Data protection policies and procedures
How to comply and document compliance with UK GDPR and the Data Protection Act 2018.
Under UK GDPR and the Data Protection Act 2018, schools have to:
- comply with the legislation
- demonstrate that they’re complying
You can read more about on the Information Commissioner’s Office (ICO) website, where there is a useful .
It’s a legal requirement that your school has data protection policies and procedures in place and that you regularly review and update these, along with the associated documentation. You should also review the statutory policy for maintained schools or the statutory policy for academy trusts in the light of data protection legislation.
A record of processing activities is an efficient means of capturing all the important information about your school’s data processing activities. It will improve your information governance and show your compliance with accountability principles. It will also ensure you comply with other aspects of data protection law, such as the requirement to create privacy notices and keep data assets secure, thereby reducing the risk of a personal data breach. Guidance on is available on the ICO website.
Step 1: identify your personal data assets
Locate all the personal data your school has received, created or shared. It could be stored in:
- management information systems
- communication systems
- safeguarding technology
- health and social care records systems
- curriculum management software
- virtual learning environments
- workforce systems
- catering systems
- equipment records
- photo and video storage systems
- paper records and photos
- statutory returns to the Department for Education (DfE) and local authorities
Step 2: list your personal data assets
Compile a list of that personal data. Start with broad data item groups, then add beneath each group specific data items. For example, the data item groups for pupils might be:
- admissions
- attainment
- attendance
- behaviour
- exclusions
- personal identifiers, contacts and pupil characteristics
- identity management and authentication
- catering and free school meal management
- trips and activities
- medical information and administration
- safeguarding and special educational needs
Repeat this for the personal data assets of all data subjects in the school community.
Step 3: add information about your personal data assets
Record extra detail about each of the personal data items in the list. There’s no definitive format you need to follow in creating your record of processing activities, so develop your own to suit your school’s needs, using this as a starting point.
Mandatory information
Your record of processing activities should include the following as a minimum:
- the name and contact details of your school
- the name and contact details of your data protection officer (DPO)/data protection lead
- the name and contact details of any joint controllers
- the purposes of the personal data processing you carry out
- the categories of personal data you process
- the categories of individuals whose personal data you process
- the categories of organisations with which you share personal data
- the schedule for retaining each category of personal data
- a general description of your technical and organisational security measures
Additional information
The following prompts will help you add more detail about each personal data item to your record of processing activities.
Source of personal data
Record whether the data item:
- was received by the school
- was created by the school
- has been or will be shared by the school
Category of personal data
Record whether it’s:
Data controller or data processor
Record whether, in respect of this data item:
- the school’s a data controller or a data processor
- the school’s a and, if so, with which organisation
- there’s an up-to-date in place, if applicable
Access and use
Record, in respect of this data item:
- the lawful basis (personal data) and, if applicable, additional condition (special category or criminal offence data) that allows it to be accessed and used
- who has access to it and how that’s controlled
- whether there’s an up-to-date in place, if applicable
Data retention and destruction
Record, in respect of this data item, the:
- data retention period and the justification for it
- procedure for depersonalisation or disposal of it at the end of the retention period
- disposal is manual or automated and, if manual, there’s a prompt to ensure it is destroyed
Consent, rights and subject access requests
Record whether, in respect of this data item, data subjects have:
- given their consent for it to be processed and, if so, how
- been informed of their rights regarding access, rectification and erasure
- been told about the procedure for making a subject access request
Security and personal data breaches
Record whether, in respect of this data item, there:
- are up-to-date information and communication technology (ICT) security policies and procedures in place to prevent a cyberattack
- is a procedure for secure sharing
- is a procedure for handling a personal data breach
Automated decision-making
Record whether, in respect of this data item, the processing involves any .
Share your record of processing activities with your school leadership team (SLT) and governors or trustees. They are responsible for ensuring your school is compliant with the DPA and keeps only the personal data it needs.
A data protection impact assessment (DPIA) is a tool to help you identify, measure and manage data protection risks. Under UK GDPR, a DPIA is needed whenever the processing of personal data is likely to result in a ‘high risk to the rights and freedoms’ of individuals.
An effective DPIA will help you:
- identify, manage and mitigate data protection risks
- fix problems at an early stage, minimising those risks
- consider and mitigate risks to individuals’ privacy
- ensure individuals’ expectations of privacy obligations are being met - for example, by the provision of privacy notices
- provide individuals with reassurance
- demonstrate both accountability and compliance with data protection law
- avoid reputational damage to your school
You should consider and document carrying out a DPIA of personal data collected:
- about vulnerable data subjects, including:
  - children (because of their age)
  - employees (because the power imbalance means they cannot easily consent or object to the processing of their data by an employer)
  - more vulnerable sectors of the population (who need special protection)
- by innovative technologies, such as:
Review your record of processing activities
Look again at each personal data item in your record of processing activities and ask yourself whether:
- there are any current data processing activities that do not have a lawful basis (personal data) and, if applicable, additional condition
- as the result of applying those justifications, you would be less likely to carry out any safeguarding activities - if so, re-assess how you’re applying the law
- you’re certain about the procedure for data sharing in every case, including when this takes place and with which organisations
- there’s a procedure in place for updating the with any organisation to which you’re passing personal data
- there’s a procedure in place for updating your ICT security policies, and regular training for everyone who handles personal data
- the school’s systems allow you to carry out responsible data retention, depersonalisation and disposal procedures
- everyone in the school community knows the procedure for reacting to a personal data breach and that procedure has been tested
Record the risks
There’s no definitive DPIA format you must follow, so you can develop your own to suit your school’s needs, using this guidance and your own risk management framework as a starting point.
You can download a suggested from the ICO website.
A DPIA does not have to demonstrate that all risks have been eliminated, but it’ll help you document them and assess whether any that remain are justified.
If it identifies a high risk and you cannot take measures to minimise it, you’ll need to seek advice from the ICO. You may not begin processing the personal data in question until you have acted on the ICO’s advice.
Regularly reassess the impact
A DPIA is not a one-off exercise. You need to keep it under regular review and update it if anything changes in your school’s data life cycle.
In particular, if you make any significant changes to how or why you process personal data, or the amount of personal data you collect, it has to demonstrate that you’ve assessed any new risks.
You should also review your DPIA if a new:
- security flaw is identified
- technology is made available
- contractor is appointed
- public concern is raised over the type of processing you do
- public concern is raised over the vulnerability of a particular group of data subjects
Under UK GDPR and the Data Protection Act 2018, every school must make its privacy notices freely available to those whose personal data it handles.
A privacy notice explains:
- why a school needs to collect personal data
- what it plans to do with it
- how long it will keep it
- whether it will be sharing it with any other organisation
Privacy notices need to be clear and accessible, and regularly reviewed and updated. Being transparent builds trust, avoids confusion and lets everyone in the school community know what to expect.
Privacy notices should be reviewed by your data protection officer:
- at least annually
- whenever you make a significant change to how you process personal data
Parents, pupils and staff, who are the data subjects, must be notified in the case of any significant changes to your privacy notices or if the way you use their personal data changes.
What to include in a privacy notice
Your privacy notice is expected to explain to your data subject what makes it lawful for the school to use personal data, including any data that may be regarded as sensitive. The Information Commissioner’s Office (ICO) has a list of .
Your school’s privacy notice must include what personal data your school shares with DfE.
Model privacy notices for schools to issue to staff, parents, carers and pupils about the collection of data are available.
A privacy notice can be in any format, provided it is accessible. For example, you can take a , where you provide a short version of your privacy notice, along with details of how to view further information.
Data subjects’ rights
Data subjects have rights and control over the use of their personal data. These rights are:
- the right to be informed
- the right of access
- the right to rectification
- the right to erasure
- the right to restrict processing
- the right to data portability
- the right to object
- rights in relation to automated decision-making and profiling
Your privacy notice should include:
- what personal data is being processed
- why their personal data is being processed
- on what lawful basis their personal data is being processed
- with whom their personal data will be shared and why
- how and for how long their personal data will be stored
- how they can exercise their rights over their personal data
- whom to contact if they have any questions or concerns, including your data protection officer and the ICO
The information in your record of processing activities will be a useful source of information in this regard.
Inform data subjects about their privacy rights
Privacy notices are the most common way of complying with data subjects’ right to be informed.
There are a number of ways you can keep data subjects informed about how your school deals with their personal data.
For pupils, these include sharing the school’s privacy notice:
- in an induction pack, when joining the school
- at the start of each school year
- when they provide extra personal data during the school year
- through the school website
For staff, these include:
- when they apply for a role, accept a contract, are appraised, or leave the school
- ensuring existing staff members are made aware of the privacy notice at the start of each school year
- making the notice visible on the staff notice board and intranet
For pupils and staff, you must make sure the privacy notice is accessible at all times.
Download this which offers a simple way for a school to seek parents’ and carers’ consent to process children’s personal data at the same time as they ask them to confirm or amend it.
Children have the same rights over their personal data as adults. Schools can be inventive in the way they present child-friendly privacy rights information, using diagrams, graphics, comic strips, videos and so on.
For example, DfE has a privacy notice specifically for children and young people.
Introducing the idea of data privacy within wider online safety lessons will allow teachers to use age-appropriate language, ensure understanding and encourage pupils to ask questions.
Personal information shared with DfE
DfE collects personal information from educational settings, local authorities, and other organisations, via various statutory data collections. Each data collection or census guide contains the legislation detailing the lawful basis for collection.
This data is used for many purposes, including to inform funding, monitor education policy and school accountability, and to support research.
Your school’s privacy notice must include what personal data is shared with DfE. You can read examples of this text in DfE’s privacy notice model documents.
It’s essential to ensure critical data is protected from cyber-attacks and unauthorised access. You should be aware of what personal data you store within your school network, and what’s stored outside of your direct control. Both locations must have in place good security settings, including encryption and access control, and all those processing personal data should be trained in keeping data safe.
DfE has guidance to help schools keep people and their personal data safe when using digital technology, and on meeting ICT service and equipment standards.
The government’s National Cyber Security Centre has resources to improve cyber resilience. They include:
The police service’s regional cyber protect officers provide free advice and training to schools.