• Contact Us

GDPR - Six Months on, What Have We Learnt?

on Monday, 17 December 2018.

We look at the key data protection issues that academy trusts have been facing since the new data protection regime came into force in May.


We are often asked whether consent should be sought before taking and using photographs.

The answer will often turn on how privacy intrusive the photograph (or its use) is. For example, a photograph featured on the front cover of a school or academy trust's prospectus will likely require consent but not usually if the photo was being used on an internal display at a school.

NB - if consent is not sought the academy trust should still be transparent about its practices so that individuals have an opportunity to object. 

Privacy Notices Are Essential

A lot of academy trusts have not yet put in place compliant privacy notices. The purpose of the privacy notice is to set out how you use personal information.

Not only is the provision of privacy notice information a legal requirement but they are also useful in relation to disputes. For example, a parent with an ongoing dispute may seek to argue that the academy trust has breached its data protection obligations through not being transparent regarding how the parent's data is used by the school as an additional strand to the complaint. If the academy trust can show that what the parent has complained about is covered in the privacy notice then this will often go a long way to rebutting the alleged non-compliance. 

Data Breaches - Getting the Essentials Right

A number of academy trusts have fallen victim to cyber-attacks. These range from phishing emails, through to remote attacks made against your network and IT infrastructure. Attacks are often successful due to academy trusts failing to provide essential training to staff or failing to take basic steps to secure their network.

You should therefore ensure that you have done enough to protect your systems from attack. The GDPR contains explicit obligations around information security, for example, in relation to documentation, encryption, back-ups, and ongoing testing and assessment and you should have regard to these in particular.

Subject Access Requests Are Not Getting Any Easier

Subject access requests (SARs) remain by far the most common type of request made against a school or academy trust, despite the abundance of new rights granted under the GDPR.

Of particular note is that the exemption which allowed academy trusts to withhold third party information (ie, where third party data is mixed with the requester's) under a SAR no longer applies if the third party is 'a teacher or other employee at the school' (or academy trust where applicable).

This is a significant change which makes it more difficult to lawfully withhold staff information, for example, in circumstances where an academy trust wanted to withhold the identity of a whistleblower. However, this is not to say that third party staff data must necessarily be disclosed in all cases, in some situations there may be alternative exemptions which would be applicable.

Do you need help with any of the issues outlined above? Please contact Claire Hall, in our Data Protection team, on 0117 314 5279.