You should be mindful of data protection issues when sharing personal data. This is the case even where such sharing takes place in order to comply with mandatory regulatory or legal requirements, for example when reporting a concern to Children's Services or sharing data with the ISI in connection with an inspection.
In particular, you should ensure that you are complying with the information security requirements of data protection law.
Many organisations will provide platforms to enable information to be shared confidentially, for example a secure file transfer service or secure email. Although this is the case, a school must still be satisfied that the method used by the academy is robust. In most cases, we would expect schools to conclude that what is offered is sufficiently secure, but if in doubt, the data should be encrypted before it is transferred. This will help ensure that the data remains secure, even if there is a security breach (for example if the secure email platform is accessed by a hacker).
Individuals can make a request for a copy of the information held about them, and in some cases, a copy of information held about their child (a subject access request - SAR). As any person who has had to deal with such a request will know, SARs can take up a lot of time and effort and are often used by individuals to 'fish' for information that may be relevant to an ongoing dispute or claim.
Schools have 40 calendar days to respond to a SAR. Unlike Freedom of Information Act requests, which are relevant to academies and maintained schools, there is no exemption for non-school days when it comes to SARs.
This means that if a school receives a request shortly before the start of the summer holidays it cannot wait until the new term starts in September before responding. You should therefore ensure that your staff are trained to spot SARs so that they can be dealt with promptly and in good time before the school breaks up.
Our compliance management solution, My OnStream, includes two data protection e-learning modules for staff. The first covers the data protection essentials and the second focuses on information security. These modules provide practical guidance to staff on a wide range of data issues including those set out above.