
The GDPR - 1 Year on, What Are the Key Lessons for Schools?

on Monday, 24 June 2019.

What are the key data protection issues that schools have been facing since the new data protection regime came into force in May 2018?


We are often asked whether consent should be sought before taking and using photographs. The answer will often turn on how privacy-intrusive the photograph (or its use) is.

For example, a photograph featured on the front cover of a school's prospectus will likely require consent, but a photograph used on an internal display at the school usually will not.

NB - if consent is not sought, you should still be transparent about your practices so that individuals have an opportunity to object.

Privacy Notices Are Essential

We are finding that a lot of schools have not yet put in place compliant privacy notices. The purpose of the privacy notice is to set out how the school uses personal information. Not only is the provision of privacy notice information a legal requirement but schools are also finding they are useful in relation to disputes.

For example, a parent with an ongoing dispute may seek to argue that the school has breached its data protection obligations through not being transparent regarding how the parent's data is used as an additional strand to the complaint. If the school can show that what the parent has complained about is covered in the privacy notice, then this will often go a long way to rebutting the alleged non-compliance.



Data Breaches - Getting the Essentials Right

A number of schools have fallen victim to cyber-attacks. These range from phishing emails, through to remote attacks made against the school's network and IT infrastructure. We have found that attacks are often successful through schools failing to provide essential training to staff or failing to take basic steps to secure the school's network.

You should therefore ensure that you have done enough to protect your systems from attack. The GDPR contains explicit obligations around information security, for example, in relation to documentation, encryption, back-ups, and ongoing testing and assessment, and schools should have regard to these in particular.

Subject Access Requests Aren't Getting Any Easier

Subject access requests (SARs) remain by far the most common type of request made against a school despite the abundance of new rights granted under the GDPR.

Of particular note is that the exemption which allowed a school to withhold third party information (i.e., where third party data is mixed with the requester's) under a SAR no longer applies if the third party is "a teacher or other employee at the school".

This is a significant change which makes it more difficult to lawfully withhold staff information, for example, in circumstances where a school wanted to withhold the identity of a whistleblower. However, this is not to say that third party staff data must necessarily be disclosed in all cases; in some situations there may be alternative exemptions which would be applicable.

Alumni Relations

A school will often use the same alumni database as its alumni society. In these circumstances, it is not always clear who 'owns' the data as between the school and the society (or to use data protection terminology, who the data controller is). That the school may physically control the database is not determinative.

A risk is that the society argues that it, and not the school, is the controller. If the society is right, then the school would have no right to use the data for its own purposes. A data sharing agreement between the school and the society can help to regularise the relationship. An agreement should, in particular, make it clear that the school is a controller of the data (if indeed this is the case) to prevent any dispute further down the line. Often these agreements provide that both the school and the society are controllers.

Do you need help with any of the issues outlined above? Please contact Claire Hall, in our Data Protection team, on 0117 314 5279 or complete the below form.
