The Optimus blog

The blog that inspires leaders in the UK education sector

Dai Durbridge

GDPR and your FAQs

From encrypting emails to gaining consent, we asked Browne Jacobson lawyer Dai Durbridge some common questions.

1. Encryption and password protection: what’s the difference and do we need to do it?

Encryption – also known as end-to-end encryption – protects the email while it is passing from your email system to the recipient email system. In other words, if someone tries to intercept it, they cannot read its content. What encryption doesn’t do is protect the contents of the email if you send it to the wrong recipient. That’s where password protection comes in.

Password protection is a simple security measure that does what it says on the tin – it password protects the contents. So instead of putting confidential information in the body of the email, you put it in a Word document or PDF, password protect that document and then attach it to an email. That way, if you send it to the wrong person, they don’t have the password to open it.

Your school email systems are likely to have good encryption built in to them. Password protection is the step you need to consider when sending personal information by email, especially when sending it outside of the school. This is a very new concept for most schools and so it is worth spending some time considering how best to do it, for example agreeing fixed passwords with those whom you email frequently with personal data.

2. What happens if we receive a query about a pupil or staff for data that we no longer hold?

You provide them with the honest answer: ‘We only hold your data for X years in accordance with our retention and destruction policy’. 

As long as your retention and destruction policy makes sense and you follow it, you cannot be criticised.

3. Should we be changing our culture re displays of work throughout the school that have the names of pupils on?

In short, no. That’s not what the GDPR requires of you. Children’s work displayed around the school is usual practice and, in terms of personal data, more often than not you are simply processing (displaying) names and year groups/class names and only other staff, pupils and parents will see it.

Where thought should be given is where you display photos/data relating to children so that they can be identified for medical need, safeguarding concerns or behaviour. Ask yourself these questions (data minimisation).

  • Who else can see that data and do they need to?  

  • Is this the best way for this important information to be shared?

If you are honest, I’m betting the answers are ‘quite a few’ and ‘no’…

4. Should you keep copies of pupil files when they transfer to another school?

There’s no problem with doing so, as long as you destroy them once receipt has been acknowledged. After all, what is your lawful basis of processing the data of children that no longer attend your school?

There may well be the occasional exception, such as an ongoing complaint, that means you have a lawful basis for processing those documents for a further period of time. If so, it is important to remember that when that purpose has ended, so has your lawful basis for processing.

5. If parents can withdraw their consent for personal data not to be held, where does that leave the school should an emergency arise and they cannot be contacted?

Schools would not rely on consent as the lawful basis of processing emergency contact details. Instead, they would rely on public task. This means that you do not hold the data on the basis of the parent’s consent and therefore there is no consent to withdraw.

6. Do you need to re-seek consent from parents/students for use of photographs if you obtained consent before the GDPR?

This depends partly on whether the basis upon which you secured consent complied with the requirements of the GDPR. If it did, then you can still rely on it. If it did not then you do need to give consideration to whether those pupils and parents whom you can identify in the photos need to be approached for fresh, GDPR-compliant consent.

From compliance to culture

The 25 May has passed, and so far, so compliant. But while your school might have the right policies in place, culture change can be slower. Are you sure and can you evidence that the new procedures to safeguard student data have been embedded throughout your school or MAT?

Our forthcoming GDPR for Schools conference will help you prepare for this second wave of GDPR compliance.
