As you will see below you can do very little without gaining express permission, yet if you are clear about how you will use the data and strictly adhere to this, in addition to evidencing this permission, you can do so much.
The answers below refer to personal information, but schools will hold and have the right to hold a range of other data which is not personal information without permission. Therefore it is important to know what constitutes personal information.
Thanks to the ICO.
1. Can I send out class lists?
It depends. Under GDPR (and under the older data protection legislation for that matter) you should not share personal information of any kind without permission from the person in question, or their parent/guardian for younger pupils. If you have a signed consent form which states that you will share information with others pupils and parents of the class. You need to be very clear about what information you will share. You may also wish to request that the recipients should not share this information further to cover yourself, but also state that by agreeing to share this information means it is outside the control of the school.
On a related point, you can still act of postman or postwoman for birthday invitations, notes about play-dates and the many other kind acts of communicating you as the person giving you the message is given you the consent to pass this on.
2. I’ve heard that permission can be revoked. Is this true?
Yes, parents, pupils and staff can revoke their permission at any time. They can also ask for any data the school holds to be removed. They have the right to request all the data that the school hold about them, including written records from private meetings with written records and governor minutes which feature them, so watch what you say! The information must be given and/or removed within 30 days of receiving the request.
3. Can I use my USB memory stick to take files between school and home?
If the files contain zero personal information, yes, if you must. Although there are much better options, such as online encrypted platforms where you can access your files from the cloud using a secure username and password.
However, if you are using personal information you should only use encrypted physical storage which never leaves the school, or password and encrypted online cloud storage. Check the online storage providers GDPR statement carefully as a business account, rather than a free account, may be required to provide adequate levels of protection.
4. Can I take photos and videos of my pupils?
This has been covered by child protection legislation for many years and schools are generally aware of their responsibilities here. GDPR does add much to what should have already been in place, with permission needed from parents/guardians to both take and use images and videos.
Where GDPR does have an impact is if personal information is being recorded and published in or with the photo or video. The times I have seen schools coyly share an anonymous photo of a pupil celebrating his or her work on a blog or on Twitter, only to have the pupil’s name, and sometimes even age, written on the piece of work they are holding up to the camera for all the world to see! Unless clear and express permission has been given, schools should not share personal information with or within a photo or video.
This is also true of videos and photos being taken by parents at school productions, sports days or other open events. This shouldn’t mean that parents should be banned from recording video or taking photos as long as child protection needs are met, but you need to think about how you announce over the load-speaker the winner of the egg and spoon race at your next sports day.
5. Can I call out the children’s names on a school trip?
While it might be fun to assign your class nicknames, or worse, for trips out of school, no, calling them by their first names will never be an issue even in public. Unless you are prone to grand ticking offs along the lines of “Little Joe Bloggs, I don’t know how your parents have put up with you since you were born on 21st February 2010 on St George’s streets….” You are not infringing on GDPR. Getting them to respond to their name when out and about is the real challenge here folks!
6. Can I have a social media life and be GDPR compliant?
I have experienced an overzealous senior management team myself who sought to control my social media output. However, unless you are giving out personal information of other people, there is nothing under GDPR which would prevent you from appearing on any social media platform you wish. Although it is probably wise not to use the school address for your Tinder profile!
7. Our school uses video monitoring of lessons and staff. Can this continue under GDPR?
It is arguable that under Article 8 of the Human Rights Convention which ‘protects our right to have our privacy respected’ and is a powerful shield against excessive snooping, this shouldn’t be allowed at all. Naturally, what constitutes ‘excessive’ is open to interpretation. While I personally believe that the convention means this cannot be mandatory and forced upon anyone, if the snooped-upon people are silly enough to expressly agree to being watched, then it can and does take place.
Where GDPR has an impact is how the video is stored and how the information, whether on the video or derived from the video, is used. This must be made completely clear at the time that agreement to opt-in to being surveilled is given. For example, if the video may be used in staff disciplinary proceedings or as evidence for pupil exclusions this should be stated at the outset. As with all GDPR agreements, it must be a real choice that can be refused or revoked.
8. My school keeps the books of all our past pupils for years after they have left the school Is this allow under GDPR?
No, unless permission has been expressly granted by the pupil or parent. Even if that pupil left before GDPR was enacted, you should not keep information without gaining permission, or be prepared to justify to the Information Commissioner’s Office that you have a legitimate need and use of the books if a complaint is made. This is true for any information you hold of past pupils and employees. Best practice is to gain permission to hold any information and to state clearly when that information will be removed.
9. Should pupils have their name on their lunch boxes?
Yes. This is essential as anyone can be tempted by an unattended Mars bar and it is imperative that these reach the correct owner at lunchtime. While they are at it, label any coats, hats, gloves, PE clothes and all the other items that seem to coalesce in the communal areas of every school.
10. I have been made the data officer at my school… help!
Yes, this is now officially the worse responsibility for any teacher and you deserve a medal or a TLR bonus at the very least! Many schools have split the role between a business manager who can address the legal areas and compliance, and a member of teaching staff to ensure the staff are trained, knowledgeable and adhering to GDPR day to day. There is extensive, yet fairly readable guidance at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr.
However, there are six very basic principals to remember:
- Keep private things private
- Delete what you can’t justify keeping
- Give things the owner requests to be given
- Delete things the owner requests to be deleted
- Clearly state what you will use information for
- Seek express permission again and again and again
And for goodness sake, replace your memory sticks. They’re so ‘noughties’!
This article does not constitute legal guidance or advice and schools should carefully research GDPR for their own particular context.