Every school is classed as a Data Controller under the Data Protection Act 1998 because they decide how personal data for which they are responsible is processed. Each school and every employee has a legal duty to protect the privacy of information relating to individuals that it processes.
The Data Protection Act 1998 sets standards (eight data protection principles) which must be met when processing personal data or information that will identify an individual.
The act also gives rights to the individual the information is about i.e. the right of subject access which lets individuals find out what information is held about them (see below).
The eight data protection principles state that personal data must be:
- obtained and processed fairly and lawfully
- held only for specified purpose(s)
- adequate, relevant and not excessive
- accurate and kept up-to-date
- held no longer than necessary
- processed in accordance with the rights of the data subject
- subject to appropriate security measures
- only transferred to countries that have suitable data protection controls.
These principles apply to anyone who handles or who has access to information concerning individuals.
All schools must have a Data Protection Policy (DOC, 45.0 KB) together with procedures for accessing personal information (DOC, 58.5 KB).
To comply with the eight principles, every school must register the reasons for processing personal information with the Information Commissioners office. This is called Notification. Failure to notify is a criminal offence.
For details on how to notify visit the Information Commissioner's website, where you can complete an online form or telephone 01625 545745 for a hard copy form to be sent in the post. There is an annual fee of £35/£500 depending on the size and turnover at the school.
Either method will enable you to request a standard template for schools. If you choose to use the template the details provided should be checked, and any amendments made as necessary. When completing the template try to consider every likely consequence of the information to be held, how it will be used and with whom it may be shared.
Pupil Referral Units (PRU) are considered to be data controllers in their own right. To meet the data protection principles every PRU, like schools, must register the reason for processing personal information with the Information Commissioner's Office
Privacy notice guidance
The first principle of the Data Protection Act 1998 states that data controllers must process personal data fairly and lawfully.
To keep to the first principle of the Data Protection Act, schools should issue a privacy notice to all parents and/or pupils, to explain how their information is going to be used. We must be fair and transparent with people when collecting and using their personal information. It is good practice to put yourself in the position of the people you're collecting information about. Ask yourself: would they know who is collecting the information, would they understand why it's being collected, would they understand the implications, would they be likely to object or complain?
Request for personal information (Subject access request)
Section 7 of the Data Protection Act gives individuals a right of access to their own personal information that is held about them by an organisation. This right is known as 'subject access'. Under this right and individual is entitled only to their own personal information and not to information relating to other people (unless they are acting on behalf of that person).
Request for education records
The Education (Pupil Information) Regulations 2005 gives parents a right to the official education records for their child. A fee of up to £50 for photocopying may be charged (see scale of fees below) and the school must respond within 15 school days from date of receipt of request.
|Number of pages||Maximum fee|
Data protection and photography in schools
Policy and guidance (PDF, 1.8 MB) is available for Kent schools, settings and Kent County Council services on the use of photographic images of children. Look at the e-safety pages for more guidance and information.
Parents wishing to capture the moment their child crosses the finish line at their school sports day should not be deterred by data protection myths. The Information Commissioner's Office (ICO) is reminding parents that the Data Protection Act does not prevent them taking photographs of their children and friends participating in school events. Read the full press release
Information Commissioner produces advice for schools on data protection
A survey of 400 schools across nine local authority areas showed that schools need to pay more attention to complying with data protection law. One finding from the survey showed that a third of schools with password protected computer systems were using passwords that were not necessarily strong enough or changed regularly.
This survey prompted guidance and advice (PDF, 492.2 KB) delivered to schools by the Information Commissioner Office in 2012.
Information Commissioner's Office
You can visit the Information Commissioner's Office for more information about the Data Protection Act and for training toolkits.
Data protection enquiries
Please email firstname.lastname@example.org if you have any questions relating to data protection in your school or setting.