The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

Report offers school data protection advice

News release: 17 September 2012


A report released today aims to help schools ensure they are handling pupils’ personal information in line with the law.

The report has been written by the Information Commissioner’s Office, and gives practical advice on how to comply with the Data Protection Act.

It was prompted by a survey of 400 schools across nine local authority areas that showed that whilst awareness of data protection laws was generally good, schools need to pay more attention to complying with data protection law.

The survey showed 95 per cent of schools provided some information to pupils and parents about what was done with personal information.

But a third of schools with password-protected computer systems conceded the passwords were not necessarily strong enough and not changed regularly, with 20 per cent admitting email systems were not secure.

Louise Byers, ICO Head of Good Practice, helped draft the report: “The survey results showed that whilst awareness of the law was broadly good, knowledge on how to comply with it wasn’t always there. In many respects that should come as no surprise – it’s not teachers’ area of expertise – and it is precisely what our report is aiming to address.

“I’d urge teachers and heads to take a look at our recommendations and make sure they’re complying with the law. The sensitive personal data that schools handle means it is crucial they get this right, and we hope the ICO’s report will help them achieve that.”

Read the report detailing data protection advice for schools
Summary of recommendations from the report

The ICO’s top tips to schools on complying with the Data Protection Act:

  1. Notify. Not a top tip so much as a legal requirement. Schools handle personal data, and are obliged to notify the ICO of what they are doing with it.

  2. Be fair. A key principle of the Data Protection Act is that individuals should know what organisations are doing with their personal information, known as ‘fair processing’. This includes letting parents and pupils know why and where CCTV is being used, and taking care not to disclose personal info like photos online without consent.

  3. Keep it secure. It is essential that schools keep information secure. This means secure storage, secure usage, secure sharing and secure disposal. And if parts of a school’s website are for staff or parents only, make sure there’s proper password security in place and they can only access what they’re entitled to.

  4. Prepare. Spend some time ensuring your school has clear and practical policies. Ensure that staff are trained in what they mean and don’t forget to monitor whether the policy is being followed.

 

Notes to Editors

1. The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
 
2. The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.
 
3. Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:

  • Fairly and lawfully processed
  • Processed for limited purposes
  • Adequate, relevant and not excessive
  • Accurate and up to date
  • Not kept for longer than is necessary
  • Processed in line with your rights
  • Secure
  • Not transferred to other countries without adequate protection

4. The ICO is on Twitter, Facebook and LinkedIn, and produces a monthly e-newsletter.

5. Schools in Scotland do not have to notify the ICO in their own right, as the local authority will be notified on their behalf and classed as the data controller. This is not the case in England, Northern Ireland and Wales.