Keeping Schools and Trusts UK GDPR Compliant and a Special Focus on Governance

Posted 15th January 2025

This is a summary taken from Judicium’s GDPR ‘Sofa Session’ from the 15th of January, with our Data Protection Consultant Claire Lockyer. This session covered schools’ responsibility for UK GDPR compliance, data requests, and handling sensitive and confidential information effectively.

The introduction of the UK General Data Protection Regulation (GDPR) marked a turning point in how organisations handle personal data. For schools and trusts, ensuring compliance is not just about meeting legal requirements; it's about fostering transparency, accountability, and trust within their communities.

In this blog, we’ll explore how schools and trusts can remain UK GDPR compliant, with a particular focus on governance – essentially the systems of rules, practices, and processes used to direct and control data protection within educational settings.

What is the objective of UK GDPR?

At its core, GDPR exists to:
  1. Protect the personal data of individuals and safeguard their privacy.
  2. Enhance transparency and accountability in how personal data is handled.

To meet these objectives, schools and trusts must first understand what personal data is and the types they process.

Personal Data

Types of Personal Data in Schools and Trusts:

  • Personal Data: Information that can directly or indirectly identify a person
    • e.g., names, addresses, contact details, or student records
  • Special Categories of Personal Data: More sensitive data like health records, ethnic background, political opinions, or religious beliefs that require additional protections.

Examples of data processed in schools and trusts include:

  • Student data: Academic records, health and attendance records.
  • Staff data: Payroll information, disciplinary records, background checks.

Conducting an Audit of Data Processing Activities

The first step toward compliance—and a best practice—is conducting a comprehensive audit of data processing activities.
  • What to Identify:
    • What personal data is collected.
    • Why it is collected.
    • How it is stored.
    • Who it is shared with.

In larger organisations, this might involve delegating audits to departments like HR, Finance, or IT, while smaller schools could distribute simple questionnaires to staff. Maintaining this as a “living document” ensures the data map stays current. While an annual review is a good start, the ideal scenario is for staff to consistently update records as data use changes.

Once you know what data you are processing, you can start to investigate the more technical side. This is where you will want to lean on your DPO, but as a high-level overview, the next thing to establish is the lawful basis for processing: you need one for every piece of processing you do.

Know Your Lawful Basis for Processing

Under UK GDPR, schools and trusts must have a lawful basis for every instance of data processing. Common lawful bases include:

  1. Consent: Explicit permission from individuals.
  2. Contractual Obligation: To fulfil contracts, such as delivering education services.
  3. Legal Obligation: Complying with legal requirements (e.g., reporting to Ofsted).
  4. Vital Interests: To protect someone’s life.
  5. Public Task: Processing necessary for education provision or other public interest tasks.
  6. Legitimate Interests: Data processing that supports safeguarding or other legitimate purposes.

A Note on Consent:

Consent is often misunderstood. While it must be freely given, informed, and unambiguous, it’s not always the most appropriate basis. For example, sharing data externally doesn’t always require consent if another lawful basis applies (e.g., legal obligation). Schools must carefully document their lawful bases and be prepared to justify them.

Subject Access Requests:

A Subject Access Request (SAR) gives a very specific kind of access: access to your own personal data. The right to make a SAR is one of the rights individuals are granted under UK GDPR. Without doubt, SARs are the requests we see most often, but there are other rights, all of which staff need to be familiar with (or at the very least know how to recognise) so that, when a request is received, it can be complied with.

Regular Staff Training

Compliance starts with education. Staff, governors, and trustees must understand UK GDPR principles, policies, and the rights of data subjects. Regular training sessions help to:
  • Foster a culture of data privacy and security.
  • Enable staff to identify potential data protection risks and respond appropriately.
  • Build confidence in handling Subject Access Requests (SARs), which allow individuals (or parents on behalf of children) to access their personal data.

Provide staff with practical resources such as checklists or flowcharts for handling data appropriately. Combine formal training with ongoing awareness initiatives to create a long-term data protection culture.

Policies and Procedures

Having the right policies and procedures in place is key. Ensure they are:
  • Reviewed regularly: Policies should be updated as data protection laws evolve.
  • Accessible: A central repository (such as a shared drive or staff room folder) ensures staff can easily find guidance.

Some schools opt for mandatory policy signoffs, but creating a culture where staff proactively refer to the policies often yields better results.

Data Subject Rights Under UK GDPR

  1. Right to Access: Individuals (students, staff, parents) can request access to their personal data.
  2. Right to Rectification: Individuals can ask for inaccurate data to be corrected.
  3. Right to Erasure (Right to be Forgotten): Under certain conditions, individuals can request that their data be deleted.
  4. Right to Restrict Processing: Individuals can request restrictions on how their data is used.
  5. Right to Data Portability: The right to obtain personal data in a structured, commonly used format and transfer it to another controller.
  6. Right to Object: Individuals can object to the processing of their data under certain conditions.

Appoint a Data Protection Officer (DPO)

Schools and trusts are required to appoint a DPO to oversee data protection. The DPO should:
  • Coordinate audits and assess compliance risks.
  • Develop processes to mitigate risks, including breach reporting procedures.
  • Act as the central point of contact for data protection queries and concerns.

Many schools find it helpful to designate data champions in individual academies or departments who liaise with the DPO.

Don’t forget that when looking at risk, IT systems are in scope too. Do you have measures in place to mitigate the risks? Mistakes and breaches will happen; the key is to be able to evidence that potential risks were identified and mitigations put in place. Avoid situations where wholly preventable issues occur – that is when the ICO comes down hard.

Consequences of Non-Compliance

Failing to comply with GDPR can have serious consequences:
  • Financial Penalties: Fines can reach up to £17.5 million or 4% of annual turnover.
  • Reputational Damage: A breach can severely impact the trust and reputation of a school or trust.
  • Legal Risks: Individuals can take legal action for violations of their privacy rights.

GDPR in Action: A Real-Life Example

Consider this scenario:

A school’s IT system was breached, exposing sensitive personal data. Thanks to a proactive approach, the school:
  1. Conducted a Data Protection Impact Assessment (DPIA) before implementing the system.
  2. Reported the breach to the ICO within 72 hours.
  3. Communicated transparently with affected individuals.

As a result, the school avoided fines and demonstrated strong governance and compliance measures.

Key Tools for Compliance

To summarise, here are some actionable tips for ensuring compliance:

  1. Update Privacy Notices: Ensure privacy notices are clear, accessible, and tailored to stakeholders (students, parents, staff).
  2. Enhance Data Security: Use encryption, secure networks, strong passwords, and restrict access to sensitive data.
  3. Maintain a Record of Processing Activities (ROPA): Document data processing activities, sharing practices, and retention periods.
  4. Monitor Compliance Regularly: Set up processes for regular reviews and risk assessments.

Final Thoughts

Compliance with GDPR is not a one-time task but an ongoing commitment. By building a culture of data protection, schools and trusts can safeguard personal data, maintain trust, and avoid the pitfalls of non-compliance.

With a clear strategy—anchored in governance, training, and robust processes—schools and trusts can confidently navigate the complexities of GDPR and create a secure environment for all stakeholders.

Additional Info

Sofa Session Notes ‘A Guide to Subject Access Requests in 45 Minutes’

Sofa Session Notes ‘Tricky Subject Access Requests’

Sofa Session Notes ‘Data Implications of CCTV Usage’

You can find information regarding our Data Protection Officer (DPO) service here.

Jedu is Judicium's online GDPR compliance tracking software for schools. Our platform is suitable for single schools to large MATs and is designed to assist schools with two critical needs: to enable trustees, governors and other SLT to monitor GDPR compliance; and to assist you in managing your data protection.

If you would like more information on how we can support you or more information regarding Jedu, please get in touch with us.

If you require any support in any of these steps or would like to talk to someone about support for your school, please do not hesitate to call us on 0345 548 7000 or email georgina.decosta@judicium.com.

© This content is the exclusive property of Judicium Education. The works are intended to provide an overview of the sofa session you attend and/or to be a learning aid to assist you and your school. However, any redistribution or reproduction of part or all of the contents in any form is prohibited. You may not, except with our express written permission, distribute or exploit the content. Failure to follow this guidance may result in Judicium preventing your access to our sessions and/or follow-up content.
