GovWire

Data protection policies and procedures

Department For Education

September 12
12:15 2023

Under UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA), schools have to:

  • comply with the legislation
  • demonstrate that theyre complying

You can read more about the personal data you need to document and how to do so on the Information Commissioners Office (ICO) website, where there is a useful data controllers checklist.

Statutory policies

Its a legal requirement that your school has data protection policies and procedures in place and that you regularly review and update these, along with the associated documentation. You should also review your other statutory policies in the light of data protection legislation.

Record of processing activities

A record of processing activities is an efficient means of capturing all the important information about your schools data processing activities. It will improve your information governance and show your compliance with accountability principles. It will also ensure you comply with other aspects of data protection law, such as the requirement to create privacy notices and keep data assets secure, thereby reducing the risk of a personal data breach. Guidance on how to document your processing activities is available on the ICO website.

Step 1: identify your personal data assets

Locate all the personal data your school has received, created or shared. It could be stored in:

  • management information systems
  • communication systems
  • safeguarding technology
  • health and social care records systems
  • curriculum management software
  • virtual learning environments
  • workforce systems
  • catering systems
  • equipment records
  • photo and video storage systems
  • paper records and photos
  • statutory returns to the Department for Education (DfE) and local authorities

Step 2: list your personal data assets

Compile a list of that personal data. Start with broad data item groups, then add beneath each group specific data items. For example, the data item groups for pupils might be:

  • admissions
  • attainment
  • attendance
  • behaviour
  • exclusions
  • personal identifiers, contacts and pupil characteristics
  • identity management and authentication
  • catering and free school meal management
  • trips and activities
  • medical information and administration
  • safeguarding and special educational needs

Repeat this for the personal data assets of all data subjects in the school community.

Step 3: add information about your personal data assets

Record extra detail about each of the personal data items in the list. Theres no definitive format you need to follow in creating your record of processing activities, so develop your own to suit your schools needs, using this guidance as a starting point.

Mandatory information

Your record of processing activities should include the following as a minimum:

  • the name and contact details of your school
  • the name and contact details of your data protection officer (DPO)/data protection lead
  • the name and contact details of any joint controllers
  • the purposes of the personal data processing you carry out
  • the categories of personal data you process
  • the categories of individuals whose personal data you process
  • the categories of organisations with which you share personal data
  • the schedule for retaining each category of personal data
  • a general description of your technical and organisational security measures

Additional information

The following prompts will help you add more detail about each personal data item to your record of processing activities.

Source of personal data

Record whether the data item:

  • was received by the school
  • was created by the school
  • has been or will be shared by the school

Category of personal data

Record whether its:

Data controller or data processor

Record whether, in respect of this data item:

Related Articles

Comments

  1. We don't have any comments for this article yet. Why not join in and start a discussion.

Write a Comment

Your name:
Your email:
Comments:

Post my comment

Recent Comments

Follow Us on Twitter

Share This


Enjoyed this? Why not share it with others if you've found it useful by using one of the tools below: