Articles 12-14 of the GDPR
There are new requirements to publish more information in Privacy Notices - these include the contact details of your Data Protection Officer; the purpose and lawful basis for processing personal data; how long you keep the data for; who you share personal data with and so on.
Article 15 of the GDPR
Otherwise known as a Subject Access Request- this enhanced right entitles pupils, parents/guardians and employees to receive a copy of the information the school holds on them for free and within one month. Maintained schools have additional duties under The Education (Pupil Information) (England) Regulations 2005 and must provide education files to parents/guardians within 15 pupil days.
Articles 16 and 17 of the GDPR
Individuals are entitled to have inaccurate personal data rectified or incomplete information completed and have their personal data deleted in cases where the data is no longer needed or if the individual withdraws consent. This right does not require a school to delete data upon request, if the school is complying with a legal obligation in holding it, for example if the school is required under statute to collect and retain the data for a certain length of time.
Article 21 of the GDPR
By default, individuals have the right not to receive direct marketing, which means that schools will have to gain explicit 'opt-in' consent before sending out marketing material. This will be relevant where schools target individuals for fundraising; advertise their school prospectus or send out advertising literature for other organisations.
Copyright © 2019 Firebird Data Protection Consultancy - All Rights Reserved.