Tel: 0371 321 01 01 
Telephone Talking Business 
email talking business
GDPR For Schools
As yet, only guidelines have been published for how the new General Data Protection Regulation (GDPR) will affect schools. The regulations are expected to be finalised in May 2018. 
There are a number of things schools will need to be aware of and possibly change in light of the new regulations. The overarching change is that organisations will have to prove that they are aware of and have accounted for specific issues in relation to data. 
What GDPR means for your school
In short, schools need to take into account the impact on the following: 
'Bring your own device' (BYOD) 
security requirements for cloud computing 
subject access and pupils personal information 
biometric use for cashless catering or borrowing library books 
publishing of exam results 
taking photos in schools 
In this blog, we'll give you an overview of each aspect, starting with those most relevant to what Talking Business can help your school with. 
'Bring your own device' (BYOD) 
Allowing staff and pupils to bring their own devices has become more popular. A school needs to take into account how their information is being stored and shared. The Data Protection Act 1998 (DPA) requires that "the data controller must take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data". A BYOD policy needs to cover how employees and pupils access wifi, what is downloaded and stored and where and how the information should be cleared when no longer needed. Information about safe wifi use and data monitoring over public networks is also worth sharing. Our teams have created robust BYOD policies for a number of schools, ensuring data is safely looked after. 
Security requirements for cloud computing 
When choosing a cloud service provider schools should select a data processor providing sufficient guarantees about the technical and organisational security measures governing the processing to be carried out, and must take reasonable steps to ensure compliance with those measures. The Department for Education has a self-certification list that schools can go through with a prospective cloud service supplier to ensure all aspects have been covered, including safe processing of data, confidentiality, data integrity, service availability, data transfers outside of Europe and use of advertising. Talking Business specialise in cloud hosting for schools and have an excellent track record in providing solutions for secondary schools. 
Should you need to use CCTV and video, you need to make sure that images are only used for the purpose you have specified and you need to make individuals aware they may be recorded. Do you have appropriate measures in place to keep the recorded images securely? A privacy impact assessment (available on the ICO website) can help you go through a step by step process to think through the implications of using surveillance within the guidelines of the Data Protection Act. 
Subject access and pupils personal information 
Pupils and students have a right to see their personal information held by the school via a subject access request. Access to education records can also be requested by pupils and their parents. 
Biometric use for cashless catering or borrowing library books 
The protection of Freedoms Act 2012 set out guidance on using biometrics in schools. Parents must first be notified and at any point an objection is made by the pupil or parent, or their consent withdrawn, the school must stop processing their data straight away. 
Publishing of exam results 
If exam results are to be published, pupils and their parents need to be informed first in order to 
take a fair and open approach. They will need to how this will be done and when and a regular reminder at the start of each term is prudent so that a school is not assuming all pupils are aware. 
Taking photos in schools 
A common sense approach suggests that by the photographer asking or permission to take a photo, that is enough to ensure compliance. 
For full details from the Information Commissioners Office and regular updates on GDPR, see the ICO website


Share this post:

Leave a comment: 

Our site uses cookies. For more information, see our cookie policy. Accept cookies and close
Reject cookies Manage settings