GDPR: 5 real life examples for schools

The General Data Protection Regulation (GDPR) comes into force on 25th May this year. But with a plethora of information out there – some of it contradictory – you’d be forgiven for being confused about what educators have to do to comply.

In a nutshell, the GDPR will ensure schools look after the data they hold responsibly, while giving individuals more control over their personal information. Last year, we set out the steps schools needed to take to make sure they were ready for the new legislation, and these steps are still valid. Expanding on this, and to shed some light on how the law will impact educators on a day-to-day basis, here are some real-life examples of how the GDPR will work in practice.

1) DfE census

What most people don’t yet realise is that, while the GDPR sets a high standard when it comes to consent, you don’t always need it. In fact, as long as you have a “lawful basis” for processing information (such as complying with a regulatory requirement), you can do so without consent. For example, it is a legal obligation for schools to provide data to the DfE as part of its census; so permission isn’t needed in this instance.

2) Using photographs of pupils

As with the Data Protection Act, schools will have to obtain consent for the processing of personal data. However, under the GDPR, separate consent must be given for different processing purposes. In practice, what this means is that, under the new regulations you do require permission to publish pictures of pupils, however, you don’t need to get this every single time you want to do this.

Instead – and if you haven’t already done so – update your consent forms with tick boxes for each way you want to use these photos (e.g. on the school website, on social media, in advertisements, etc.) and let parents – or the pupil themselves depending on their age – opt-in accordingly. According to the ICO, only children aged 13 or over are able provide their own consent. To keep compliant, make it clear that pupils and parents can withdraw their consent at any time, and that you will review permissions regularly (e.g. each year).

3) Using educational technology

If your school outsources data to a third party (e.g. a text messaging service), you will need to make this clear when requesting consent. In asking for this, you should let individuals know who you will be sharing their details with and why. If you introduce any new software that requires personal data, you would need to inform pupils and parents, and get additional consent for this new purpose.

Regardless of which software provider you use, the school remains the Data Controller (the body responsible). So, make sure you have an agreement in place that obliges any third-party to comply with the GDPR. This contract must include exactly what data is being used, who is using it, who has access to it, and how it is being protected.

4) Providing educational services

Legitimate interest is another reason for storing and using data under the GDPR without consent. A legitimate interest simply means that you are using personal data in ways people would reasonably expect and where there is an undeniable justification for doing so. If you can realistically achieve the same result by another less intrusive method, or the processing is unfair, legitimate interest does not apply.

A school’s legitimate interests could require data capture and use for many reasons including:

• To confirm the identity of students and their parents
• To provide educational services
• To allow students to take part in assessments
• To safeguard student welfare.

To keep things transparent, your school should provide details of any legitimate interests in its privacy policy. Of course, even data used because of a legitimate interest must be kept safe and in line with the wider requirements of the GDPR.

5) Reporting a breach

From 25 May 2018, if your school is aware of a personal data breach, it is required to inform the Information Commissioner’s Office (ICO). However, teachers are often unaware about what constitutes a breach. For example, if a student goes into another student’s Facebook account without their permission, that is a data infringement and should be reported.

While the maximum fine for failing to comply with the GDPR is €20m (or four percent of an organisation’s annual turnover, whichever is greater), for now at least, the regulator is more concerned about helping schools get up to speed than imposing fines. To ensure the right governance measures, the DfE has created a Data Protection: toolkit for schools. The ICO has also published some handy guides to bust the myths surrounding GDPR.

Information correct as of 30/04/2018. The information found on our website does not constitute legal advice and ResourcEd and Promethean accept no liability for any loss that may be suffered in relying upon this information. If you want professional assurance that our information, and your interpretation of it is correct, we recommend you consult a lawyer and/or support from the ICO.