This depends on what personal information is being processed. You can take a self-assessment on the ICO’s website- https://ico.org.uk/for-organisations/data-protection-fee/self-assessment/  

This is what the ICO tells us about cookies:

The basic rule is that you must:

• tell people the cookies are there;
• explain what the cookies are doing and why; and
• get the person’s consent to store a cookie on their device.

As long as you do this the first time you set cookies, you do not have to repeat it every time the same person visits your website. However, bear in mind that devices may be used by different people. If there is likely to be more than one user, you may want to consider repeating this process at suitable intervals.

https://ico.org.uk/for-organisations/guide-to-pecr/cookies-and-similar-technologies/

You may also need to obtain fresh consent if your use of cookies changes over time.

When personal data has been accidentally or lawfully destroyed, lost, altered, disclosed or incorrect access was given. This is for both accidental and intentional reasons. It will have affected the confidentiality, integrity or availability of the data. 

A Data Protection Officer is responsible for the following tasks-

1. Provide advice  to an organisation about their responsibilities
2. Monitor compliance with the law
3. Advise on data protection impact assessments
4. Cooperate with the ICO
5. Be a point of contact for data subjects 

GDPR is the General Data Protection Regulation introduced into European Union law in 2018. It governs personal data and privacy in the EU and the transfer of personal data outside the EU and European Economic Area

Personal information is data that relates to an identifiable individual or can indirectly identify a living individual. Whilst the list is non exhaustive, this is likely to include-

1. Name
2. Identification number
3. Location data
4. Online identifiers e.g. IP address and cookie information

GDPR was introduced by the European Union and is a regulation which applies to countries within the Union and concerns data protection. The Data Protection Act 2018 introduced GDPR into British law. It also provides for certain UK-specific sections.

The Information Commissioner's Office is an independent office that regulates data protection in the UK. The office is responsible for ensuring that organisations comply with Data Protection Act 2018, Freedom of Information Act 2004, Privacy and Electronic Communications Regulations and Environmental Information Regulations among others. The Information Commissioner role is held by an individual, currently Elizabeth Denham. 

Under UK GDPR Children may  exercise their individual data rights  when they are competent to do so for  themselves. In order to be considered competent they must have sufficient maturity to understand the nature of the rights which they are seeking to exercise. It is the responsibility of the data controller to decide whether or not a child is competent. If you want to find out more information on how this works in practice consider the guidance of the ICO. https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/children-and-the-uk-gdpr/what-rights-do-children-have/#a3 

Under UK GDPR a child can consent  to the processing of their personal data, in the context of the provision of internet society services (ISS) offered ‘directly’ to them,  when they are 13 years of age or over. See Article 8 of the UK GDPR. if an ISS is  offered by an intermediary, such as a school, then it is not offered ‘directly’ to a child. 

 A parent  or carer, with parental responsibility,  may access the personal data of the children for whom they hold parental responsibility and exemptions will apply to the personal data in the same way as they would to an adult.

Children have the same individual rights as adults. The UK GDPR Chapter III and VIII provides the following rights to all individuals including children; 

• The right to be informed
• The right of access
• The right to rectification
• The right to erasure
• The right to restrict processing
• The right to data portability
• The right to object
• Rights in relation to automated decision making and profiling.

Under UK GDPR if  a child is not considered competent to exercise their own data rights, it will be the decision of the individual(s) with parental responsibility that will prevail. The exception to this is if, in the specific circumstances of the case, there is  evidence that this would not be in the best interests of the child concerned. 

Under UK GDPR if  a child is considered competent to exercise their own data rights, the decision of the child should prevail.

Under UK GDPR a child who is not considered competent to exercise their own data rights, an individual  with parental responsibility can exercise the data rights of the child for them. The exception to this is if,  in the specific circumstances of the case, there is evidence that this would not be in the best interest of the child concerned.

Under UK GDPR  a child  who is considered competent to exercise their own data rights, the child can decide who  to instruct to act on their behalf. This could be a parent, career, an advocacy service, or another individual under the instruction of the competent child.  

In some circumstances a court may make a court order providing that an appropriate individual be permitted to exercise the data rights of  a child. 

Generally, you do not have to redact something if the individual is already aware of the data. Whilst there are exceptions to this, for example, if the information is particularly sensitive or where that might involve another individual's data, I usually leave the type of information you are referring to in, as they will be aware of their own name and contact details so removing serves little purpose. 

Where you have 2 parents information but the request has only come from one of them, we usually ask the other parent if they consent to their data being left in. This saves time for you and most parents prefer this.

Please contact us for further advice about specific cases if you are unsure: dpo@dataprotection.education.

• The other individual has consented to the disclosure; or
• It's 'reasonable' to comply with the request without that individual's consent.

In determining whether it’s reasonable to disclose the information, take into account the relevant circumstances such as:

• The type of information that you would disclose
• Any duty of confidentiality you owe to the other individual
• Any steps you've taken to seek consent from the other individual
• Whether the other individual is capable of giving consent
• Any express refusal of consent by the other individual

Whilst there are many situations in which it would be nice to share personal data without the knowledge of the pupils, parents or employees (Christmas cards, leavers jumpers etc), this would not be data protection complaint. Consent should be obtained for this type of processing. Where you may wish to do it as a ‘surprise’, a school could obtain the consent at the beginning of the year from the parents. 

Redaction is necessary to protect the personal information of third parties when providing personal data, often in response to a SAR. It prevents unauthorised access and therefore a data breach occurring. Redaction can be done manually, with a redaction pen or other blanking method, or digitally. There are redaction tools available and data can be sufficiently redacted using other masking techniques. 

All personal data should be kept securely and confidentially, this includes when it is removed from school, when in transit and when it arrives to it’s destination. The best way to protect data offsite is to have it stored on a computer that is password protected. If you do have paper documents, we recommend that personal data is not left unattended in a car or available should a third party access your home. It should receive the same protections at home as it does at school. 

Consent must be freely given, specific, in plain, clear, unambiguous language, with a positive opt-in and a true choice must be given. There must also be a mechanism to withdraw consent. It should be recorded and that consent should be retained for the duration of the processing. You can find an example consent form on the Knowledge Bank.

The police are entitled to access personal information using an exemption in the Data Protection Act, Schedule 2 Part 1 section 2 (1) (a) (b) and (c) but they still must comply with the data protection principles so the request must be fair, lawful and reasonable. They should provide a specific request form to the school, signed by a senior officer, stating what they would like access to. The school should inform their Data Protection Officer and read the guidance on ‘Requests for Information by the Police and Law Enforcement’ on the Knowledge Bank.

We recommend you follow these steps-

1. get evidence of the claimed identity 
2. check the evidence is genuine or valid 
3. check the claimed identity has existed over time 
4. check if the claimed identity is at high risk of identity fraud 
5. check that the identity belongs to the person who’s claiming it

You can find a detailed guidance document on the Knowledge Bank.

Personal data should not be accessible in these spaces as there is a high risk of it being accessed by those who are not permitted to see it, thus committing a data breach. If personal data is required in these areas, it should be locked so only those who need it can access it.

A ticket can be submitted on the Knowledge Bank in the Support section. You can also email dpo@dataprotection.education and a ticket will be logged automatically.. 

The Breach log can be found on Dashboard. You may submit a breach by clicking the blue + button on the right hand side of the page.

Your DPO can be registered with the ICO here- https://ico.org.uk/for-organisations/data-protection-fee/your-data-protection-officer-is/ and an organisation's registration number can be found here- https://ico.org.uk/about-the-ico/what-we-do/register-of-fee-payers/ 

Please log all requests for data, regardless of who they come from or what data they are requesting. You may choose to not record the everyday/ business as usual requests, such as a copy of a letter home to parents. 

Yes. There are special rules and provisions about SARs and some categories of personal data, including:

• unstructured manual records;
• credit files;
• health data;
• educational data; and
• social work data.

The ICO detailed guidance provides further details of these special rules and provisions.

Yes. In appropriate cases, the ICO may take action against a controller or processor if they fail to comply with data protection legislation. The ICO will exercise these enforcement powers in accordance with our Regulatory Action Policy.

If you fail to comply with a SAR, the requester may apply for a court order requiring you to comply or to seek compensation. It is a matter for the court to decide, in each particular case, what action to take.

Yes. You need to be satisfied that you know the identity of the requester (or the person the request is made on behalf of). If you are unsure, you can ask for information to verify an individual’s identity. The timescale for responding to a SAR does not begin until you have received the requested information. However, you should request ID documents promptly.

Not usually. In most cases you cannot charge a fee to comply with a SAR. However, you can charge a ’reasonable fee’ for the administrative costs of complying with a request if it is manifestly unfounded or excessive, or if an individual requests further copies of their data.

No. An enforced SAR is when someone requires an individual to make a SAR to gain access to certain information about them (eg their convictions, cautions or health records). This information is then used, for example, as supporting evidence regarding a job application or before entering into a contract for insurance. Forcing an individual to make a SAR in such circumstances is a criminal offence.

You should consult The ICO detailed guidance for further detail about the circumstances in which it is unlawful to require an individual to make a SAR.

An individual can make a SAR verbally or in writing, including on social media. A request is valid if it is clear that the individual is asking for their own personal data. An individual does not need to use a specific form of words, refer to legislation or direct the request to a specific contact.

An individual may ask a third party (eg a relative, friend or solicitor) to make a SAR on their behalf. You may also receive a SAR made on behalf of an individual through an online portal. Before responding, you need to be satisfied that the third party making the request is entitled to act on behalf of the individual. It is the third party’s responsibility to provide evidence of their authority.

An individual is entitled to a copy of their personal data and to other supplementary information (which largely corresponds with the information that you should provide in a privacy notice). If an individual makes a request electronically, you should provide the information in a commonly used electronic format, unless the individual requests otherwise.

When deciding what format to use, you should consider both the circumstances of the particular request and whether the individual has the ability to access the data you provide in that format. It is good practice to establish the individual’s preferred format prior to fulfilling their request. Alternatives can also include allowing the individual to access their data remotely and download a copy in an appropriate format.

If an individual asks, you can provide a verbal response to their SAR, provided that you have confirmed their identity by other means. You should keep a record of the date they made the request, the date you responded, details of who provided the information and what information you provided.

As the controller of the information you are responsible for taking all reasonable steps to ensure its security. Please see the ICO detailed guidance ‘How do we provide the information securely?’ for more information.

Before responding to a SAR for information held about a child, you should consider whether the child is mature enough to understand their rights. If the request is from a child and you are confident they can understand their rights, you should usually respond directly to the child. You may, however, allow the parent or guardian to exercise the child’s rights on their behalf if the child authorises this, or if it is evident that this is in the best interests of the child. If a child is competent, they may authorise someone else, other than a parent or guardian, to make a SAR on their behalf.

The right of access, commonly referred to as subject access, gives individuals the right to obtain a copy of their personal data, as well as other supplementary information. It helps individuals to understand how and why you are using their data, and check you are doing it lawfully.

The exemptions are set out in Schedules 2 and 3 of the DPA 2018 and they are as follows:

• Crime and taxation: general
• Crime and taxation: risk assessment
• Legal professional privilege
• Functions designed to protect the public
• Regulatory functions relating to legal services, the health service and children’s services
• Other regulatory functions
• Judicial appointments, independence and proceedings
• Journalism, academia, art and literature
• Research and statistics
• Archiving in the public interest
• Health, education and social work data
• Child abuse data
• Management information
• Negotiations with the requester
• Confidential references
• Exam scripts and exam marks
• Other exemptions

The ICO detailed guidance explains how each of these exemptions works in practice. While the exemptions listed above are those most likely to apply in practice, the DPA 2018 contains additional exemptions that may be relevant when dealing with a SAR. For more information, please see the ICO guidance about exemptions.

You must comply with a SAR without undue delay and at the latest within one month of receiving the request. You can extend the time to respond by a further two months if the request is complex or you have received a number of requests from the individual, eg other types of requests relating to individuals’ rights.

If you process a large amount of information about an individual, you may be able to ask them to specify the information or processing activities their request relates to, if it is not clear. The time limit for responding to the request is paused until you receive clarification, although you should supply any of the supplementary information you can do within one month.

Where possible, you should consider whether it is possible to comply with the request without disclosing information that identifies another individual. If this is not possible, you do not have to comply with the request except where the other individual consents to the disclosure or it is reasonable to comply with the request without that individual’s consent.

The ICO detailed guidance provides further information on what you need to consider in these circumstances.

You need to respond to the requester whether or not you decide to disclose information about a third party. You must be able to justify your decision to disclose or withhold information about a third party, so you should keep a record of what you decide and why.

Where an exemption applies, you may refuse to provide all or some of the requested information, depending on the circumstances. You can also refuse to comply with a SAR if it is manifestly unfounded or manifestly excessive. The ICO detailed guidance explains the factors you should consider in determining whether a request is manifestly unfounded or excessive.

If you refuse to comply with a request, you must inform the individual of:

• the reasons why;
• their right to make a complaint to the ICO or another supervisory authority; and
• their ability to seek to enforce this right through the courts.

The request should be acknowledged and dealt with straight away. You should inform your Data Protection Officer immediately and take their advice on how to proceed. 

Where an individual has appointed a third party to act on their behalf, it is essential to ensure that is the case. You can do this by requesting identification and a signed authority. You may always wish to discuss the request with the individual to confirm their wishes. 

Where a parent is acting on behalf of a child, it is important that they have parental responsibility and that there are no court orders preventing them from accessing the information.

The best way to share information is always in the best way you can. Some schools may have secure file transfer software available to use, others may be able to share a password protected folder and for some, the safest way will be to hand deliver. If posting the information is unavoidable, please double-envelope the papers and write confidential information on the inside envelope. 

Any individual (pupil, parent, employee, governor, member of the public) can make a request for themselves or can appoint another person or organisation to do so on their behalf. This is most commonly seen with a client/solicitor relationship. Additionally, parents can exercise their childrens’ rights on their behalf. 

There is no legal limit on how to retain CCTV images and therefore it is best to consider how long would be necessary. For some, that would be 30 days as any incidents will have come to light, others choose 90 days to encompass the school holiday time period. 

This should be treated as a SAR and dealt with accordingly. Un-redacted images should not be shown or given prior to following the SAR process. 

When undertaking a new processing of high risk information (such as CCTV images) a Data Protection Impact Assessment should be undertaken. This assessment looks at the risks involved with such processing and whether any steps need to be taken to protect the personal data. 

Contain the data where possible by stopping the processing or asking the recipient to delete it. Contact your DPO and complete the data breach log.

This should still be logged as a breach and any recommendations followed. 

Unplug the computer from the internet by removing the ethernet cable or turning the Wi-Fi off.

If you are a victim of a ransomware attack we would recommend reporting this to Action Fraud: https://www.actionfraud.police.uk/ as well as your data protection officer so they can advise about the data loss.  Most cyber crimes like these will also need to be reported to the ICO by your data protection officer.

Isolate the infected device and pass to IT 

Always ensure there are backups you can restore from.

Little Guide to ACTION FRAUD

Use the Data Breach Assessment Matrix to determine what personal data categories and data subjects were affected:  Data Breach Assessment Matrix

Contact IT immediately for their support in curtailing the breach. Inform your DPO so they can take any necessary steps such as informing the ICO or the data subjects if appropriate. 

Any information which could identify, or lead to the identification or a living individual. This could include name, date of birth, health information and online identifiers such as IP address. General non-personal and business information would not be considered a personal data breach. 

A public authority has 20 working days, or 20 school days, to respond. Any request must be answered, even where an exemption is applied or no information is held. 

An FOI refers to a request under the Freedom of Information Act. The Act allows any individual or organisation to make a request to a public authority for information they have recorded.

An FOI can only be made to public authorities and does not cover personal information about any individual. A SAR can be made to any organisation and only covers personal information. 

Parents are allowed to take photos of their own children, as this is for domestic purposes and therefore isn’t covered by data protection legislation. Schools may ask parents to be considerate when taking photos/videos, and request that they don’t post them on social media.

You do not need consent for all photos and videos. Some of the photos held or taken will be for educational purposes, and where this is the case, consent is not required. However, photos such as the annual school photo have no educational purpose, and therefore require consent.

You may need consent for this type of processing, and there should be a contract/agreement in place. If you have any of these types of requests, please contact DPE.

The best way to do this is by firstly gaining consent from the parents whose information you wish to share. You should also ensure you are sending the information in a safe way in line with your data protection policy, ensuring the security of the information that you are sharing.

There is no defined legal requirement. You should make this clear in the consent forms when asking parents and pupils for consent. If you are unsure of retention periods, please contact DPE.

Any photographer should be treated the same as any other third party supplier/contractor. This means that there should be a contract in place to cover their services and agree how they will handle the photos. If you have any questions or are unsure about contracting with a photographer, please contact DPE.