All Schools must meet their Information Rights obligations.
Data protection – looking after the information you hold
Recommendations for Schools from the ICO
The ICO have produced a report, indicating areas of good practice, areas for improvement and practical advice, is based on the results of a questionnaire of over 400 schools across nine different local authorities in England and Wales.
View the Summary report
Your pupils and students have rights to see their personal information. They can make a subject access request to see the personal information you hold about them. They – and their parents – also have the right to see their educational records.
The Protection of Freedoms Act 2012 places controls on the use of biometric systems in schools, for example for cashless catering or borrowing library books.
If you intend to publish exam results in the media, you must inform your pupils and students first.
Taking photos in schools
The Data Protection Act does not prevent parents and teachers from taking photos of events such as the Christmas play or sports day. Asking permission to take photos is normally enough to ensure compliance.
Freedom of information – making public information available
If the educational establishment you work in is a public authority, the Freedom of Information Act means you must produce a publication scheme, which outlines the information you will routinely make available to the public - such as minutes of meetings, annual reports or financial information.
ICO definition documents explain the detail of what you need to publish:
Schools In Northern Ireland Definition Document
For further information & resources on the above please refer to https://ico.org.uk/for-organisations/education/ or contact the SELB Information Management Team.
Sharing of Personal Data
Schools are increasingly using third parties to assist with the delivery of services, some of which require the sharing of personal data. Some examples include:
- Text or e-mailing services
- Attendance / behaviour management reporting
- Cashless catering systems
- Virtual learning environments or online assessment environments
Because schools originally collect the personal data and the provider is conducting the service on behalf of the school, the school is accountable for any breach of the Data Protection Act by the provider, where proper assurances were not obtained around data security. Guidance has been created to help schools obtain these assurances. The guidance can be downloaded at the following here.
The guidance provides advice on the information security/data protection areas schools must consider when using a third party provider to help deliver a service, and has three parts:
- Part 1. Data Protection considerations
- Part 2. Technical standards and controls
- Part 3. A proforma for schools to use to obtain assurances from providers in the areas referenced in Parts 1. and Part 2.
It is the responsibility of the School Principal and Board of Governors to ensure that their school complies with the Data Protection Act throughout all its operations.
The Data Protection Act requires personal data to be processed fairly, and often this is only possible if certain information is given to the individual or individuals concerned.
The oral or written statement that individuals are given when information about them is collected is often called a ‘fair processing notice’ or ‘privacy notice’.
In general terms, a privacy notice should state:
- your School Name;
- the purpose or purposes for which you intend to process the information; and
- any extra information you need to give individuals in the circumstances to enable you to process the information fairly.
Sample Privacy Notice
Advice for Governors
The following advice has been prepared to help develop a consistent approach to minute taking and to provide some guidance to staff who record minutes.
Guidance on Minute Taking
The SELB have also made a leaflet available providing Summary Guidance for Principals and Governors on FOI, EIR and DPA.
Sample Data Protection Policy for Schools