School Data Protection Policy: A Step by Step Guide

The importance of data within the education sector has changed significantly in recent years. Schools collate more useful information than ever before from pupils, staff, parents and visitors. This valuable data serves practical, everyday purposes, and is also used for monitoring the progress of students and determining improvements that lead to greater efficiency.

To match this growing use of data, relevant school policies need to be audited and updated to ensure they comply with changing regulations. Make sure your school data protection policy is robust and exhaustive with our step-by-step guide. 

  • Step One: Educate and Raise Awareness
  • Step Two: Creating a High-Level Data Map
  • Step Three: Collecting Data and Special Categories
  • Step Four: Data Retention
  • Step Five: Establish Data Protection Officers to Reduce Risk
  • Step Six: Inform Data Subjects and Monitor Future Policy Changes

Step One: Educate and Raise Awareness

All staff should know what personal data actually is and what their duties are when handling it. In many instances, it may just be a case of refreshing information that staff previously learned during training. 

They need to be aware of the permissions regarding data and understand the consequences of it falling into the wrong hands. Highlight how easy it is for data to be lost or stolen if they don’t follow the correct practices. This reminder of responsibility is relevant to all members of staff who encounter personal data.

Senior members of the school hierarchy have more control of the data and how it’s used. They also need to review high-level data maps, understand the laws regarding data usage, minimise its storage and safely destroy it once it’s no longer needed. 

Step Two: Creating a High-Level Data Map

Data maps give an overview of how your school is currently managing data. If there isn’t already one in place, then you’ll need to log the different places that personal data is stored, who interacts with it and what it’s used for.  

This is also a good opportunity to remind staff of the kind of information that falls under ‘personal data’. As well as more obvious items like contact details and curriculum tools, there are several others to be aware of. The government has published a full list, but some other examples include social care, catering management, photographs and payment information.

Make sure the data map is shared with all members of staff. They might notice gaps that need addressing or possible missed information. Sharing it with everyone responsible ensures they’re all fully aware of their role and what the correct processes are. 

The map can be used to identify possible compliance risks and areas where data management might be an issue. The questions raised from this lead to policy improvements that protect the school and the data it stores. 

Step Three: Collecting Data and Special Categories

Any time that data is collected from a pupil, parent or visitor, it’s vital you know why it’s being stored. 

No matter the scenario, consider whether or not this data has to be legally processed. In some instances, you might decide that information has to be passed on to a third party for safeguarding purposes. Information like this should be shared because it helps to inform decisions that are made about a child’s welfare.

However, share data for business interests and you’ll breach privacy laws. Data is shared with you on the assumption that it’ll be stored appropriately.

Special category information like a person’s ethnicity, religion and sexual orientation is subject to strict privacy laws and should be handled sensitively if provided. 

Step Four: Data Retention

As part of your school data protection policy, establish how long data is retained before it’s minimised or removed entirely. There’s no need to keep detailed records of pupils that have long since left the school, for example. 

There’s no definite time period that’s correct when it comes to data retention. You’ll need to find a length of time that feels both necessary and appropriate. Host an event at the school and you might store data for around a month. For pupils, it might be for a year after they’ve left to allow for a smooth transition period to their next school. 

With any sensitive information, consider why you’re holding this data, whether you’re legally obligated to and what the school’s responsibility is. The government recommends reducing the sensitivity of data over time by blurring details. This means removing specifics and making information a little more general.

For example, rather than keeping a pupil’s name and date of birth, remove their name and only store the year they left the school. Keep generic identifiers like gender, which can be used for statistical analysis, but reduce specifics to protect the pupil’s data. 

It’s always better to keep the minimum amount of personal information that’s needed. If someone needs to access the records of pupil ages, for example, then do they require full dates of birth or can they manage with just the years they were present at school?

Step Five: Establish Data Protection Officers to Reduce Risk

Breaches occur wherever data is stored. Schools, businesses, charities - if there’s sensitive data that can be accessed then someone might be trying to take it. These breaches take place because of targeted action by hackers or something as simple as an infected USB stick. 

To reduce risk, ensure staff are aware of the importance of cybersecurity and handling data in the correct way. Appoint a Data Protection Officer (DPO) who is responsible for advising members of the school hierarchy. They should be knowledgeable about data security, GDPR and school operations to allow them to take necessary precautions. 

The DPO can be a new responsibility for an existing member of your team who already has relevant expertise. Hiring a DPO can be costly for schools, so we’d advise collaborating with other schools, sharing the cost and having a DPO that works across a larger group.

Step Six: Inform Data Subjects and Monitor Future Policy Changes

A key aspect of the policy needs to be how you intend to communicate it to your data subjects. They have the right to be informed of the data you have and to access it if they wish. For example, Subject Access Requests might be issued to your school when a parent wants to know the information you have on their child.

Parents should know exactly what information you intend to store and what it might be used for in the future. Outlining the reason for data storage is more likely to avoid any possible confusion or unhappiness in the future. 

Once you’ve audited your existing data protection policy and ensured that it meets all necessary regulations, the final thing to do is consider when this process will next take place. Government policies are changing all the time and you’ll need to make certain that you’re always up to date.

This means making further adjustments, or even full audits, in the future to make sure that your school data protection policy safeguards pupils, parents and staff. 

Additional Resources:

Upcoming CPD:

Learn more about your school data and GDPR responsibilities and make practical amendments to your current strategy to ensure compliance at our Improving Data Protection and Safeguarding Compliance in Your School training day on 20th June 2023.

Our Guide to Safeguarding:

Data is just one aspect of a child’s wellbeing that you’re responsible for. Although staff might have covered safeguarding during their training, it’s a crucial part of their role they simply can’t overlook.

For all the essential information you need on modern safeguarding in schools and your key responsibilities as educators, download our free guide today. 
