Skip to main content

This blog post was published under the 2015-2024 Conservative Administration

General Data Protection Regulation: Evolution or Revolution for Schools?

Posted by: , Posted on: - Categories: Data protection and management

Finger pressing enter on a keyboard

Like the DfE, many schools are increasingly talking about General Data Protection Regulation (GDPR) - the beefing up of data protection, which will be written into law in May 2018.

The obvious question is: “where do I start?”  Typically, the first place most people begin is by reading the Information Commissioner’s Office (ICO) overview of the GDPR and GDPR: 12 steps to take now, and are thinking, “what does this mean for us?”

Whether the new regulation represent revolution or evolution for your organisation depends on current practice, but generally speaking I’d recommend 3 things:

1. Focus on why this is important

Sure, it’s legislation, and there are potential fines for serious breaches, but for most schools the focus should be on the third word in the title: ‘Protection’. It’s about keeping the large volumes of sensitive data about young and sometimes vulnerable children safe.  A pretty essential thing to do well, and something that can help get your staff engaged in a more effective way than quoting mandatory work just to comply.

2. Work out what’s new about the regulations

In particular, there is a shift in emphasis which means that data controllers, like schools, not only need robust processes and controls, but need to be more pro-active in demonstrating them.  There are also more things considered as sensitive data, and the bar is raised on where citizens should have transparency and choice about where their data goes.

3. Understand your school's data ecosystem

Any data controller should be on top of protecting sensitive data know where it is stored, where it goes, and what is done with it. Can you draw that for your school or organisation?

Initial steps to take now

Working with the head teacher and business manager, here’s how we went about it at Dobcroft Infant School…

Step 1: Think where personal data is captured during school life – this is likely to include admissions, parental forms, assessment, school trips etc.

 Step 2: Think about where that data is used – generally it’s for contacting people, for tracking education, or for maintaining regular school facilities and activities like libraries and canteens.  Several, but not all of your systems, may interconnect with the core management information system (MIS).

 Step 3: Think who you share that data with – for schools this commonly includes local authorities, multi-academy trusts, the DfE and beyond.

Building a picture of your new data landscape

You might already have that picture.  You might not, and if not, just have a go…you won’t get it right first time, but show it to a few colleagues across the school, iterate it a few times with them and you’ll be that bit closer to de-mystifying GDPR.

The working version at our infant school is looking like this:

Data landscape

That overview sets us up for the next task – showing where the sensitive data is in that ecosystem, and the associated security.

Looking ahead, schools will want to think about how we evolve our privacy notices and messages to parents. Investing some time now in doing the work outlined above will be a good step to support communicating to parents and pupils about what data you process and why.

The role of Data Protection Officers under GDPR

There’s also plenty to think about in terms of an appropriate Data Protection Officer role - the focus of which shifts slightly under the proposed GDPR towards managing subject access requests, ensuring staff are aware and up to date with their responsibilities and the legal principles under which data is processed.

As the education sector prepares for May 2018, whilst DfE cannot give advice to individual schools, we will be talking with the ICO about the top issues schools ask and we’ll make sure to blog further thoughts and recommendations. Online forums can also help the sector collaborate and share approaches and questions about data protection, data handling and GDPR.


Sharing and comments

Share this page


  1. Comment by Christine Jackson posted on

    Interesting starter for ten. I think the challenge is in the new accountability requirement. Recording what's done with the data, who it's shared with, the legal grounds for each type of processing etc renders the task a bit more complex. But it isn't difficult.

  2. Comment by Peter Richmond posted on

    Is it the core role of the Local authority to produce a model policy for schools re GDPR?

  3. Comment by Tom Meiklejohn posted on

    There is good guidance out there with regard to the legal basis for processing of data that falls under article 6 of GDPR (where special categories are not included) but much of the data that is processed can fall under article 9 (special categories of information). It is unfortunate that paragraph 2(h) couldn't have been extended to the education sector as this would have made determining the legal basis much simpler. As it is there doesn't seem to be anything within article 9 other than consent that can be used as a legal basis for processing this information (SEN, health, even just recording ethnicity) so there's a lot of head-scratching going on here.

  4. Comment by Jenny posted on

    We have been told that we will no longer be able to use paper based mark books outside of school as they would contain student information ie names, target grades, grades etc and they are insecure.

    Is that correct? Because if that is the case then surely we will not be able to take books home to mark either as they contain the same data.

  5. Comment by Kala Schuemann posted on

    I was curious if you ever considered changing the page layout of your blog? Its very well written; I love what youve got to say. But maybe you could a little more in the way of content so people could connect with it better. Youve got an awful lot of text for only having 1 or 2 images. Maybe you could space it out better?
    Kala Schuemann

  6. Comment by Jacqui posted on

    there are data items that a school holds about a pupil that are not classed as special category data in GDPR but are to be treated as such.
    eg. A pupil's Additional Learning Needs, a pupil's image or a pupil's looked after status
    however i cannot find a list of such items - can you help?