What data protection means for schools

data protection legislation, and who and what it’s intended to protect good data protection practices ensure that an organisation and the individuals within it can be trusted to collect, store, and use personal data fairly, safely, and lawfully data protection law all those who process others’ personal data have to follow strict rules these rules are set primarily by the uk general data protection regulation (uk gdpr) the data protection act 2018 (dpa) data protection principles the uk gdpr sets out 7 key principles that should guide you in processing personal data those principles are lawfulness, fairness and transparency purpose limitation data minimisation accuracy storage limitation integrity and confidentiality (security) accountability you can read more about the personal data processing principles on the website of the information commissioner’s office (ico) the {{ico}} is the independent body that upholds the uk’s information rights personal data personal data is information that relates to an identified or identifiable living individual in a school, examples of personal data include identity details (for example, a name, title or role) contact details (for example, an address or a telephone number) information about pupil behaviour and attendance assessment and exam results staff recruitment information staff contracts staff development reviews staff and pupil references special category data special category data is personal data that’s considered more sensitive and given greater protection in law special category data includes racial or ethnic origin political opinions religious or philosophical beliefs trade union membership genetic information biometric information (for example, a fingerprint) health matters (for example, medical information) sexual matters or sexual orientation in a school, it would be best practice to also treat as special category data any personal data about a safeguarding matter pupils in receipt of pupil premium pupils with special educational needs and disability (send) children in need (cin) children looked after by a local authority (cla) criminal offence data criminal offence data is personal data that’s treated in a similarly sensitive way to special category data it records criminal convictions and offences or related security measures criminal offence data includes the alleged committing of an offence the legal proceedings for an offence that was committed or alleged to have been committed, including sentencing schools process criminal offence data in storing the outcome of a disclosure and barring service (dbs) check on their employees, non employed staff and volunteers as this data relates to criminal convictions, collecting and retaining it means the school is processing criminal offence data this applies even though the check has not revealed any conviction you can read about handling dbs data in the statutory guidance on keeping children safe in education data subjects schools collect, store and use personal data about a variety of individuals in this context, those individuals are known as data subjects a school’s data subjects include pupils and former pupils parents and carers employees and non employed staff governors and trustees local authority personnel volunteers, visitors and applicants data assets schools hold personal data in several forms these are collectively known as its data assets data assets comprise data items – single pieces of information data item groups – data items about the same process data sets – collections of related data that can be manipulated as a unit by a computer systems – administrative software system groups – the larger systems housing administrative software personal data breaches a data breach is a security incident that results in personal data a school holds being lost or stolen destroyed without consent changed without consent accessed by someone without permission data breaches can be deliberate or accidental a breach is about more than just losing personal data