You are here:
GDPR compliance for visiting staff
You need to ensure GDPR compliance for your visiting staff who have access to personal data held by your school. Use the following guidance to help you determine their employment status and satisfy yourself that they’re compliant.
Speak to the staff member to determine their status
You need to ensure that visiting staff understand their obligations under the GDPR. This is because visiting staff, such as counsellors, educational psychologists or peripatetic teachers, may have access to personal data through the work they do in your school.
The Information Commissioner's Office (ICO) explained that as your school is the data controller, you make the decision on how data is processed by the visiting staff member. This is the case even if you determine that they are external and have their own GDPR processes in place.
You should speak to the staff member concerned to confirm what their employment status is. Use the following questions to help do this.
Is the staff member classed as self-employed?
As part of your due diligence process, you should ask a self-employed member of staff to provide you with evidence that they are compliant with the GDPR, for example, by giving you their own privacy notice.
As the data controller, you'll then need to decide if this is acceptable or if you wish to issue your own for the staff member to agree to and work under.
Is the staff member a temporary member of staff (is there some form of contract in place between your school and the individual)?
If the staff member is contracted to your school then they should fall under your school’s remit. You should ensure they process personal data according to your rules.
Is the staff member unsure of their status?
If the staff member is unsure of their employment status with the school, they may fall under your school’s remit. To be on the safe side, you should ensure they process personal data according to your rules.
Document your compliance
Once you’re satisfied with the due diligence you’ve completed for the staff member, show your compliance by documenting it.
Your file for a self-employed individual could include a record saying, for example, that:
- They’ve provided you with their privacy notice
- You’re happy they understand their obligations under the GDPR
- 'Cheat sheet' for data protection officers
- Child protection records: transfer guidance
- Data protection impact assessments
- Data protection impact assessments: template and checklist
- Data protection officer: who can it be?
- Data sharing agreements
- DPO's report to governors: template
- DPOs: what your school must do for you
- Email security: sending personal data
- Fingerprint scanning: seeking consent
- Freedom of information: responding to requests
- GDPR: at what age can pupils give consent?
- GDPR audit
- GDPR: contacting parents
- GDPR: ensuring your suppliers are compliant
- GDPR jargon buster
- GDPR: managing your photo archives
- GDPR: most common questions one year on
- GDPR mythbuster
- GDPR: personal data breach procedure
- GDPR: seeking consent for processing personal data
- GDPR: sharing medical information
- GDPR: sharing safeguarding information
- GDPR: template record of processing activities
- GDPR: using apps and online services with pupils
- Help your staff understand the GDPR: posters and handout Updated
- How to choose which ‘lawful basis’ to use under the GDPR
- How to comply with the General Data Protection Regulation
- How to respond to subject access requests in the summer holidays
- Information audit: template
- International data transfers under the GDPR
- MATs: getting GDPR-compliant across your trust
- Parents' right to see their child's educational record
- Poll results: how is the DPO role taking shape?
- Poll results: who are schools choosing as their data protection officer?
- Pupil records: transferring to other schools or providers
- Recording and managing consent under the GDPR
- Requests for information: guidance and template record
- Requests from parents to see pupils' information: FAQs
- Schools' reporting requirements
- Sending personal data home with pupils
- 'Special category' data under the GDPR
- Subject access requests: guidance and template forms
- Taking and displaying pupil photos and information
- Taking documents home: securing personal data
- The General Data Protection Regulation explained
- QuickRead: The General Data Protection Regulation (GDPR)
- The role of the data protection officer (DPO)
- Using personal devices: securing personal data
More from The Key
Pupil mental health: deepening understanding
Are you looking to deepen your staff's understanding of mental health, including anxiety, depression, self-harm and suicidal ideation? Safeguarding Training Centre has the resources you need.
Evidence-led training courses that make it easy to upskill staff, anytime, anywhere.
CPD Toolkit is the most effective way to virtually deliver evidence-led training and support the professional development of your staff. Downloadable courses and online 5-minute summaries provide flexibility for training, whether staff are participating as skeleton staff in-school, via video call or individually at their own pace.
- In the news: Your weekly round-up for 13 - 20 November 2020 20 Nov 2020 08:00
- In the news: Your weekly round-up for 6 - 13 November 2020 13 Nov 2020 08:00
- In the news: Your weekly round-up for 30 October - 6 November 2020 6 Nov 2020 08:00
- In the news: Your weekly round-up for 23 - 30 October 2020 30 Oct 2020 08:00
- In the news: Your weekly round-up for 16 - 23 October 2020 23 Oct 2020 08:00
- Remote learning: self-evaluation form (SEF) New
- 6 ways to bring your school community together this Christmas New
- Preparing for senior leadership: what to expect in an interview New
- Remote learning: how to support disadvantaged pupils New
- How to run remote provision on a skeleton staffing structure New
The Key has taken great care in publishing this article. However, some of the article's content and information may come from or link to third party sources whose quality, relevance, accuracy, completeness, currency and reliability we do not guarantee. Accordingly, we will not be held liable for any use of or reliance placed on this article's content or the links or downloads it provides. This article may contain information sourced from public sector bodies and licensed under the Open Government Licence v3.0.