In mid-2018 the General Data Protection Regulation (GDPR) is expected to come into force, bringing with it a number of changes that will affect how schools manage information.
Whether it's paper stuffed into filing cabinets, databases of children's assessment and behaviour histories, staff personnel records, or CCTV capturing who is present on the school premises, schools are awash with personal data. Whatever form it is gathered and held in, establishments have a responsibility to ensure this information is managed appropriately and in accordance with current legislation.
The Information Commissioner's Office (ICO), which oversees the application of the Data Protection Act (DPA) in the UK, has advised that public bodies (including schools, academies and academy trusts) start to consider the impact the GDPR will have on their organisations.
To help unpick the pertinent changes in the new regulation, the ICO has published a concise "12 steps to take now" guide, available here.
Don't Panic… Schools and academies that are complying with the current law will not have to make wholesale changes to their practices. There are, however, some key differences between the GDPR and the Data Protection Act that will require education establishments to review how they approach the management of personal data.
Early buy-in from Senior Leaders, Governors or Trust Board members will help with planning where changes to policies and procedures and an increased budgetary commitment are required. Areas impacted include the management of IT infrastructure and communications technologies, personnel records, and the maintenance of documentation to evidence that organisations are properly accountable for their new responsibilities.
Organisations that have not already done so should consider undertaking an audit of existing compliance with the current DPA legislation. The GDPR’s new transparency and individuals’ rights provisions will also require schools and academies to review their governance arrangements and their approach to data protection at an organisational level.
It would probably be prudent to review contracts that are in place between the school and suppliers to ensure accountability for data sharing is appropriately defined. As "Data Controllers", schools and academies remain ultimately responsible for the processing of personal data undertaken on their behalf by third parties (don't get caught out by woolly promises made to you by suppliers keen to secure a contract).
Another significant change is to the explicit parent or guardian consent that will be required for processing children’s (under the age of 13) personal data. Organisations will have to be able to demonstrate how consent has been sought and verify this if required. Privacy Notices will also require review and must be written using language that both children and adults can understand.
S4S offers advice, training, review and issue management support with all aspects of information governance and data protection. Contact firstname.lastname@example.org or 01902 203990 for more information about how we can help.