Schools Data Protection
The Data Protection Act 1998 is a law designed to protect the privacy of individuals, in particular with regards to the processing of their personal information. The Act covers manual (paper) records as well as those held on computer.
Under the Data Protection Act, schools are their own data controllers and are responsible for registering individually with the ICO as well as complying with the eight principles of the Act and using, storing and protecting data, as appropriate.
Schools who are signed up to Legal Services ‘Service Level Agreement with Hampshire Schools’ for the period 2011-2014, can access legal advice within the remit of this agreement, around Data Protection Issues . However, where the school requires legal advice or assistance not covered by the annual subscription(s), a pay-as-you-go service will be offered at an hourly rate.
For more information, please contact Legal Services: email@example.com
Privacy Notices for use in Schools and Children's Services (including Templates)
Guidance to schools and LAs with respect to fair processing of information under the Data Protection Act 1998
To meet the requirements of the Data Protection Act 1998 Children’s Services, schools and other service providers need to issue a privacy notice to staff, children and their families summarising the information collected about them, why it is held, and the third parties to whom it may be passed on.
Privacy Notices (previously known as Fair Processing Notices) are needed as the Data Protection Act requires that data is only shared with the data subject (or their parents/carers in the case of children under 13) unless the data subject has given permission to share or where there are statutory requirements for that information to be shared. As the permissions needed and the statutory requirements often change according to the needs of the service, different Privacy Notices have been developed for each type of service and/or data collection.
For general information on privacy policies, please see the Information Commissioner's guidance
Privacy Notices Templates
- Children in Need Census
- School Workforce Census - HCC Staff 50kb
- School Workforce Census - School Staff 50kb
- Primary Pupils
- Secondary Pupils
- Youth Service Privacy Notice 342kb
Schools are their own data controller in the eyes of the law; accordingly they need to develop their own policies and documentation to comply with the Data Protection Act. The documentation included here is designed to support schools in developing their own privacy notices.
When designing privacy notices, schools need to be aware of the information they collect and wish to share/use about staff, children and their parents outside of the normal reasons for collection. For example:
- Emailing electronic school newsletters
- Sharing contact details of parents within a class (to assist in arranging birthday parties etc for younger pupils)
- Sharing across the Local Children’s Partnership for more vulnerable children
- Sharing with the PTA when arranging unofficial school events, such as discos and fundraising activities
- Sharing across a school consortia
- Contact details for governors
There are also many statutory requirements for schools to exchange information about staff, parents and children; for example
- School workforce census
- Pupil Level censuses
- School Travel Surveys, Forces Children census etc
- Youth Service (formally known as Connexions service) data exchange (in year 8)
- Information exchanged when moving between schools
- Exam entries and results
Apart from the standard reasons of protecting vulnerable individuals and those involving the prevention and detection of crime, which are mentioned in the Data Protection Act.
Many schools used to send out fair processing notices at the start of each academic year, often linked to the provision of an annual data collection to ensure that the information held about pupils is still correct. There is nothing to stop schools doing the same with privacy notices if they wish.
At the start of year 8, schools need to make parents and pupils aware of their right to opt out from the provision of information to the Integrated Youth Service under the Learning and Skills Act 2000. This can be done through the use of a privacy notice, a message in a school newsletter or other suitable means but schools should ensure that the message reaches both the pupils and their parents. Once a child attains the age of 13 they are assumed, for most purposes, to have rights over their own information so they need to be aware of privacy notices and their rights to see their own record.
To help schools, example Privacy Notices have been created which schools may wish to personalise to their own requirements.
The text in the outline privacy notice for parents/pupils that relates to the work of the Integrated Youth Service and the Learning Records Service is only necessary for secondary schools.
In addition to the privacy notice, schools need to ensure they have made details of any routine information sharing arrangements known to the individuals concerned. This can be achieved through the use of the school website, as part of the publication scheme or through advice to contact the school’s admin officer.
Early Education & Child Care
The EECU provides an outline privacy notice for nurseries and child minders which is updated every autumn and distributed as part of the census package. As most provision in this sector is delivered through private providers, many will wish to use the privacy notices belonging to their organisation. As with schools, the outline privacy notice is provided for advice only
For most people in contact with social care the leaflets Your Records and CR11 provide the privacy notices required. However the Department for Education has recently set up a new data collection which requires an additional privacy notice for all young people having a referral to social care as a Child in Need. This privacy notice is mandatory for use within Children’s Services and should be provided to the child (if deemed Fraser/Gillick competent, normally aged 13) and their family at the first suitable meeting with social care after the referral.
For any other information about Privacy Notices Children’s Services staff should consult Data protection and information sharing or contact the Department’s Data Protection Lead, Colin Payne (firstname.lastname@example.org).
Information Sharing & Confidentiality
The Children’s Trust has published a policy document on Information Sharing and Confidentiality which can be downloaded from the Children’s Trust website at http://www3.hants.gov.uk/childrens-trust
Data Protection Guidance
Data Protection Policy
As data controllers, schools should have a data protection policy setting out how they comply with the Data Protection Act. The County Council has developed a template policy for schools to be able to use as the starter for developing your own policies.
School Data Protection Policy 2
Registration with the Information Commissioner's Office (ICO)
The ICO maintains a public register of data controllers. Each register entry includes the name and address of the data controller and details about the types of personal information they process. Individuals can check the register to find out what processing of personal information is being done by a particular data controller. Notification is the process by which a data controller's details are added to the register.
Schools are required to renew their registration on an annual basis and there is a fee. Schools will need to action the payment directly.
The ICO website has further guidance.
Subject Access Requests (access to pupil's records)
Your pupils and students have rights to see their personal information. They can make a subject access request to see the personal information you hold about them. They - and their parents - also have the right to see their educational records. The Information Commissioner's Office (ICO) has produces a 'Technical Guidance Note' containing information on this and what you need to do.
The County Council has also produced a short Frequently Asked Questions sheet around 'Rights of Access to Information'
ICO Data Protection Advice for Schools
A report was released in September 2012 aiming to help schools ensure they are handling pupils' personal information in-line with the law.
The report has been written by the Information Commissioner's Office, and gives practical advicde on how to comply with the Data Protection Act. The report can be accessed via the following link:
Freedom of Information (FOI)
This is concerned with the provision of information not covered by the Data Protection Act, but the two areas are closely linked. As public authorities, schools are subject to the Freedom of Information Act (2000) in their own right and are responsible for the provision of information in response to requests made.
The Information Commissioner's Office (ICO) has produced a guide that explains your obligations under the Freedom of Information Act, answers many frequently asked questions and gives practical examples to illustrate how to apply the Act in practice.