Data Protection Obligations for Schools

Data protection is an area of compliance that affects all organisations which collect information about individuals. As well as the risk of significant reputational damage and adverse publicity, educational bodies should note that the Information Commissioner ("ICO") has the power to impose financial penalties of up to £500,000 for serious data protection breaches. This article considers some of the actions that schools can take to minimise the risk of non-compliance.

1. What the DPA applies to

If your school 'processes' any 'personal data' then it will assume the role of a 'data controller' under the Data Protection Act 1998 ("DPA"). This means that the school will be responsible for how that data is processed and it will need to ensure that it complies with the requirements set out in the DPA.

'Personal data' includes any information about an identifiable living individual, such as their personal records, school reports, medical information and exam results. Broadly speaking, 'processing' covers any activity involving that data.

2. Notifying the ICO

Data controllers should notify the ICO of the fact that they are processing personal data and the purposes for which they are processing that data. Failure to notify the ICO could be a criminal offence which carries with it the risk of an unlimited fine. Notification can be carried out online and the fee (which is payable annually) is £35 for the majority of organisations.

3. The data protection principles 

The DPA sets out eight key principles which data controllers must adhere to. Set out below are some of the most important requirements for schools to comply with:

1. Personal data must be processed fairly and only for specified lawful purposes

Schools need to be clear and transparent about how they will use personal data. In order to do this, the school should have a 'fair processing notice' which can be made available to individuals whose personal data you intend to process (referred to as 'data subjects'). The fair processing notice should state:

  • who the data controller is;
  • what types of personal data the school will be collecting; and
  • the purposes for which that data will be collected.

The notice should also provide any other information about the school's use of the personal data (for example, whether it might be passed on to third parties such as council departments) and explain the school's obligations as the data controller and the individual's rights as a data subject.

The school will either need to obtain the individual's consent to processing their personal data or satisfy one of the other legitimate reasons for processing set out in the DPA. In the case of children, it is advisable to also obtain the consent of a parent or guardian (particularly in the case of young children). If the school processes 'sensitive personal data' (such as data relating to race, ethnicity or medical information) then more stringent obligations will apply to its use and the school will either need to obtain the explicit consent of the individual concerned or satisfy one of the DPA's other requirements for processing sensitive personal data.

2. The personal data collected must be adequate, relevant and not excessive, accurate and up to date and it should not be kept for longer than is necessary.

Schools should actively manage the collection, storage and use of data. They should periodically contact individuals to confirm that their data is still accurate and delete information that they no longer require.

3. Data must be processed in accordance with the rights of the data subject

Individuals have the right to ask to see the personal information that a school holds on them (referred to as a 'subject access request'), including information contained in correspondence and notes made by staff. The DPA governs how a data controller must address such a request, including a 40-day time limit for responding.

4. Appropriate security measures must be taken to prevent unauthorised or unlawful access to or use of personal data, or the accidental loss or destruction of, or damage to, that data

It is vital to ensure that your school has adequate physical security in place and appropriate access restrictions to personal data in order to prevent unauthorised access. Filing and storage systems should be kept under lock and key when not in use and electronic devices should be protected by passwords and up-to-date firewalls and anti-virus software.

The ICO advises that where personal data is taken off school premises, procedures should be in place to keep track of it. Portable electronic devices (such as laptops and memory sticks) should be kept in secure locations and the information contained on them should be password protected and encrypted to prevent unauthorised access. Where devices are stolen or lost and the information is not encrypted, the ICO has made it clear that enforcement action will usually follow. In 2013, the ICO fined North East Lincolnshire Council £80,000 after a teacher lost an unencrypted memory stick containing information on hundreds of children with special educational needs.

When it comes to disposing of personal data, paper records should be shredded or pulped and electronic data should be permanently erased. If your school outsources the disposal of its data to a third party, make sure the contract contains sufficient safeguards to ensure that the third party will handle the data appropriately. NHS Surrey was fined £200,000 by the ICO last year when computers containing patient and HR records were found to have been sold on as second-hand equipment after supposedly having been disposed of by a specialist data destruction company.

4. Policies and procedures

The DPA requires 'organisational methods' to be in place to keep data secure. Written policies and procedures will help to demonstrate the school's compliance with the DPA and will help staff and governors to be aware of their data protection responsibilities.

Whatever policies and procedures you do have in place, make sure that they are adequately monitored and enforced and that staff receive sufficient training on how to follow them. One of the grounds on which the ICO found North East Lincolnshire Council to have been at fault was that the council failed to make sure that staff were following its encryption policy.

This information is intended as a general discussion surrounding the topics covered and is for guidance purposes only. It does not constitute legal advice and should not be regarded as a substitute for taking legal advice. DWF is not responsible for any activity undertaken based on this information.