Overview
The much-anticipated Data Protection Toolkit for Schools (the "toolkit") was published by the Data Protection Commissioner (the "DPC") on 19 December 2024. The toolkit has been developed to assist schools in understanding the nature of their obligations as data controllers and to help them to comply with their obligations under both the General Data Protection Regulation (the "GDPR") and the Data Protection Act 2018 (the "Act"). The toolkit was developed after consultation with a number of organisations in the education sector and provides detailed guidance on various areas of data protection law that have been identified as the most challenging for schools.
In publishing this toolkit, the DPC has recognised the specific obstacles faced by schools given the sensitive nature of the data they often process and the challenges that often arise when processing children’s personal data, which is afforded additional protections under the GDPR. The toolkit is therefore focused on the processing of children’s data as opposed to employees’/parents’ data.
It also provides some very helpful guidance on the principles of data protection and the legal basis schools can seek to rely on when processing children’s personal data. This information is available in a readily accessible format with useful examples to assist schools in ensuring compliance with their obligations. In particular, the DPC has confirmed that if relying on legitimate interest as a legal basis for processing children’s personal data, schools must ensure that reliance on this legal basis does not interfere with, conflict with or negatively impact, the best interests of the child, thus reinforcing this principle from the 'Fundamentals for a child-oriented approach to data processing' published by the DPC in December 2021.
The toolkit gives insight into the DPC’s approach to the exercise of data protection rights by or on behalf of children, noting that children can exercise rights in their own right, as long as they have capacity and it’s in their best interest. It confirms that once a child has reached the age of 17, other than in exceptional circumstances, their data protection rights should not be exercised by the parent or guardian. The DPC has made it clear that in such situations, schools should deal directly with the child. This is the first time the DPC has given clear guidance on this point, and it will assist schools when trying to determine whether to allow parents to exercise the data protection rights of their children, particularly those who are nearing the age of majority. The toolkit also clarifies that time continues to run during the school holidays for the purposes of a request and that a designated email address must be monitored for data-related queries and subject access requests.
The toolkit outlines many instances in which schools share data either by use of third party suppliers or in compliance with various pieces of legislation. In all circumstances, schools must engage with the third party processors they choose to ensure they enter into a processing agreement (as per Article 28 of the GDPR) and must ensure that the processor has sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subjects. The DPC outlines that schools have various statutory functions under various legislation and often process personal data to comply with such legal obligations. Schools must be in a position to identify the specific provision of the Act and it is their responsibility to ensure they are only providing the personal data required under the Act. Our team are often asked to advise schools in respect of their statutory obligations, particularly on the interplay between the various pieces of legislation schools must consider and their obligations under both the Act and the GDPR.
The toolkit cautions against the bundling of consent at the start of the academic year and states that each circumstance needs to be considered to determine whether consent is an appropriate basis to process personal data and/or whether further consent is required for the specific processing activity. It helpfully states that there can be emergency situations, involving a threat to children’s lives, health and welfare, where the processing of their personal data is legal as it is necessary to protect their vital interests under Article 6.1.d GDPR.
The DPC's guidance around CCTV in schools recommends that schools have in place an appropriate data retention policy, appropriate signage to inform people that CCTV is in use and an up-to-date data protection policy.
Notably, the DPC has recommended that all schools carry out a Data Protection Impact Assessment ("DPIA") in order to identify risks arising out of the processing of children’s personal data and to minimise these risks as far and as early as possible. Whilst there is no obligation on schools to carry out a DPIA, the toolkit makes it clear that there will be an expectation on schools to do so given the nature of the data they process.
It is evident from the toolkit that the best interest of the child, which is referenced throughout the guidance note, will be at the forefront of any decision made by the DPC in respect of a child’s data protection rights, taking into account their changing capacity as they near the age of majority.
The DPC has welcomed feedback on the toolkit up to and including 31 January. It will be interesting to see if any further advice and/or guidance is published following feedback.
Access to the complete Data Protection Toolkit can be found here.