Data Protection - Schools & Higher Education

Data Protection and Schools

Schools hold and process a huge range of personal data. This includes data on their pupils, pupils’ parents, guardians and their own staff. With the GDPR increasing the regulatory requirements on schools, and new ePrivacy laws due, the importance of the right safeguards is key. With an increased number (and size) of fines, schools cannot afford to ignore the issues.

We can help schools with their data privacy obligations. We have acted for numerous schools and colleges, both in ensuring they have the right systems and processes in place, and to respond to issues as they arise (for example when they receive a data subject access request from a pupil/parent and where there is a data breach). 

By now schools should be meeting their personal data processing and management obligations.

Compliance is an evolving process. Complaints have risen significantly. Since the GDPR came into force, the number of investigations has greatly increased. Likewise, we are seeing more frequent exposure to significant fines as well as damaging publicity, both in the national press and on the “enforcement action” section of the ICO’s (Information Commissioner's Office) website, where perpetrators are named and shamed.  

In the private sector, we have seen a huge increase (in the UK and across Europe) in proposed fines for data privacy violations, including for British Airways and the Marriott Group. There have also been a number of prosecutions of those who have infringed the rights of employees, customers and other individuals. 

Reasons for ICO investigations 

The reasons for complaints are broad, but the most common ones relate to individuals requesting access to their personal data, unlawful disclosure of data and security breaches. Common areas of ICO investigations are -

• Sending or sharing personal information without a lawful basis to do so
• Collecting and otherwise processing personal data unlawfully
• Accessing personal information without authorisation
• Not holding personal data safely or securely
• Marketing by text and email without permission
• Phoning people who have opted out of marketing or sales calls via the TPS register
• Selling personal data unlawfully
• Not responding quickly enough or at all to data subject access requests 

What is clear is that organisations, and in particular managers with employee and third party data responsibilities will increasingly find themselves under the ICO’s well-resourced eye. 

How we can help

Our data protection team advises clients on all of the data protection and related issues they face. Areas where we regularly help clients like you in the education sector include -

• Handling large and complex data subject access requests, using an end to end eDiscovery tool, as required
• Recognising the rights of pupils and the rights of parents, and the steps to take when these conflict
• Ensuring schools adhere to the safeguarding principle when handling pupils’ personal data.
• Handling and reporting data privacy breaches, including whether notifications need to be made to data subjects (including pupils and parents) and/or the ICO, and the best way to mitigate the impact of such breaches
• Challenges brought by pupils, employees and other data subjects to the ICO and dealing with the ICO on behalf of the school
• Employee monitoring and investigations in a variety of cases including alleged bullying and harassment
• Employee screening and background checks (including criminal records checks for staff)
• Drafting and reviewing data protection documentation
• Data Protection Impact Assessments (DPIAs) for high risk processing, such as when introducing new absence management software and other new technologies
• Overseas data transfers and advising how to do these lawfully
• Training staff to meet a range of needs, from general staff awareness of GDPR through to bespoke training for data protection managers, business development managers and other areas where specific risks or issues have been identified

Fixed price packages

We also have a range of fixed price packages which we can discuss with you when we have scoped out the requirements of your school including - 

• Data flow mapping – working out what data you have and what happens to it
• Data processing activity reports (Article 30 reports) – setting out why you have the data, categorising it, and explaining the security measures in place to protect it
• Compliance gap reporting – setting priorities for improvements, including cost-effective “quick wins” which are swift and cheap to put in place, and timeframes and costings for longer-term improvements
• GDPR follow up audits – seeing how well you’re doing “on the ground” at a later stage in the process and making further recommendations where appropriate
• Suites of data protection policies, procedures, notices and contracts to cover data breach management, data retention, employee and other privacy notices, data subject access request forms, template data processing agreements.

Recent work includes -

• Handling data subject access requests received from pupils’ parents. We helped the school first recognise their obligations under the request, work with the parent to understand the scope of the search and then complete the searches. We helped them compile their response and review the data to ensure they did not breach their data privacy obligations to third parties.
• Advising schools and colleges on their data protection responsibilities in light of the COVID-19 pandemic. We advised a sixth form college when two teachers were self-isolating (before the UK lockdown) after being in contact with individuals who had tested positive for COVID-19. We advised on how to communicate this to other staff members (ensuring they did not breach their data privacy obligations) and pupils, balancing the public health duties with the individuals’ rights to privacy.
• Drafting necessary data privacy documents for a school. We reviewed and updated a college’s data privacy notices (for staff and third parties) and their data protection policies. This helped ensure they had suitable systems in place to mitigate the risk of data breaches and outline processes if any data issues arise at a later date.  
• Reviewing a college’s processes and documents to lawfully conduct background criminal checks. We reviewed the existing policies, updated these to clearly set out their lawful basis and provided bespoke appropriate policy documents to handle criminal record data. 
• Practical full day GDPR workshop for IAPS focusing on data protection issues in schools, comprising: how to devise a compliance plan, data breach management and notification, contracts, policies and notices, case studies and quiz
• Training other lawyers at the Employment Lawyers Association Annual Conference on a wide array of data protection issues with an HR focus.

Our Specialists

Piers Leigh-Pollitt is an experienced employment lawyer and data privacy specialist, heading the Doyle Clayton Data Privacy team. He is an expert in his field and holds the Practitioner Certificate in Data Protection (GDPR). 

Mike Hibberd is an employment and data privacy law expert advising both organisations and senior individuals on a wide range of human resources and related issues. 

Simon Henthorn is one of the UK's outstanding Education lawyers. He is listed a Leading Individual for his work advising schools, colleges, universities and other Education sector organisations by the The UK Legal 500 and under his leadership, the firm's Education team has achieved the highest possible ranking (Tier 1) with The Legal 500

Recent feedback for the Data Protection team includes -

•  “Piers is very good - on the ball, articulate, credible and reassuring.”
•  “Thank you very much indeed for your support throughout, and please pass on my appreciation to Mike
•  “Mike’s advice was spot on. He judged the project just right and managed and led the process effectively.”