GovWire

Responsibilities

Department For Education

September 12, 2023 12:15

Everyone in your school is responsible for protecting personal data. There are some key roles and responsibilities for data protection compliance.

The data controller

For most of the personal data you collect, store and use, the school or the multi-academy trust is the data controller. This means it's responsible under the Data Protection Act 2018 for protecting data in every situation where it decides:

  • whose information to collect
  • what types of data it needs
  • why it needs it
  • whether the information can be shared with a third party
  • when and where data subjects' rights apply
  • for how long to keep the data

As a data controller, your school needs to register with the Information Commissioner's Office.

Where, for example, a school is required to supply a copy of some personal data to the Department for Education (DfE), DfE also becomes an independent data controller of the copy it receives.

Governors and trustees

The responsibility and accountability for compliance sits with governors and trustees. Schools and multi-academy trusts risk getting a fine if they don't comply.

Governors and trustees check that the school:

  • monitors its data protection performance
  • supports the data protection officer
  • has good network security infrastructure to keep personal data protected
  • has a business continuity plan in place that includes cyber security

Senior leaders

Senior leaders are accountable for:

  • deciding how the school uses technology and maintains its security
  • deciding what data is shared and how
  • setting school policies for the use of data and technology
  • understanding what UK GDPR and the Data Protection Act cover and getting advice from the data protection officer, as appropriate
  • assuring governors and trustees that the school has the right policies and procedures in place
  • making sure any contracts with third-party data processors cover the relevant areas of data protection
  • making sure staff receive training on data protection every 2 years (we recommend annually as best practice)

Staff training on data protection should include training on specific school processes such as:

  • personal data breach reporting processes
  • the escalation of information rights requests

All staff

All staff should be aware of what:

  • personal data is
  • processing means
  • their duties are in handling personal information
  • the processes are for using personal information
  • is permitted usage of that data
  • the risks are if data gets into the wrong hands
  • their responsibilities are when recognising and responding to a personal data breach
  • the process is for recognising and escalating information rights requests

This includes:

  • teaching staff
  • catering staff
  • welfare supervisors
  • library staff
  • cleaners
  • first-aiders
  • governors and trustees
  • volunteers

There are extra requirements for any staff in school who:

  • create and store data
  • enter data into applications or software
  • decide if and when they'll process certain data
  • handle paper documents

Staff who collect, store or view personal data are responsible for:

  • making sure they have a legitimate need to process the data
  • checking that any data they store is needed to carry out necessary tasks
  • identifying any risks
  • understanding the governance arrangements that oversee the management of risks

Staff are responsible for making sure that pupils using personal data for projects or coursework do so appropriately. This includes being compliant when storing data.

The Information Commissioner's Office has guidance on training for staff. It also produces resources to help you promote good data protection practice in your school.
