Guidance for schools on data sharing

Department for Education issues new guidance on data sharing 

The Department for Education (“DfE”) has issued new guidance for schools on sharing personal data.

It provides practical guidance for schools on what they need to consider under the Data Protection Act 2018 (“DPA”) and UK GDPR. It outlines the need for a Data Protection Impact Assessment to analyse risks before sharing pupils’ data.

Taking each section of the guidance in turn:

Safeguarding concerns

Data may (as long as it is necessary) be shared with other schools and children’s social care teams if there are safeguarding concerns; consent is not usually required as the lawful ground for sharing. For further details on other lawful grounds that can be relied on, see the “Comments” section at the end of this blog.

The school’s designated safeguarding lead should decide what personal data is shared. A record needs to be kept of:

• Who the safeguarding lead is sharing the information with
• Why they are sharing the data; and
• Whether they have consent from the pupil, parent or carer. 

There is further guidance on sharing a pupil’s safeguarding file in the working together to safeguard children, and keeping children safe in education guidance (see links at the end of this page).

Sharing data with local authorities and government

Data might need to be shared with local authorities, other schools or children’s services when:

• A pupil shows signs of physical or mental abuse (such information might need forwarding to children’s services); or  
• Pupils will be at another school’s sports day or on a joint school trip. 

Before sharing any such data, the school must:

• Consider all the legal implications
• Check if permission is needed to share the data
• Confirm who needs the data, what data is needed and what it will be used for
• Ensure the specified data can be shared securely; and
• Check that the actions cannot be completed or verified without the data.

Consent is not required as a lawful ground for processing when sharing data with the DfE for the school census. However, the relevant privacy notice must outline the types of data that will be shared and the lawful basis/bases for sharing that data. 

Sharing data with other schools

If a pupil moves school, their records should be transferred. When doing so:

• The data must be transferred securely
• The record must be transferred within 15 days of confirmation the pupil is registered at another school; and
• The record must be able to be traced during the transfer.

The guidance suggests the following methods to ensure the data is protected:  

• Use the ‘School to School’ system
• Send the records to a named person and use an encrypted email
• Ask the local authority to transfer them; or
• Deliver any paper records in person or ask the new school to collect them.

If arranging a joint school trip, data will need to be shared between the schools, for example, which pupils are attending and any dietary requirements or medical information. If consent is relied on as a lawful basis to share this information, the consent form must specifically cover this type of arrangement.

Consent before sharing personal data

Consent is only one of the potential lawful grounds for processing under the UK GDPR. The guidance suggests consent might be needed before sharing any personal data, but this might be inappropriate when:

• The individual cannot give consent
• It is not reasonable to ask for consent; or
• There is a safeguarding concern.

The guidance suggests (although it is dependent on the specific pupil) that a pupil might be able to give consent if aged 13 or over, but, for pupils under 13, consent will be required from whomever holds parental responsibility. This is in line with the ICO’s own guidance on children and consent.

A detailed record needs to be kept on the consent, including when and how it was obtained (for example, keeping the letter sent to the parents or carers).

When obtaining consent, the school must explain:

• What personal information is being shared
• Why it is being shared
• Who the data is being shared with and what they will use it for
• How the school will share their information; and
• The process for withdrawing consent.

Any letters sent to parents or carers that ask for a reply slip that includes requests for personal data, should have a data protection statement, through either linking to a privacy notice or including information within the letter.

If asking for consent from a pupil aged 13 or over, the request must be written so the pupil can understand it and so they are clear about what they are agreeing to.

Biometric data of pupils

The guidance provides a case study for schools who use biometric data.

Taking and using photographs of pupils

The guidance states consent is needed for each different use of a photograph, including if the school is going to:

• Share photos on its social media channels
• Include photos of pupils and staff in a prospectus or other marketing material
• Use a photo of a pupil in school displays; or
• Take a photo for a newspaper article.

The pupil’s name should not be included when using the photograph unless the school has specific consent to do so.

The photo can only be used in line with the specific consent provided, which should clearly outline how long the photograph will be used for.

Photos used in identity management systems may be essential for performing the public task of the school, but the school should delete them once a child is no longer a pupil at the school.

Publishing exam results

The DPA and UK GDPR do not prevent schools from publishing exam results online or in the local press, and the guidance states consent is not needed to do so. However, pupils should be told where and how their results will be published before the publication date, so they have an opportunity to ask you to remove their results from the list should they wish to. The guidance also refers to further guidance on exam results, which includes a section on publishing these and pupils’ right to object.

Comments

The guidance has a clear focus on consent as a lawful ground for processing. As there are other grounds for lawful processing under the UK GDPR, it is surprising there is not more of a focus on how some uses of data might be “necessary for the school’s legitimate interests”, or, when such processing might be “necessary to perform a task carried out in the public interest or in the exercise of official authority vested in the school”. Consent can provide significant difficulties as a ground for processing, since it must be as easy to withdraw as it is to give. If consent is withdrawn and no other lawful ground for processing has been identified, the processing would have to cease. There is a separate DfE guide on the other potential grounds of processing and a cross-referral to this in the guidance would have been useful for controllers.

Useful links  

Visit the DfE to see the new guidance on data sharing

See the guidance on working together to safeguard children

See the guidance on keeping children safe in education

See DfE guidance on lawful grounds for processing personal data

See the guidance on exam results 

If you have any questions on when you can share data, or the lawful grounds you can rely on to process data, please contact our experts below.