Department For Education
Under UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA), schools have to:
- comply with the legislation
- demonstrate that theyre complying
You can read more about the personal data you need to document and how to do so on the Information Commissioners Office (ICO) website, where there is a useful data controllers checklist.
Its a legal requirement that your school has data protection policies and procedures in place and that you regularly review and update these, along with the associated documentation. You should also review your other statutory policies in the light of data protection legislation.
A record of processing activities is an efficient means of capturing all the important information about your schools data processing activities. It will improve your information governance and show your compliance with accountability principles. It will also ensure you comply with other aspects of data protection law, such as the requirement to create privacy notices and keep data assets secure, thereby reducing the risk of a personal data breach. Guidance on how to document your processing activities is available on the ICO website.
Step 1: identify your personal data assets
Locate all the personal data your school has received, created or shared. It could be stored in:
- management information systems
- communication systems
- safeguarding technology
- health and social care records systems
- curriculum management software
- virtual learning environments
- workforce systems
- catering systems
- equipment records
- photo and video storage systems
- paper records and photos
- statutory returns to the Department for Education (DfE) and local authorities
Step 2: list your personal data assets
Compile a list of that personal data. Start with broad data item groups, then add beneath each group specific data items. For example, the data item groups for pupils might be:
- admissions
- attainment
- attendance
- behaviour
- exclusions
- personal identifiers, contacts and pupil characteristics
- identity management and authentication
- catering and free school meal management
- trips and activities
- medical information and administration
- safeguarding and special educational needs
Repeat this for the personal data assets of all data subjects in the school community.
Step 3: add information about your personal data assets
Record extra detail about each of the personal data items in the list. Theres no definitive format you need to follow in creating your record of processing activities, so develop your own to suit your schools needs, using this guidance as a starting point.
Mandatory information
Your record of processing activities should include the following as a minimum:
- the name and contact details of your school
- the name and contact details of your data protection officer (DPO)/data protection lead
- the name and contact details of any joint controllers
- the purposes of the personal data processing you carry out
- the categories of personal data you process
- the categories of individuals whose personal data you process
- the categories of organisations with which you share personal data
- the schedule for retaining each category of personal data
- a general description of your technical and organisational security measures
Additional information
The following prompts will help you add more detail about each personal data item to your record of processing activities.
Source of personal data
Record whether the data item:
- was received by the school
- was created by the school
- has been or will be shared by the school
Category of personal data
Record whether its:
Data controller or data processor
Record whether, in respect of this data item:
- the schools a data controller or a data processor
- the schools a joint controller and, if so, with which organisation
- theres an up-to-date
Related Articles
Comments
Write a Comment
Ministerial Departmental News
- PM's Office, 10 Downing Street
- Cabinet Office
- Department for Business, Innovation and Skills
- Department for Communities and Local Government
- Department for Culture, Media and Sport
- Department for Education
- Department for Environment, Food and Rural Affairs
- Department for International Development
- Department for Transport
- Department for Work and Pensions
- Department of Energy and Climate Change
- Department of Health
- Foreign and Commonwealth Office
- HM Treasury
- Home Office
- Ministry of Defence
- Ministry of Justice
- Northern Ireland Office
- Scotland Office
- Wales Office
- See all departments