GDPR and safeguarding in schools: what you need to know

The General Data Protection Regulation (“GDPR”), which came into force on the 25 May, needs no introduction. You probably know that it is a European law which governs what we can and can’t do with people’s personal data. It will apply directly to us and will be incorporated into our laws post-Brexit by the Great Repeal Bill which will swallow it whole into our own legal framework.

What you may not know is that the Data Protection Act 2018 (“the DPA”), which came into force last month, is our own law which will supplement GDPR and govern matters which are not covered specifically in GDPR. And data protection issues surrounding safeguarding is just one of those matters which the DPA deals with. So what do you need to know about what GDPR and the DPA say about safeguarding? In this article we aim to bust some of the myths as to how GDPR and the DPA might affect safeguarding and share some tips of what you need to do to be ready.

Busting some myths

Does GDPR ‘trump’ safeguarding? What if we don’t have consent to share safeguarding information about pupils, parents or staff?

GDPR does not ‘trump’ safeguarding if you have concerns about sharing information about a safeguarding matter – whether within the school or externally. You won’t need the individual’s consent to share the information in most circumstances.The DPA goes into detail about exactly what those circumstances are, but the principle set out in Keeping Children Safe in Education, the statutory guidance for schools and colleges on safeguarding, is helpful:“Fears about sharing information cannot be allowed to stand in the way of the need to promote the welfare and protect the safety of children.”If you have any doubts, get legal advice.

Do we have to delete safeguarding records because of GDPR?

The simple answer is ‘no’. The GDPR principle is that you don’t keep personal data any longer than you need it for. But how long will you ‘need’ safeguarding information for?It is for your school to decide what your retention policy is. There are some benchmarks out there – where there are concerns about a pupil or member of staff, one association we work closely with retain records for a period of 50 years. The courts have also held that a period of 30 years is lawful where the reason for holding that information is for an ex-pupil to come back to the school to retrace their story and understand what happened to them in their time at the school. You may also find it helpful to talk to other schools about what their policy is.For both state and independent residential schools the Independent Inquiry into Child Sexual Abuse has issued a guidance note saying that, for the duration of the Inquiry, residential schools should be retaining all information that may assist its investigations. What might assist the Inquiry? It is impossible to say – and the response of most residential schools has been to decide to retain everything whilst the Inquiry is ongoing.It’s also worth knowing that the rights pupils and staff have be forgotten and object to processing of their data are limited and are unlikely to allow them to force schools to delete such data providing the school can justify their continuing to hold it.The lesson here is not to delete any safeguarding personal data without getting specialist advice.

Do we need to appoint a Data Protection Officer (“DPO”)?

Are you a maintained school, an academy, a free school or a multi-academy trust? If so, then yes you do. The Department for Education has a section in their recently published Data Protection ‘toolkit’ on how you might approach this duty.The ‘toolkit’ in its current form assumes all schools will have to appoint a DPO. This is misleading if you are an independent school, as the position for independent schools is different – as the Information Commissioner’s Office (“ICO”), our data protection regulator, has recently acknowledged.Most independent schools we advise are taking a “wait and see” approach on the basis that (1) neither GDPR, the DPA or any of the regulator’s guidance give any clear steer on whether they would be required to do so; (2) the time and financial cost of training an existing employee or taking on an extra member of staff or consultant are not inconsiderable and (3) there are practical challenges of complying with the GDPR requirements which independent schools – particularly smaller schools with limited resources – are understandably reluctant to face if they do not need to.

3 things you need to do

Get everyone on board

Like safeguarding, data protection is everyone’s responsibility and should be child-centred. This is never going to happen without giving all your governors and staff training to understand what their duties and responsibilities are. Data protection is all about protecting people – not just files and computer systems.Whether you do it yourself, buy in materials or get someone else in to provide training, make sure it’s relevant to your school context.

Get digging to work out what safeguarding data you have

One of the first things to do is to start digging to work out what personal data your school is processing. Whether you like flow diagrams, spreadsheets or lists, here are some of the questions you need to answer before you can start working out how GDPR and the DPA applies:

  • What safeguarding data do you hold which is personal data?
  • Where and when did you get it?
  • Where is it held?
  • How do you keep it secure?
  • Who do you share it with?
  • Who has access to it?
  • Why do you need it?
  • How long do you need it for?
  • What did you tell people you were going to do with it?

Why do you think you’re allowed to process it? Safeguarding data won’t all be in your Single Central Register. It may be scattered far and wide – in medical records, email chains, pupil files, CCTV records and alumni records to name just a few examples.This exercise – your ‘data audit’ – will take some time so if you haven’t already started, get digging!

Take a risk-based approach

Once you have conducted the audit exercise described above, you then need to get busy working out where the gaps are between what you currently have and do and what GDPR/the DPA require. You won’t have the resource or the time to deal with all the issues at once so take a risk-based approach. Compliance in respect of your safeguarding practices and the sensitive safeguarding information you hold is going to be a fairly high priority so work out what other high compliance priorities there are and get started on those first!Schools are complex and one individual member of staff can’t solve GDPR. Get a team together, don’t panic and get help if you need it!

For further advice on the above topics, please contact us.