You are here:

Last reviewed on 26 June 2020
Ref: 39748
School types: All · School phases: All

If you're setting up online systems for remote working, make sure you've considered all the relevant data protection concerns. This includes the rules on signing pupils up to online services, and staff accessing personal data when working at home.

You may need to deliver remote learning during this school year:

  • If pupils need to self-isolate
  • As part of your contingency plan for local coronavirus outbreaks
  • As part of your blended learning offer (for example, if you have teachers in fixed ‘bubbles’ delivering video lessons to pupils in other bubbles) 

You can find advice on remote learning during coronavirus here.

Data protection won't be your number one concern right now, but you need to make sure you're considering it.

Get your data protection officer (DPO) involved in any plans you make for remote working, and take a look at our tips below for ideas on what to consider.

Introducing a new online service

If you've already got pupils signed up on an online service for learning, there's no need to worry about this. You should have covered this already and can proceed as normal.

If you're introducing a new system, you'll need to consider a few points.

Establish your school's role

  • If you're the data controller (i.e. you share personal data with the service and/or receive it back), you'll need to establish a lawful basis - the 'public task' basis should apply for any service necessary for educational purposes, so you won't need to get anyone's consent
  • If you're not the data controller (i.e. pupils sign-up themselves and you can't see their work), you can't require pupils to join as they or their parents must consent to it with the service provider - try to think of other learning options that don't involve them having to share data with the service

If you're the data controller, read below.

If you're not, the responsibilities for following data protection law lie with the service so the next part doesn't apply to you.

Steps to take if you're the data controller

  • Conduct a data protection impact assessment to identify and minimise risks
  • Ensure that the service provides sufficient guarantees it's GDPR-compliant (most services will likely have information on their security measures which should suffice)
  • Make sure any contract you agree to is GDPR-compliant
  • If the service holds personal data on international servers, check whether you can make this international transfer
  • Update your privacy notices to reflect your data sharing with the service
  • Share only the personal data that the service needs to work

Staff accessing personal data from home

A large number of your staff will likely access personal data about other staff members and pupils when working remotely, including when managing online learning.


  • Staff will be able to access personal data on a secure cloud service, or a server in your IT network that's accessible through a virtual private network (VPN), so they're not keeping any data on their devices
  • Devices will be provided by your school, so you can make sure appropriate security arrangements are in place
  • You'll have provided data protection training to staff, so they know what steps to take

If you don't have these measures in place right now, don't panic. Just make staff really aware of security issues and make sure they keep their devices safe.

How to make devices secure

Get staff to follow the steps below on the devices they're using, if these aren't in place already.

Lean on your IT staff to help staff with putting these measures into place.

  • Keep the device password-protected - strong passwords are at least 8 characters, with a combination of upper and lower-case letters, numbers and special characters (e.g. asterisk or currency symbol)
  • Encrypt the hard drive - this means if the device is lost or stolen, no one can access the files stored on the hard drive by attaching it to a new device
  • Make sure the device locks if left inactive for a period of time
  • Avoid sharing the devices among family or friends
  • Install antivirus and anti-spyware software
  • Keep operating systems up to date - always install the latest updates

Sharing contact details

You may need to collect or share contact details you didn't need to before, such as email addresses, as part of your online learning system.

Don't worry too much about this - if you're collecting or sharing them as part of your functions as a school, the 'public task' basis would apply and you won't need to seek consent.

However, try to collect and share as little personal data as possible to complete your purpose.

More from The Key

Anxiety (2).jpg

Pupil mental health: deepening understanding

Are you looking to deepen your staff's understanding of mental health, including anxiety, depression, self-harm and suicidal ideation? Safeguarding Training Centre has the resources you need.


Evidence-led training courses that make it easy to upskill staff, anytime, anywhere.

CPD Toolkit is the most effective way to virtually deliver evidence-led training and support the professional development of your staff. Downloadable courses and online 5-minute summaries provide flexibility for training, whether staff are participating as skeleton staff in-school, via video call or individually at their own pace.

The Key has taken great care in publishing this article. However, some of the article's content and information may come from or link to third party sources whose quality, relevance, accuracy, completeness, currency and reliability we do not guarantee. Accordingly, we will not be held liable for any use of or reliance placed on this article's content or the links or downloads it provides. This article may contain information sourced from public sector bodies and licensed under the Open Government Licence v3.0.