Between now and May 2018, you need to take steps to ensure that the way you handle data in your school will be in line with the new rules under the General Data Protection Regulation (GDPR). Here are the resources you need to prepare.
Do you know your data controllers from your data processors? How about the difference between personal data and 'special categories' of personal data? The world of data protection is filled with jargon and technical terms, but our GDPR glossary makes it accessible for you.
Your contracts with third parties which process personal data on your behalf must cover new points to be GDPR-compliant. Download our checklist to make sure your contracts address the new rules, and send our template letter to carry out the required due diligence on your suppliers.
The GDPR is changing how you seek people's consent for processing their personal data. Use our checklist to help you meet the new rules and download our template form for seeking consent to take photographs of pupils. Both resources are GDPR-compliant.
Carrying out a data protection audit, or information audit, is a helpful way to start preparing for the GDPR. We've created a downloadable audit template, which includes school-specific prompts, to help you identify what personal data you hold. We also link to examples of information audits and guidance on conducting your audit.
Schools must appoint a data protection officer from May 2018 under the General Data Protection Regulation. We explain the duties of the role, what experience they should have, and what training they may need. You can also download and adapt our template job description and person specification.
Reforms to data protection will come into force in May 2018. The General Data Protection Regulation (GDPR) will determine how personal data is processed and kept safe, and the legal rights people have in relation to their own data.
From May 2018, schools must ensure their data processing complies with new data protection law under the General Data Protection Regulation (GDPR). Here's what you need to do to get your school ready for these reforms.
Is there guidance on writing a privacy notice? We explain the requirement to have a privacy notice and link to guidance from the Information Commissioner's Office on what this should contain. We also link to information about privacy notices under the General Data Protection Regulation.
Our GDPR-compliant model data protection policy and privacy notices will help make sure you're ready for the data protection reforms in May 2018. You can download and adapt them to your school's setting.
How long do schools have to keep attendance registers for? We explain that there is no legal requirement to retain attendance registers for a minimum amount of time. We also relay suggested retention periods from two local authorities and the Information and Records Management Society.
Individuals have the right to request access to the information your school holds about them, under data protection law. Get up to speed with the rules, find out how to respond to such requests, and download our template form that individuals can use to submit requests.
For how long must schools store records? We link to a records management toolkit for schools from the Information and Records Management Society (IRMS). We also relay guidance from the Department for Education and the Information Commissioner's Office on retaining, storing and disposing of records.
Do schools need to keep copies of employees' proof of identity? We outline guidance from the DfE and the ICO on keeping copies of documents used to prove the identity of new members of staff. We also relay advice from One Education on losing proof of identity documents.
Must schools register with the ICO as a data controller? We explain the requirement for organisations that process personal information to register with the Information Commissioner’s Office (ICO). We also look at how this applies to MATs, and relay guidance on updating a registration.
What are the guidelines for using images of staff on the school website? We relay advice from the Information Commissioner's Office, and refer to guidance from a local authority. We also include guidance from a union, and link to an example of a school policy on the use of photographs.
Can parents record conversations with members of staff? We set out guidance from the Information Commissioner's Office on the legal considerations. You will also find guidance on how schools can deal with parents who wish to record conversations with staff, and links to procedures from schools.
Can we post photos of pupils on Twitter? We explain what to consider when uploading photographs of pupils onto social media sites such as Facebook and Twitter, including data protection implications, parental consent and safeguarding. You will also find examples of policies from schools.