Schools And GDPR

Schools like any other organisations hold and store yours and your child’s data. There is so much information that is collected that schools are accountable for looking after this information to safeguard pupils and their families.

WHAT IS GDPR AND THE DATA PROTECTION ACT 2018?

GDPR is short for general data protection regulation. They are rules that make up the toughest privacy law across the European Union. The UK data protection act 2018 is the UK’s version of GDPR and implements GDPR rules. The data protection act 2018 superseded the 1995 UK data protection directive.

LINK TO GOVERNMENT WEBPAGE FOR UK DATA PROTECTION ACT 2018.

LINK TO GOVERNMENT WEBSITE FOR DATA PROTECTION

The data protection act 2018 was created to protect the public from how organisations, companies, public and private bodies and institutions handle and look after private and personal details of individuals.

HOW DOES GDPR AFFECT SCHOOLS?

If the school wishes to use any information that the school holds on any individual outside of normal school procedure they must get consent from the individual (namely the parent) whose data it is. This is very important if this data is going to be released or used by a third party outside the school.

If the school is dealing with a third party where sensitive private data is involved not only must they get consent from the individual whose data it is but they must ensure the third party is GDPR compliant.

WHAT IS THE DATA PROTECTION OFFICER (DPO)?

Under article 37 (1) GDPR all education establishments including schools must appoint a data protection officer. This role is an independent monitoring and advisory role. They:

Help the school with compliance with GDPR rules
Help the school understand their obligations with GDPR
They are the point of contact for everyone with regards to GDPR
They are a point of contact for the Information commissioner’s office (ICO)

A DPO officer can be an internal member of staff as long as there is no conflict of interest however an individual who is not part of the school is preferred. Usually a data protection officer is an individual who is the DPO of many schools in the area (the schools share one officer). This officer advises the schools about their GDPR compliance. The DPO reports directly to the head or deputy head of the school, they must have experience, understanding and knowledge of UK and European GDPR.

LINK TO GDPR WEBSITE FOR APPOINTING A DPO FOR YOUR SCHOOL OF TRUST

WHAT IS A DATA PROTECTION IMPACT ASSESSMENT (DPIA)?

A data protection impact assessment (DPIA) is carried out by an education establishment when they are administering and implementing new software, new operating systems, and payment plans where there is a risk and danger of data leak or mismanagement. The DPO of the school must advise and help with the assessment.

WHAT MUST THE SCHOOL DO IF THEY DISCOVER THERE HAS BEEN A DATA PROTECTION BREACH?

If the school discovers there has been a data breach they must inform the information commissioner’s office within 72 hours of it happening.

LINK TO THE INFORMATION COMMISSIONER’S OFFICE (ICO)

WHAT DO YOU DO IF YOU FEEL YOURS OR YOUR CHILD’S DATA PROTECTION HAS BE BREACHED?

The first thing you must do is contact the school. Make an appointment with your child’s form tutor or year head. Explain what has happened in detail and show the evidence. If you hand over any evidence please make sure you keep a copy of every piece of evidence you have. This type of complaint will no doubt be escalated to higher departments at the school.

If you are not happy with the school’s response then you can forward your complaint to the information commissioner’s office.

LINK TO THE INFORMATION COMMISSIONER’S OFFICE (ICO)

IS IT A CRIMINAL OFFENCE FOR A SCHOOL TO BREACH YOUR DATA PROTECTION?

Under section 170 of the data protection act 2018 yes it is a criminal offence to knowingly and/or recklessly breach someone’s data without their consent.

LINK TO GOVERNMENT WEBSITE FOR SECTION 170 OF THE DATA PROTECTION ACT 2018

WHAT COULD HAPPEN TO THE SCHOOL IF THEY BREACH YOUR DATA PROTECTION?

If the school is found guilty of breaching data laws they could be sanctioned or fined up to 4% of their turnover.

CAN YOU MAKE A CLAIM FOR COMPENSATION?

You could make a claim for compensation if your data protection has been breached. You can claim for the following:

Violation of your privacy where a criminal has accessed your private information.
Theft of your identity. An example of this is a criminal has been able to clone your identity and commit fraud under your name..
Any losses you have incurred financially. An example of this is a criminal has been able to apply for credit under your name.
Any psychological harm you may have suffered that has caused you distress, mental anguish and anxiety.
Damage to your reputation. An example of this can be if a criminal has set up a fraudulent bank account in your name or sent messages to others using your identity.

Recital 85 of the UK General Data Protection Regulation lists the effects a data protection breach can have on an individual

LINK TO GOVERNMENT WEBSITE FOR RECITAL 85 OF THE UK DATA PROTECTION REGULATION

It is best to await the outcome of your complaint to the Information Commissioner’s Office (ICO) first before you decide to pursue a claim for compensation.

WHICH EDUCATION ESTABLISHMENTS CAN YOU MAKE A CLAIM AGAINST IF THEY BREACH YOUR DATA PROTECTION?

You can claim against nurseries, colleges, universities, schools and examination boards.

CAN YOU EXPERIENCE THE EFFECT OF A DATA PROTECTION BREACH MONTHS AFTER THE INCIDENT?

Yes you can. The full impact of the after effects of a data protection breach can sometimes be felt for months and years later. There are cases where individuals have been caused a great deal of stress and they have had to move home, change jobs and start new relationships.

WHAT IS A DATA SUBJECT ACCESS REQUEST (DSAR)?

A data subject access request (DSAR) is a request from an individual who would like to view what information an organisation/company/school holds about them. The data protection officer (DPO) will handle these requests and make sure the whole process complies with regulation.

I AM L.I.P

About Us

Our Purpose

Fighting For Litigants' Rights

I AM L.I.P Press & Media

Podcast - Memoirs Of A McKenzie Friend

YouTube Video Diary - Share Of The Reward

1. Legal Foundations Of A Child And Their Parents

2. Child Education Matters

3. Safeguarding Your Children

4. Child Arrangements And Proceedings

5. Filling In Forms, Their Numbers, And Where To Find Them

6. Appeals, Complaints, Realities & Trauma Of Child Proceedings, Knowing Your Rights And GDPR

7. Legal Aid, Solicitors, Barristers, Litigation Loans & Bullying By Proxy In Child Proceedings

8. Legislation Governing Child Proceedings & Cases You Can Refer To

9. How To Withdraw (Stop) Or Halt (Stay) Child Proceedings And Any Applications Made

10. Where To Save Money During Child Proceedings

11. Other Child Matters 1 (Before Conception To 1 Years Of Age)

12. Other Child Matters 2 (From 1 Years To 18 Years)

13. You And Child Loss

14. Name Change, Wills & Trusts, And Paternity Tests

15. International Child Matters

16. Connect With Registered Charities That Could Help You

17. Common Occurrence

18. Glossary

Relieving Deep Breathing Exercises

Find A Self-Care Activity

Rapid And Ready – Easy Recipes For Dinner

Did You Know? – Mineral Iron

Schools And GDPR