GDPR and Data Protection
The UK General Data Protection Regulation (UK GDPR) works with the Data Protection Act 2018 (DPA 2018) to form the UK's data protection framework. It determines how people’s personal data is processed and kept safe, and the legal rights individuals have over their own data.
‘Personal data’ means information that can identify a living individual.
Changes after Brexit
The UK adopted the EU’s GDPR in 2018, but since the UK's withdrawal from the EU it has used its own version, known as the UK GDPR.
The key principles, rights and obligations remain the same as before, but there are some amendments, mainly around international data transfers.
The UK GDPR sets out the key principles that all personal data must be processed in line with.
- Data must be: processed lawfully, fairly and transparently; collected for specific, explicit and legitimate purposes; limited to what is necessary for the purposes for which it is processed; accurate and kept up to date; held securely; only retained for as long as is necessary for the reasons it was collected
There are also stronger rights for individuals regarding their own data.
- The individual’s rights include: to be informed about how their data is used, to have access to their data, to rectify incorrect information, to have their data erased, to restrict how their data is used, to move their data from one organisation to another, and to object to their data being used at all
The main requirements are:
- Schools must appoint a data protection officer, who will advise on compliance with the UK GDPR and other relevant data protection law
- Privacy notices must be in clear and plain language and include some extra information – the school's ‘legal basis’ for processing, the individual’s rights in relation to their own data
- Schools have a month to comply with subject access requests, and in most cases can’t charge
- Where the school needs an individual’s consent to process data, this consent must be freely given, specific, informed and unambiguous
- There are special protections for children’s data
- The Information Commissioner’s Office must be notified within 72 hours of a data breach if the breach puts people at risk
- Organisations have to demonstrate how they comply with the new law
- Schools need to carry out a data protection impact assessment when considering using data in new ways, or implementing new technology to monitor pupils
- Higher fines for data breaches – up to 17.5 million euros
Our Data Protection Officer is Mr Palmer, who can be contacted at school.
Annual Consent Forms - will be updated in September