What do I need to know about GDPR?


You will have heard about the General Data Protection Regulation (GDPR) but might be unsure about your role in data protection at your school. Essentially, GDPR is designed to protect personal data stored on computers, organised filing systems and to give people more control over data which is held about them.

As a teacher, you will be accessing pupil data on a daily basis on management information systems (such as SIMs) and working with sensitive personal information. In this article, we provide an overview of GDPR, look at data protection principles and look at how you can protect yourself when using pupil data in school.

What is GDPR?

GDPR replaced the Data Protection Act 1998, which was brought into law as a way to implement the 1995 EU Data Protection Directive. GDPR seeks to give people more control over how organisations use their data, and introduced hefty penalties for organisations that fail to comply with the rules, and for those that suffer data breaches.

Since 25 May 2018, any data subject (that’s someone whose data the school holds) can exercise certain rights with regards to their data. This means that a parent could ask for a school to produce all data it currently holds on their child, or a job applicant could ask you to erase all their details. Under the law an individual could ask for their data in a portable form so they can pass it on to another organisation.

Schools are legally obliged to carry out these request within 28 days of the request. In addition, the £10 fee for data requests has been waived.

What are data protection principles?

Everyone responsible for using data has to follow strict rules called ‘data protection principles’. They must make sure the information is:

  • Used fairly and lawfully
  • Used for limited, specifically stated purposes
  • Used in a way that is adequate, relevant and not excessive
  • Accurate
  • Kept for no longer than is absolutely necessary
  • Handled according to people’s data protection rights
  • Kept safe and secure

Most large secondary schools will have a data management or systems manager who will ensure that the school and members of staff are following the data protection principles. If you are ever unsure about how to use pupil data safely they will be a good person to talk to.

How can I ensure I am following data protection principles at my school?

You should follow your school’s data management policy which should outline details about the correct way to access and use pupil information. Some practical ways to ensure you are following data protection principles include:

  • Do not leave your laptop open without password protection when you leave your classroom
  • Do not leave personal pupil data on your desk and make sure you tidy away on documents which contain personal information at the end of each day
  • Ensure you ask for parental consent when taking photos and videos in the classroom
  • Ensure you keep track of any memory sticks or external drives which may contain pupil data. If possible, you should not transfer pupil data to external drives in case they go missing
  • Any physical spreadsheets which may contain pupil data should be shredded after use

GDPR: what are the key changes for school leaders?

  • Demonstrate compliance: schools need to document every system used to process personal data. They also need to map how this data is transferred to other systems or any third parties.
  • Appoint DPO: schools must appoint a Data Protection Officer (DPO) to ensure that their school is fully compliant to the new regulations
  • Processor agreements: for any third-party processors you must have contracts in place stipulating that personal data is handled in compliance with the GDPR.  
  • Reporting a data breach: if personal data has been put at risk, you may be required to inform the ICO, and in some cases, the individual at risk. This should be done within 72 hours of the breach being discovered.
  • Staff training: despite the best efforts of the DPO in using compliant processes, these are only as secure as the people using them. Making sure staff are trained and there is a culture of data compliance is crucial.

Key changes for teachers:

  • Reporting a breach: teachers must understand what constitutes a breach and, if they suspect a breach has occurred, report it to their DPO.
  • Introducing new systems: if teachers want to introduce a new piece of subject-specific software or use any new processing system there needs to be a clear process in place to inform the DPO and ensure it is done compliantly.

If you have any questions about GDPR and how it affects your role you can contact us for more information.

Was this article helpful?

The information contained within this article is not a complete or final statement of the law.
While Edapt has sought to ensure that the information is accurate and up-to-date, it is not responsible and will not be held liable for any inaccuracies and their consequences, including any loss arising from relying on this information. This article may contain information sourced from public sector bodies and licensed under the Open Government Licence. If you are an Edapt subscriber with an employment-related issue, please contact us and we will be able to refer you to one of our caseworkers.