Data Protection in Schools

May 17



 I am a business manager of a school. I was recently told that data protection law in the UK is changing and that this will affect schools. Can you please give me any guidance?


The way in which schools in the UK manage the personal data of staff, students and any other individuals connected with them is currently largely governed by the Data Protection Act 1998 (DPA). The DPA stems from the 1995 EU directive, which established a ‘one size fits all’ approach to the management and control of personal data by ‘data controllers’ and ‘data processors’ across all EU member states.

In an educational setting, the DPA is largely concerned with the way in which schools, local authorities, multi-academy trusts and the like manage individuals’ information. Breaches of data protection laws currently carry both civil and criminal sanctions and expose schools to increased reputational risk. In an increasingly litigious environment, schools need to ensure full compliance with the data protection regime in force from time to time and stay abreast of changes.

In 2016 the European Commission published its final version of a new data protection regime, applicable to all member states, which seeks to amend and further synchronise the procedure for and enforcement of data protection throughout the EU (the New Regime). This came into force on 24 May 2016 and provides for a two-year transition period, which means that it will apply to all data controllers (including schools) in the UK and across the EU from 24 May 2018.

Whilst the legislation is too extensive to go into in any detail in this article, the following gives you an idea of the changes afoot in relation to your school. The New Regime changes the obligations of schools as data controllers and processors, including changes to the security of data held; it changes the rights of students and teachers (and other individuals involved with the school as data subjects); it amends the rules regarding transfer of personal data to countries outside of the EEA (which may particularly impact on independent schools or schools with a high number of forces students, for example); and it significantly amends enforcement procedures for breaches of the legislation, including greatly increased fines.

In November 2016 Matthew Hancock MP confirmed that the UK will still implement the New Regime. Since then, however, Article 50 has been triggered and Brexit is very much on the horizon. My advice nonetheless is that schools should continue to prepare and ensure compliance with the New Regime.



