'Cheat sheet' for data protection officersThere's lots of new information to absorb now that you've taken on the role of data protection officer (DPO). Print our 'cheat sheet' to help you remember the key UK GDPR principles, deadlines and definitions.
Data protection impact assessmentsUpdatedFind out what data protection impact assessments (DPIAs) are, when they must be done, and who should be involved. Download and adapt our DPIA template to save you time.
Data protection impact assessments: template and checklistAs the DPO, you must be consulted when staff are carrying out a data protection impact assessment (DPIA). Get clarity on your role in the process, and share our checklist and template to help your colleagues identify when a DPIA is needed and cover everything they're required to.
Data sharing agreementsIf there is a risk to sharing data with an organisation, it is recommended that you have a data sharing agreement in place. Understand when you might have one and which organisations you may have one with.
DPO's report to governors: templateUse our template to make sure you're giving your governors all the information they need to know about data protection and your school's compliance with the GDPR.
Email security: sending personal dataAny personal data you send by email must be kept secure. Use our tips to help you keep personal data safe in emails to ensure you’re doing everything you can in line with the GDPR to avoid a data breach.
Freedom of information: responding to requestsKnow what to do if you receive a request for information under the Freedom of Information Act, including when you can charge for a response or refuse the request. Use our template letters to help you respond to requests.
GDPR: at what age can pupils give consent?There's no statutory age at which pupils can give consent for data processing under the GDPR. Learn what age is usually appropriate, and how to manage issues around seeking pupils' consent.
GDPR compliance for visiting staffYou need to ensure GDPR compliance for your visiting staff who have access to personal data held by your school. Use the following guidance to help you determine their employment status and satisfy yourself that they’re compliant.
GDPR: ensuring your suppliers are compliantYou must make sure that any third parties who process personal data on your behalf are GDPR compliant. See the steps you'll need to take, and download our checklist so you know what details you must include in your contracts with these providers.
GDPR jargon busterThe world of data protection is filled with jargon and technical terms, but our GDPR glossary makes it accessible for you.
GDPR mythbusterAvoid the scaremongering around the GDPR and use our mythbuster to separate the fact from the fiction when it comes to visitor books, photo archives, fines, consent and more.
GDPR: personal data breach procedureDownload our model procedure and use it in the event of a data breach at your school. If you have any data breaches, use our template to record the details.
GDPR: seeking consent for processing personal dataUse our process to help you work out whether you need to seek consent for processing personal data under the GDPR. If you do, download our template consent forms, or use our checklist to make sure your own forms meet the requirements.
GDPR: sharing medical informationLearn under what circumstances you can share pupil and staff medical data under the GDPR. We set out what lawful bases you can typically rely on, and outline good practice on sharing information with staff so that they're prepared for emergencies but the data is kept secure.
GDPR: sharing safeguarding informationBe confident in how you share safeguarding information under the GDPR. Know the principles to follow, your legal reasons for sharing data, and your responsibilities for information sharing.
GDPR: using apps and online services with pupilsIf you're using educational apps or other online services with pupils, like assessment platforms or homework portals, make sure you stay compliant with data protection law. Work through these questions before setting up a new app or service to figure out your responsibilities, then see what you need to do next.
How to choose which ‘lawful basis’ to use under the GDPRUnder the GDPR, it’s crucial to identify the lawful basis (or legal reason) you can use to justify why you process personal data. Use the process below to work out which of the 6 lawful bases to use for each of your data processing activities, and avoid wasting time seeking consent that you don't need.
How to respond to subject access requests in the summer holidaysSchools must respond to SARs within 1 month, which could be more difficult over the summer. 42% of the DPOs we polled don't know how they'll manage this yet, so we've got you covered with practical solutions and a template letter to extend the deadline for 'complex' requests.
International data transfers under the UK GDPRUpdatedUse this step-by-step guide to determine whether your school can lawfully share personal data with countries outside the UK. This includes sending it directly to an international organisation or to be kept on a server abroad.
Recording and managing consent under the GDPRRead this article for guidance on recording consent to process pupils’ personal data under the GDPR. You can also see examples of how two schools are managing consent, plus some top tips to help you manage your consent procedures efficiently.
'Special category' data under the GDPRThe GDPR classifies some data as 'special category', meaning it's sensitive and needs more protection. Read on to find out what kind of data is defined this way in schools, and the conditions you can use to justify why you need to process it.
Subject access requests: guidance and template formsUpdatedIndividuals have the right to request access to the information your school holds about them, under the UK GDPR. Use this guidance and our template forms to help you comply with subject access requests and know when you can refuse them.
Taking and displaying pupil photos and informationThere are no hard and fast rules under the GDPR specifically on displaying pupil photos or other information, but you must have a 'lawful basis' for using personal data, and seek consent where necessary. Use our practical examples to help you work out how to stay compliant in your specific circumstances.
Taking documents home: securing personal dataPersonal data accessed by staff at home must be kept secure. With more staff than ever working remotely, take these steps to keep documents containing personal data safe, to avoid a data breach and stay compliant with the GDPR.
The role of the data protection officer (DPO)Schools must appoint a data protection officer under the General Data Protection Regulation. We explain the duties of the role, what experience they should have, and what training they may need. You can also download and adapt our template job description and person specification.
The UK GDPRUpdatedRead our one-page summary of the UK General Data Protection Regulation (UK GDPR) and download a copy to share with your colleagues.
The UK GDPR: summaryUpdatedThe UK General Data Protection Regulation (UK GDPR) determines how you must process and store personal data - understand what you have to do and how the data laws have changed since Brexit.
UK GDPR auditUpdatedAudit your current data processing arrangements to make sure they comply with the UK GDPR and meet best practice. Check your records management practices and find out if you’re storing physical and electronic copies of personal data securely.
UK GDPR: template record of processing activitiesUpdatedUnder the UK GDPR, you must record how you process the personal data you hold. Use our template and guidance to help you comply with this requirement now and on an ongoing basis in your school.
Using personal devices: securing personal dataPersonal data accessed by staff on their own devices, such as through remote working or BYOD policies, must be kept secure. Take these steps to ensure the security of personal devices and keep data safe, to avoid a data breach and stay compliant with the GDPR.