GDPR FAQs

Are we a public authority under GDPR? Is parental consent always required when collecting or processing children’s personal data? These are just a couple of questions we have been getting from education organisations about the new data protection law.

Our FAQs document answers these questions and many more.

 Department for Education video: GDPR guidance for schools

Iain Bradley from the DfE explains how you can review and improve your handling of personal data.

The DfE has also published a data protection toolkit for schools to help them fulfil their obligations under the GDPR.

Your data matters

Making sure your students and staff understand the value and importance of their personal data is essential. Our campaign, your data matters, offers organisations a range of ‘off the shelf’ communications materials to help communicate these messages.

Fundraising and marketing in education organisations

If you're planning a fundraising or marketing campaign, it is essential that it is undertaken in line with the Data Protection Act and Privacy and Electronic Communication Regulation (PECR). The ICO has produced a number of resources that offer guidance about how organisations can ensure the activities undertaken are compliant with the law.

Data protection – looking after the information you hold

Subject access

Your pupils and students have rights to see their personal information. They can make a request to access the personal information you hold about them. They – and their parents – also have the right to see their educational records. 

 Exam results

If you intend to publish exam results in the media, you must inform your pupils and students first.

Taking photos in schools

The Data Protection Act does not prevent parents and teachers from taking photos of events such as the Christmas play or sports day. Asking permission to take photos is normally enough to ensure compliance.

Bring your own device (BYOD) guidance

Guidance for organisations who want to allow staff to use personal devices to process personal data that they are responsible for.

The Department for Education have also provided guidance on data protection for schools considering cloud software services.

Guidance on the use of cloud computing

This guidance covers how the security requirements of the DPA apply to personal data processed in the cloud.

Freedom of information - making public information available

If the educational establishment you work in is a public authority, the Freedom of Information Act means you must produce a publication scheme, which outlines the information you will routinely make available to the public - such as minutes of meetings, annual reports or financial information.

Our definition documents explain the detail of what you need to publish:

Further reading