Last reviewed on 11 December 2018
Ref: 36506
School types: All · School phases: All

Answers to the most common questions you're currently asking us about the GDPR. Get clarity on the key principles and understand what’s expected of you.

Can I share this piece of data?

If you want to share any personal data, no matter how much data or how important it is, you'll need to identify a 'lawful basis' (legal reason) to do it.

Glossary of GDPR terms

Use our jargon buster to make sure you understand all the terms used in the world of data protection.

How do I know which basis is right?

The available lawful bases, in summary, are:

  • Public task basis (you need to share this data for your school to run properly)
  • Legal obligation basis (you're required to share this data under law)
  • Fulfilling a contract (you're required to share this data as part of a contract)
  • Vital interests (you need to share this data in a life or death situation)
  • Legitimate interests (you're sharing this data outside the scope of your functions as a school, and you've determined that it's sharing the person would reasonably expect, with a minimal privacy impact and a compelling justification)
  • Consent (you've received appropriate consent from the person the data is about or, in the case of young children you don’t consider mature enough to understand their data protection rights, their parents)

In the majority of cases, you can use the public task basis.

Read our article on choosing a ‘lawful basis’, which goes into more detail about when each of these bases can apply.

What about sensitive data?

If the data you're sharing is sensitive, known as 'special category data', you'll also need to decide on a 'condition of processing'. Take a look at our guidance on special category data for more help with this.

In all cases, it's up to you to decide which basis and condition to use because you need to justify and document your decision.

However, we've produced specific guidance on establishing a lawful basis when sharing pupil and staff medical information and safeguarding information, as these are risky areas.

How can I transfer the data?

There's no requirement to send the information through a certain method, nor is any method banned.

However, make sure that any system you use has appropriate security measures put in place. For help with this, read our guidance on sending personal data via email, as well as sending it home with pupils.

Can I display pupil names and photos?

While there's nothing stopping you from displaying personal data on a website or in your school, you'll need to identify a lawful basis, and sometimes a condition of processing, for doing so, as explained in the section above. This includes using names and photos on a display, next to coat pegs, or on workbooks.

Typically, you'll be using the public task basis or the consent basis, with the latter mostly reserved for using pupil data when promoting your school.

Even when you have a lawful basis, display the information in places where only the intended people can see it. For example, a pupil's emergency medical care plan should be kept in secure areas like your staff room, rather than in a school corridor.

Read more about this in our article on taking and displaying pupil photos and information.

How long should I keep personal data?

Keep records containing personal data for 'no longer than necessary'.

Sometimes, how long is 'necessary' is defined in separate legislation, but for most records it'll be up to you to figure out when you don't need them anymore.

Take a look at the record management toolkit for schools, which contains a retention schedule on pages 66 to 99. It sets out statutory and recommended retention periods for a range of school records.

When you're dealing with information related to pupils, you can normally dispose of these records if the pupil has moved to a new school and you’ve sent over any information you need to. It'll be the responsibility of the school where the child reaches statutory school leaving age to retain their records for longer.

Read our articles on retaining and disposing of records and on transferring pupil records if you'd like more information.

How do I deal with requests to see personal data?

Individuals have a right to see copies of the personal data you hold on them.

When they make a request to see copies of their data, this is called a subject access request. In most cases, you have to respond to these requests within a month of receiving them, and you cannot charge for this.

Look at our article on subject access requests for more details on how to respond, including when you can extend the response deadline or refuse a request, and some template documents you can use to respond.

Even during school holidays like the summer break, you're required to respond to subject access requests within a month. If you haven’t got a plan in place for how you’ll handle this, read our suggestions.

What about other requests to do with data?

There are other rights that individuals can exercise, such as the right to ask for erasure of their data. Usually these different rights only apply to data you’re keeping under certain lawful bases.

For example, the right to erasure only applies to data you’re storing under the consent or legitimate interests bases.

Take a look at the guidance on individual rights to see what lawful bases have which rights attached.

Can I still use educational apps with pupils?

You're allowed to use educational apps that are provided directly to pupils, such as a homework app.

As explained in section 1 of this article, you’ll need to establish your lawful basis to share your pupils’ personal data with the providers of these apps. If you’re using the app for educational purposes, the public task basis will likely apply, and the consent basis if not.

Read more about using online services for more help with this.

What about services not managed by the school?

If pupils will be signing up to the service independently and you won’t be receiving any data from the provider, such as if they’re using a social media platform to research photos in class, then this isn’t your responsibility and you don’t need to identify a lawful basis.

However, in these situations, you mustn’t require pupils to use these services because they or their parents have the right to choose whether to give consent to the service provider.

The Key has taken great care in publishing this article. However, some of the article's content and information may come from or link to third party sources whose quality, relevance, accuracy, completeness, currency and reliability we do not guarantee. Accordingly, we will not be held liable for any use of or reliance placed on this article's content or the links or downloads it provides. This article may contain information sourced from public sector bodies and licensed under the Open Government Licence v3.0.