The Optimus blog

The blog that inspires leaders in the UK education sector

Dai Durbridge

GDPR: your questions answered

We were inundated with questions at our recent GDPR conference. Browne Jacobson lawyer Dai Durbridge answers the most popular ones.

1. What are the implications of staff working remotely with access to confidential information?

There is no reason why staff cannot continue to access personal and confidential information remotely. What is important is to have a robust policy in place that addresses how that information is managed (including how it is accessed, where it is saved/stored, whether it can be printed and how it should be destroyed), ensuring the importance of that policy is understood by all staff and taking steps to ensure the policy is followed.

2. Should we insist that governors use school email addresses for all school correspondence?

That would be good practice, yes.  From a data protection viewpoint, it is only the security of personal information that would be of interest to the Information Commissioner's Office (ICO), but given the sensitive nature of governor email conversations and minutes, it is sensible for all email traffic to come from school email addresses.

3. Is there a list available that gi​ves clear timescales schools must keep categories of data? Pupil records, employment files, pension, tax, etc?

While some legislation requires certain documentation to be retained for a particular period (e.g. some recruitment documentation), there is no hard and fast rule for how long the majority of documentation created and held by schools should be retained.  

Life would be more straightforward and practices more consistent if timeframes were set out in law or guidance.

For the moment, the closest we have is the Information Management Toolkit for Schools provided by the Information and Records Management Society (IRMS).

You also need to be aware of any local requirements, particularly those of your local safeguarding children board (LSCB) regarding safeguarding records, which can vary from one local authority to another.

4. Can we change policies now for GDPR or do we have to stay under the 1998 Data Protection Act until 25 May?

Best practice is to bring the new policies into effect on 25 May 2018, until then it is better to remain with your current policies. There is some sense in having your new policies ready and available for viewing from late April to let stakeholders know about the changes and to get used to them before they take effect.

5. If a child over 13 gives consent for something like photographs but you believe/know their parents/carer wouldn’t, what do you recommend?

You need to obtain consent from the person whose personal information you will be processing. In doing so, you need to be satisfied that the individual has capacity to provide consent – in other words, does the individual understand what is being asked of them, what will happen to the information if consent is provided and what will happen if consent is withheld.

Through discussing the issue with the individual you should be able to satisfy yourself that they do or do not have consent. If they do, you are entitled to rely on it, regardless of the views of parents or others. 

The only caveat to add is to be aware of court orders restricting the publishing of information relating to the individual and/or any additional information the parent may have that the individual does not that could impact upon the decision to use the photo.  An example might be a child who is at risk of abduction or harm but the child is unaware of that risk.

6. Does the timescale of one month for subject access requests still apply during school holidays?

The time period is set by the legislation and so is a legal requirement. It can be extended by up to two additional months ‘where necessary, taking into account the complexity and number of the requests,’ but a school holiday does not fall under either of those categories so relying on the extension brings with it a high risk of non-compliance.

The time period runs from ‘receipt’ of the request but currently there is no guidance in the GDPR as to when a request is deemed to be received. A school could run the argument that requests made during school holidays are not received until the first day of the new term, but doing so does run the risk that receipt could be deemed to take place when the letter/email is delivered to the school. So it could be a risky strategy.  

If adopted, then a statement setting out this approach should be included in your Fair Processing Notice where the rights of the data subject are set out. Until we have clarity on this matter, the safest approach is to take steps to reply to subject access requests within the set timeframe.

Evidence compliance

With less than three months until the GDPR takes effect, is your school clear on how to demonstrate its compliance with the new regulations?

Join us on Wednesday 14 March for our GDPR for Schools Update: Practical Implementation, for the latest updates from legal experts and advice on the vital steps you should be taking now.

Find out more

More from Optimus

Webinar: GDPR – the role of the data protection officer

GDPR: how to undertake a data audit



Subscribe to Optimus Education's Blog

Join other educators and get the latest Optimus blogs direct to your inbox.
Your data is safe with us: Privacy Policy

Similar Posts

John Viner

Another year, another education secretary

Unexpected departures and new arrivals at the DfE have brought the future of government education policy into question. Just as the profession was developing a good working relationship with a new secretary of state for education, we looked up and, instead of Justine Greening, found Damian Hinds...
Damian Moore

'One happy family': reviewing and refining practice for 2018

One year on from our Ofsted report, Holy Family is committed to implementing our plan for better SEND support. Here are some of our priorities. Reviewing and planning are the main two priorities for many SENCOs as the year ends. Ours has just given a wonderful exposition of the history of SEND to...
Dr Karamat Iqbal

Should education be secular?

Religious belief is very much alive in our schools, but many teachers are drastically unprepared to teach in the classrooms of the future. One of the most visible effects of globalisation has been the greater movement of peoples and communities. This has led to newer forms of diversity, especially...