Obligations for Schools

You will need effective Data Protection policies, procedures and regular employee training.

Schools are required to assess the suitability of all suppliers and contractors who process personal data on their behalf (i.e. data processors) and have written contracts in place, stipulating the clauses set out in Article 28.

Schools need to identify and record what categories of personal data they are processing; why; how long it is kept for; who it is shared with and a brief description of the security measures they have in place to keep it safe. This document must be provided to the Information Commissioner's Office or the public upon request.

Proportionate and adequate technical security measures, policies and procedures  must be implemented to ensure data protection compliance is built into everyday practices.

Data protection impact assessments must be carried out prior to any processing of personal data, which could result in high risks to the rights and freedoms of data subjects.