Providing accessible information to individuals about the use of personal data is a key element of the Data Protection Act 2018 and General Data Protection Regulation.
The Department for Education have provided guidance notes for Local Authorities and Providers.
Data protection
Data from which it is possible to identify children (in any medium, including within a Management Information System) is personal data. Such personal data must be managed in line with the requirements of the Data Protection Act 2018 (the Act). Data Controllers must make sure that their data handling rules keep to the Act and that staff understand these. Local authorities should advise providers about their responsibility to hold data in line with the Act, including the requirement to issue parents with a fair processing notice explaining how their data and data about their child is to be used.
The Act puts in place safeguards about the use of personal data by organisations, including the department, local authorities and schools. The Act gives rights to those (known as data subjects) about whom data is held, such as pupils, their parents and teachers. This includes:
- the right to know the types of data being held
- why it is being held
- to whom it may be communicated
A privacy notice is a good way to be able to meet data subjects’ rights and therefore the department recommends that these are used to explain to children and staff how their data is being used in the census collections including the school workforce, early years census and school census. The department has drafted template privacy notices that providers and local authorities may wish to use. However, the template notices will need to be reviewed and, where necessary, amended to reflect business need. Ideally the privacy notice will include a link to the GOV.UK webpage on how the department collects and shares data.
It is strongly recommended that the privacy notice be included as part of an induction pack for staff and made available to parents through the provider’s website, as well as potentially featured on the staff notice board or intranet. They do not need to be issued on an annual basis as long as new children and staff are made aware of the notices and they are readily available electronically or in paper format.
Legal Duties under the Data Protection Act 2018 (the Act): data security
Providers and local authorities have a legal duty under the Act to make sure that personal data is processed securely. Processing is the collection, handling (use), storage, transmission and deletion of data. More information is available from the Information Commissioner's Office.
If personal data is not properly safeguarded it could damage your reputation and compromise the safety of individuals. Your responsibility as a data controller / processor extends to those who have access to your data beyond your organisation if working on your behalf, that is, if external IT suppliers can remotely access your information.
The "10 steps to cyber security" and "responsible for information" pages provide further guidance and advice. It is vital that all staff with access to personal data understand the importance of protecting it; that they are familiar with your security policy; and that they put security procedures into practice.
It is recommended that you provide appropriate initial and refresher training. More information on handling data securely is available in the DfE guidance on data protection for schools considering cloud software services.