Last reviewed on 8 June 2018
Ref: 35177
School types: All · School phases: All

You need to ensure GDPR compliance for your visiting staff who have access to personal data held by your school. Use the following guidance to help you determine their employment status and satisfy yourself that they’re compliant.

Speak to the staff member to determine their status 

You need to ensure that visiting staff understand their obligations under the GDPR. This is because visiting staff, such as counsellors, educational psychologists or peripatetic teachers, may have access to personal data through the work they do in your school. 

The Information Commissioner's Office (ICO) explained that as your school is the data controller, you make the decision on how data is processed by the visiting staff member. This is the case even if you determine that they are external and have their own GDPR processes in place.

You should speak to the staff member concerned to confirm what their employment status is. Use the following questions to help do this.

Is the staff member classed as self-employed?

As part of your due diligence process, you should ask a self-employed member of staff to provide you with evidence that they are compliant with the GDPR, for example, by giving you their own privacy notice.

As the data controller, you'll then need to decide whether their privacy notice is acceptable, or whether you wish to issue your own for the staff member to agree to and work under.

Is the staff member a temporary member of staff (is there some form of contract in place between your school and the individual)?

If the staff member is contracted to your school then they should fall under your school’s remit. You should ensure they process personal data according to your rules.

Is the staff member unsure of their status?

If the staff member is unsure of their employment status with the school, they may fall under your school’s remit. To be on the safe side, you should ensure they process personal data according to your rules.

Document your compliance

Once you’re satisfied with the due diligence you’ve completed for the staff member, show your compliance by documenting it.

Your file for a self-employed individual could include a record saying, for example, that:

  • They’ve provided you with their privacy notice
  • You’re happy they understand their obligations under the GDPR


The Key has taken great care in publishing this article. However, some of the article's content and information may come from or link to third party sources whose quality, relevance, accuracy, completeness, currency and reliability we do not guarantee. Accordingly, we will not be held liable for any use of or reliance placed on this article's content or the links or downloads it provides. This article may contain information sourced from public sector bodies and licensed under the Open Government Licence v3.0.