for schools?
A great deal of the processing of personal data undertaken by schools will fall under a specific legal basis, ‘in the public interest’. As it is in the public interest to operate schools successfully, it will mean that specific consent will not be needed in the majority of cases in schools. GDPR will ensure data is protected and will give individuals more control over their data, however this means schools will have greater accountability for the data. Under GDPR, consent must be explicitly given to anything that isn’t within the normal business of the school, especially if it involves a third party managing the data. Parents (or the pupil themselves depending on their age) must express consent for their child’s data to be used outside of the normal business of the school.
The categories of pupil information that we collect, hold and share include:
- Personal information (such as name, unique pupil number and address)
- Characteristics (such as ethnicity, language, nationality, country of birth and free school meal eligibility)
- Attendance information (such as sessions attended, number of absences and absence reasons)
- Assessment information
- Relevant medical information
- Special Educational Needs information
- Exclusions/behavioural information
Why we collect and use this information
We use the pupil data:
- To support pupil learning
- To monitor and report on pupil progress
- To provide appropriate pastoral care
- To assess the quality of our services
- To comply with the law regarding data sharing
- To assist with our administration and communication systems – for example, text messaging in school
The lawful basis on which we use this information
We collect and use pupil information in accordance with the lawful basis for collecting and using pupil information specified in the GDPR (Articles 6 and 8).
Processing is necessary for compliance with a legal obligation – an example is Education Act 1996 census – this information can be found in the census guide documents on the following website https://www.gov.uk/education/data-collection-and-censuses-for-schools
For more details on GDPR and how we manage personal data in school please see our Data Protection Policy or speak to Mrs Chapman the Office Manager.