You must take steps to ensure that the way you handle data in your school is in line with the new rules under the General Data Protection Regulation (GDPR) and Data Protection Act 2018. Here are the resources you need to get compliant and stay compliant.
Learn under what circumstances you can share pupil and staff medical data under the GDPR. We set out what lawful bases you can typically rely on, and outline good practice on sharing information with staff so that they're prepared for emergencies but the data is kept secure.
You need to ensure GDPR compliance for your visiting staff who have access to personal data held by your school. Use the following guidance to help you determine their employment status and satisfy yourself that they’re compliant.
As a MAT, you're the legal entity responsible for data processing across your schools, and so the responsibility for GDPR compliance sits with you. Here are the steps you now need to take to get your trust ready.
Figure out what to do with your old photographs of pupils and staff with the GDPR in place. We look at whether previous consent will be enough and explain that you may not need to seek consent if archiving photos for certain purposes.
Understand the GDPR and ePrivacy rules surrounding marketing so you can ensure you're compliant. We set out what these rules are and what you'll need to do to comply, and suggest alternative marketing methods you can use.
Use our process to help you work out whether you need to seek consent for processing personal data under the GDPR. If you do, use our template consent forms that cover the most likely situations where you'll need to seek consent or use our checklist to ensure your own forms meet the new rules.
Your contracts with third parties which process personal data on your behalf must cover new points to be GDPR-compliant. Download our checklist to make sure your contracts address the new rules, and send our template letter to carry out the required due diligence on your suppliers.
The GDPR classifies some data as 'special category', meaning it's sensitive and needs more protection. Read on to find out what kind of data is defined this way in schools, and the conditions you can use to justify why you need to process it.
Read this article for guidance on recording consent to process pupils’ personal data under the GDPR. You can also see examples of how two schools are managing consent, plus some top tips to help you manage your consent procedures efficiently.
The GDPR will affect schools' commercial trading activities slightly differently to their core education services. If your school runs activities for profit, for example a sports centre or evening adult learning classes, read on to see how the rules differ.
Use this article to figure out how to handle the contact details of parents under the GDPR, and when you will need consent to contact parents. We look at scenarios including messages about emergency situations, marketing and fundraising, and sending out newsletters.