Most of what schools do involving personal data, do not require consent, unless for example they photograph a school event and publish the images; collect and use biometric information (e.g. fingerprints) or send out direct marketing communications (particularly by electronic means).
Under the new GDPR rules, schools will need to demonstrate that consent has been obtained freely, it is specific and not general, the person giving it is fully informed and the consent wording is unambiguous.
Schools will be required to keep clear records of all consent they obtain and they must inform individuals of their right to withdraw consent at the time, and offer easy ways to do this.
Consent can be sought direct from children (under 18s), providing they have the capacity to understand the implications of their decision. The Department for Education (DfE) suggests (in the DfE Data Protection Toolkit for Schools) students aged 13+ are likely to have capacity in this regard.
When making any decisions involving children’s data, the child’s best interests must be the deciding factor.
Copyright © 2019 Firebird Data Protection Consultancy - All Rights Reserved.