GDPR: General Data Protection Regulation

The General Data Protection Regulation (GDPR) is now in effect and covers all countries within the EU and will be adopted by the UK. It is heavily based on the Data Protection Act 1998 but will lead to schools having to refine their approach to Data Protection, as it brings many enhancements to the rights of individuals with regard to their personal data. At its heart the GDPR changes the importance of Data Protection and emphasises accountability. Making Data Protection important means that as a school we will employ ‘Privacy by Design’ – thinking about how we use data in everything we do. There is also an emphasis on accountability which will inevitably mean that as a school we will have to increase the amount of documentation we use to record procedures and issues. As a school we have been developing our approach to ensuring that we are fully compliant with GDPR and the aim of this page is to outline our GDPR compliance and share resources to explain the implications of GDPR as well as what it means for schools.

The Information Commissioner’s Office (ICO) is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

  • Discover what data we are holding, where it is stored, why we hold it, who it is shared with and who in the school organisation has access to it.
  • Manage the data held and processed in school by robust policies and procedures that are clear and transparent.
  • Protect all data held through appropriate systems.
  • Report what is done with data and record how data is discovered, managed and protected.

There are 6 key principles to the GDPR that schools are accountable for:

  • There must be a lawful reason for collecting personal data and it must be done in a fair and transparent way.
  • Data must only be used for the reason it is initially obtained.
  • No more data than is necessary should be collected.
  • Data has to be accurate and there must be mechanisms in place to keep it up to date.
  • Data should not be retained for longer than is necessary.
  • The protection of personal data must be upheld.

Key Protection Measures

All Saints has put a variety of measures in place to ensure that all personal data is protected. These include:

  • Storing all pupil and staff personal data in the Management Information System (MIS) – Arbor – which is password protected, with access to data strictly limited to a need-to-know basis.
  • Data stored on the school server is password protected and access rights for individual staff members are linked to their role within school. The retention of data on the server is governed by the Data Protection Policy, which is enforced by the School Data Protection Officer.
  • We require “strong” passwords on all software that holds sensitive information.
  • No passwords for logging onto school IT equipment are stored for automatic login.
  • No pupil data is stored on unencrypted external drives of any kind.
  • All visitors and staff use a digital sign-in system, which ensures that no personal information is visible to other visitors. Pupils are signed in by the admin staff.

Key Terminology

There is a range of terminology that is used to refer to aspects of GDPR that schools must get used to using. Below is an overview with definitions to provide clarity over what is meant by certain types of data and the different roles involved in the handling of data.

  • Data Controller – the holder and gatherer of data who decides what to do with it (the school).
  • Data Processor – the person/organisation who carries out activities with data that the controller tells them to do and who is not a direct employee. An example would be Capita SIMS, who provide an MIS service.
  • Data Subject – the person to whom the data belongs. It is important to note that under the new GDPR regulations children have more rights even though it is parents who give consent for the collection of certain types of data.
  • Subject Access Request – the request by a data subject for information about the personal data that a data controller holds. This must be made available in an accessible format within 40 days, or within 15 days if it is a request for a child’s education record.
  • Data – all recorded information in any format (sound, text, electronic files, photographs, videos, voice recordings) which includes statements and opinions.
  • Personal Data – any data that relates to an individual which can identify them or link to other information which would lead to identification.
  • Sensitive Personal Data – data that relates to aspects of personal life/preferences such as race, political opinions, religion, disability, sexuality, criminal offences etc.
  • Processing Data – obtaining, recording, sorting, converting, disclosing, analysing, storing, sharing or destroying data by any means.

Protecting Data

As a school we have reviewed all of the data that we currently hold and produced a “Data Asset Register” which documents the type of data, the data processor, where the data is stored, the reason that the data is stored and any potential risks that must be considered when developing policies/procedures around data protection. This process has included making contact with all data processors to ensure that they are GDPR compliant. Below is a list of the data processors used by the school (individual links to each provider will be added once their GDPR compliance policies/statements are finalised, at which point they will appear below highlighted in blue):

  • Purple Mash (Digital learning tool that can be accessed within school and at home with individual logons from Y3-Y6 and class logons from YR-Y2)
  • Junior Librarian (Online library catalogue of the school library with individual user barcodes to scan books in and out of the library)
  • CPOMS (Child Protection Online Monitoring System on which incidents are stored)
  • Office 365 for Education (Staff email system)
  • Edukey/Provision Map (SEND data storage and management)
  • Arbor (Management Information System)

As a school we have looked at what data we need to obtain consent for under the GDPR, so that any data we collect is appropriate. To comply with the Department for Education (DFE) and Census obligations, on admission we request, on the emergency contact form, a range of personal information that complies with our statutory duties. When changes to any of this data occur and we are informed, it is updated as soon as possible within our Management Information System (MIS) Arbor.