Welcome to Nurseriesandschools.org
Data Protection in Schools: Practical Tips for Staying Compliant
Data protection in schools could not be more important. Schools collect a lot of information (or "data") from parents and will need to provide transparency about how this information will be used. You must also collect consent from parents for you to store their data.
As technology improves and the world of education moves increasingly online, data protection is a must. If you email parents concerning their child's grades, parents' evenings, school trips and exams, you will need to explain exactly how you plan to use this information.
If you fail to do this, you will be breaking GDPR and could face a penalty.
Data protection in schools: how to ensure GDPR compliance
To ensure compliance, it's important to keep up with current regulations. GDPR sets out seven key principles that your school must follow:
- Fairness and transparency: you will tell parents what data you are collecting and why you need it
- Purpose limitation: you will only use data for essential purposes and not sell it to a third party
- Data minimisation: you will only collect data you need for essential purposes
- Accuracy: you will, to the best of your ability, ensure all the data you collect and store is genuine and accurate
- Storage limitation: you will only store the information you need, e.g. parent contact information, child health records, allergy information, etc.
- Integrity and confidentiality: you will ensure the security of all data collected
- Accountability: your school will take full responsibility for the data you collect
These seven principles are vital to your approach to processing personal data from parents and children, and you should display them in your school privacy notices.
Do you need to display school privacy notices?
Your school must display data privacy notices on all enrollment documentation when a child starts school. You should also display a clear privacy notice on your website. It's a good idea to send a digital privacy notice to all parents at the beginning of each school year.
To comply with data protection laws, you should include the following in your privacy documents:
- How you intend to collect and store personal data and why
- Your school's identity and the identity of your nominated school representative
- Details on confidential waste procedures
- Computer security policies
- Information regarding third parties involved with the processing of data
- How personal data is encrypted and stored electronically
- What happens if data is lost or stolen
- Guidelines on if and how data is shared outside of the school
- Any additional information related to safe and fair data processing
How to ensure data protection in schools
Here are some tips to ensure your school complies with data protection regulations:
- Make sure you use strong passwords and store them securely
- Encrypt all personal information and store it electronically
- Shred all physical copies of confidential information or hire a confidential waste service
- Install virus checking software and firewalls on all school computers and devices
- Turn off "auto-complete" settings on all school computers
- Restrict access to personal information within the school unless access is completely necessary
- Make sure all storage systems are secure
- Keep digital devices and paper information locked away when not being used
If you plan to take photos in school, you will need express consent from parents to use these photos on your website, social media, or any other physical or digital school materials. At the start of each year, parents should sign a consent form detailing if and how their child's photo may be used. You must make sure you abide by these regulations at all times.