You are here:
Data protection and information management
7 articles
Collecting information
- Common transfer file: definition and contents Learn what data you should include in the common transfer file (CTF), and the ways in which you can send it. You'll also find out what action you should take if you haven't received a new pupil's CTF data.
- Inclusive recruitment and development: how to use data to improve your practice Get tips on how to collect and use data to help you determine where your HR practices could be more inclusive. Find out what steps to take to improve equality for your staff.
- Pupil record: contents and cover sheet Know what should be included in your pupil records, and what should be on the records' cover sheets. See as well what should be kept separate to the record.
- School admission registers Most schools need to hold an admission register. Find out what should be in it and see answers to frequently asked questions.
- School census: key dates and guidance Make sure you know the deadlines for submitting the census this school year, and find out where to go if you have any questions about completing it.
- Subject leader's file: checklist of contents Subject leader files can help you feel prepared for 'deep dives' in Ofsted inspections. Download our checklist to create effective files for primary and secondary subjects.
- Taking medical information on trips Taking pupils with medical conditions on trips requires a little extra preparation. This article looks at what medical information you should take with you and what you should be aware of when managing this situation.
35 articles
Data protection and sharing information
- 'Cheat sheet' for data protection officers There's lots of new information to absorb now that you've taken on the role of data protection officer (DPO). Print our 'cheat sheet' to help you remember the key UK GDPR principles, deadlines and definitions.
- Child protection records: transfer guidance Find out how to transfer safeguarding files securely, and what information you should include. We also look at communicating with other schools and parents.
- Data protection impact assessments UpdatedFind out what data protection impact assessments (DPIAs) are, when they must be done, and who should be involved. Download and adapt our DPIA template to save you time.
- Data protection impact assessments: template and checklist As the DPO, you must be consulted when staff are carrying out a data protection impact assessment (DPIA). Get clarity on your role in the process, and share our checklist and template to help your colleagues identify when a DPIA is needed and cover everything they're required to.
- DPO's report to governors: template Use our template to make sure you're giving your governors all the information they need to know about data protection and your school's compliance with the GDPR.
- Email security: sending personal data Any personal data you send by email must be kept secure. Use our tips to help you keep personal data safe in emails to ensure you’re doing everything you can in line with the GDPR to avoid a data breach.
- Freedom of information: responding to requests Know what to do if you receive a request for information under the Freedom of Information Act, including when you can charge for a response or refuse the request. Use our template letters to help you respond to requests.
- GDPR: at what age can pupils give consent? There's no statutory age at which pupils can give consent for data processing under the GDPR. Learn what age is usually appropriate, and how to manage issues around seeking pupils' consent.
- GDPR compliance for visiting staff You need to ensure GDPR compliance for your visiting staff who have access to personal data held by your school. Use the following guidance to help you determine their employment status and satisfy yourself that they’re compliant.
- GDPR jargon buster The world of data protection is filled with jargon and technical terms, but our GDPR glossary makes it accessible for you.
- GDPR mythbuster Avoid the scaremongering around the GDPR and use our mythbuster to separate the fact from the fiction when it comes to visitor books, photo archives, fines, consent and more.
- GDPR: personal data breach procedure Download our model procedure and use it in the event of a data breach at your school. If you have any data breaches, use our template to record the details.
- GDPR: seeking consent for processing personal data Use our process to help you work out whether you need to seek consent for processing personal data under the GDPR. If you do, download our template consent forms, or use our checklist to make sure your own forms meet the requirements.
- GDPR: sharing safeguarding information Be confident in how you share safeguarding information under the GDPR. Know the principles to follow, your legal reasons for sharing data, and your responsibilities for information sharing.
- Help your staff understand the GDPR: posters and handout Download our data protection cheat sheet for staff, and display these posters around your school to help everyone remember how to keep personal data safe day-to-day.
- How to respond to subject access requests in the summer holidays Schools must respond to SARs within 1 month, which could be more difficult over the summer. 42% of the DPOs we polled don't know how they'll manage this yet, so we've got you covered with practical solutions and a template letter to extend the deadline for 'complex' requests.
- International data transfers under the UK GDPR UpdatedUse this step-by-step guide to determine whether your school can lawfully share personal data with countries outside the UK. This includes sending it directly to an international organisation or to be kept on a server abroad.
- Parents' right to access their child's educational record Understand your responsibilities to allow parents to access their child's educational record so you can stay compliant with education law and the GDPR.
- Poll results: how is the DPO role taking shape? We asked 300 data protection officers (DPOs) in schools what their role looks like currently, now that the GDPR is in force. See how your school compares.
- Poll results: who are schools choosing as their data protection officer? Deciding who to appoint as a data protection officer is causing widespread confusion in schools. We asked 1,000 of our school leader community how their schools are responding - let them help you to make a call.
- Pupil records: transferring to other schools or providers See the rules on transferring pupil records when a pupil moves school, and get guidance on how to do this securely for digital and paper copies.
- Role of the data protection officer (DPO) UpdatedUnderstand the DPO's responsibilities, what experience they should have and training they may need. Plus, find out what to consider when determining how much time your DPO needs for their role.
- Schools' reporting requirements UpdatedBe clear on what you must report, share and publish to stay compliant, as a maintained school or academy.
- 'Special category' data under the UK GDPR UpdatedThe UK GDPR classifies some data as 'special category', meaning it's sensitive and needs more protection. Read on to find out what kind of data is defined this way in schools, and the conditions you can use to justify processing it.
- Subject access requests: guidance and template forms Individuals have the right to request access to the information your school holds about them, under the UK GDPR. Use this guidance and our template forms to help you comply with subject access requests and know when you can refuse them.
- Taking and displaying pupil photos and information There are no hard and fast rules under the GDPR specifically on displaying pupil photos or other information, but you must have a 'lawful basis' for using personal data, and seek consent where necessary. Use our practical examples to help you work out how to stay compliant in your specific circumstances.
- Taking documents home: securing personal data Personal data accessed by staff at home must be kept secure. With more staff than ever working remotely, take these steps to keep documents containing personal data safe, to avoid a data breach and stay compliant with the GDPR.
- The UK GDPR Read our one-page summary of the UK General Data Protection Regulation (UK GDPR) and download a copy to share with your colleagues.
- The UK GDPR: summary The UK General Data Protection Regulation (UK GDPR) determines how you must process and store personal data - understand what you have to do and how the data laws have changed since Brexit.
- UK GDPR audit UpdatedAudit your current data processing arrangements to make sure they comply with the UK GDPR and meet best practice. Check your records management practices and find out if you’re storing physical and electronic copies of personal data securely.
- UK GDPR: choose your ‘lawful basis’ for processing personal data UpdatedUnder the UK GDPR, you must identify a lawful basis (or legal reason) you can use to justify why you process personal data. Use our guidance to work out which of the 6 lawful bases to use and avoid wasting time seeking consent you don't need.
- UK GDPR: ensuring your suppliers are compliant UpdatedYou must make sure that any third parties that process personal data on your behalf will do so in line with the UK GDPR’s requirements. See the steps you'll need to take, and download our checklist to make sure you include the right details in your provider contracts.
- UK GDPR: template record of processing activities UpdatedUnder the UK GDPR, you must record how you process the personal data you hold. Use our template and guidance to help you comply with this requirement now and on an ongoing basis in your school.
- UK GDPR: using apps and online services with pupils UpdatedIf you're using educational apps or other online services with pupils, such as assessment platforms or homework portals, make sure you stay compliant with data protection law. Work through these questions before setting up a new app or service to figure out your responsibilities, then check your next steps.
- Using personal devices: securing personal data Personal data accessed by staff on their own devices, such as through remote working or BYOD policies, must be kept secure. Take these steps to ensure the security of personal devices and keep data safe, to avoid a data breach and stay compliant with the GDPR.
4 articles
Retaining records
- Child protection records: retention We summarise guidance on keeping child protection records, including the information on the pupil file, records of allegations made against members of staff, and records of court orders.
- GDPR: retention and disposal of records Find out how long you need to retain school records for, and why and how you should establish a retention schedule. Plus, learn how to dispose of data securely.
- Retaining first aid, accident and medical records Records relating to first aid, accidents and medicines have different retention requirements set by various pieces of legislation. Get the guidance all in one place to help you manage your records effectively.
- Staff personnel files: requirements and guidance Understand what you should include in staff personnel files and how long you should keep the information for, so you can make sure you're compliant.