Data Protection in Schools Banner - "safeguarding children's safety"s

Data Protection Guidance for Schools

GDPR In Schools

Our Data Protection Guidance for Schools has received great feedback. How best to maintain data protection compliance in schools is a recurring question within our network. Since leaving the EU many education providers are now turning to the information commissioner’s office for formal guidance. We have attached a link below directing you towards the official ICO website. This will outline their formal instructions for schools on how to comply post-transition period. All our services deliver compliance in accordance with their formal guidance. All education providers will be a data controller or data processor and need to make changes following the end of the transition period. The following steps will help your school following the UK leaving the EU.

Data Protection Guidance for Schools:


• Carry out an impartial data protection audit (External data protection consultant Led)
• Appoint a Data Protection Officer (DPO as a service)
• Annually audit and review the correct frameworks to maintain GDPR compliance

Remember within school’s personal data can be categorised: Personal data includes, but is not limited to:


• Contact information about pupils, students, learners, staff and carers, volunteers
• Health information, medical records, mental health records
• Biometric data
• Employee references
• Safeguarding information about an individual
• Passport information, if planning trips to the EU
• Pupil exam references and results

So, what is an audit and why should you be doing them annually?

For many education providers the first step on the journey to GDPR compliance. For others it’s an annual exercise to reassure and embedded data protection best practice. An audit provides a clear assessment of whether your school is following lawful data protection practices. We advise our customers that audits play a key role in meeting your data protection obligations. The audit also known as a Gap Analysis or compliance review looks at whether you have effective controls in place. It also reviews your policies and procedures to support your data protection obligations. Our audit exercises are led by impartial consultants who check if you are following data protection legislation. As a result we makes recommendations on how to improve your current frameworks.

Data Protection Guidance for Schools Continued:

As a response, many schools are now looking to engaging a data protection compliance partner like Compliance Direct Solutions Ltd. This is to ensure that the internal processes are upholding data protection compliance in a lawful manner. This therefore means implementing a DPIA or data protection impact assessment. This can be completed in a gap analysis as in most cases is fundamentally comprised of the same elements. We have experience as Outsourced data protection officers in a range of industries and sectors. In addition our remote data protection help desk provides support around information security compliance for your school.

Data Protection Guidance for Schools (DPIA) :

A DPIA helps you legitimately analyse your data processing. This is to identify and minimise data protection risks. To reliably establish and assess the level of risk we consider both the likelihood and the severity of any impact on pupils. A DPIA does not have to indicate that all the risks have been eradicated. But it should help you document them and assess whether any remaining risks are justified. We identify what risks need addressing within the school first by prioritising them. This overall provides you with a demonstrable audit trail of your data processing activities.

Safeguard Children’s Data

There are many schools that implement annual audits to help them demonstrably show they are measuring and monitoring their compliance journey. Others take this a step further and have internal audit functions who manage the process. Most schools have a responsibility in house to ensure they are also taking adequate steps to enable them to highlight any key areas of risk to the school and mitigate against this to minimise the eventuality of a breach opening them up to fines under the GDPR.

Data Protection Officer or Outsourced DPO as a service

Data Protection Roadmap

The Primary function of the outsourced DPO as a service is to ensure that the school in question processes personal data of its staff, pupils and providers in compliance with applicable data protection law. All organisations deemed to be a public authority or require regular and systematic monitoring of data subjects including special categories of data are in scope. Schools are public authorities. The guidance given from the ICO (Information Commissioners Office UK) clearly stated that all organisations who fall into scope of the regulations should appoint a DPO or make adequate arrangements to fulfil the requirements of the GDPR. This is because as we move into a more data centric era, responsibilities to comply with information security and the impacts of GDPR and DPA 18 will increase.

Download our free school toolkit for more information on how to implement data protection compliance within your school:

Free Toolkit: https://compliancedirectsolutions.com/data-protection-guidance-toolkit-for-schools/

ICO Guidance: https://ico.org.uk/for-the-public/schools/