What the General Data Protection Regulation means for schools

What data do you have about them? Photo via Stencil, CC0 licence.

What data do you have about them? Photo via Stencil, CC0 licence.

The primary focus of schools always has been and always will be on education. However, in providing an education that is fit for purpose for every child, a school amasses a huge amount of data: pupils’ names, their dates of birth, home addresses, parent and guardian details, even photographs. That’s before we even come on to looking at patterns of behaviour: attendance, lateness, attainment, and conduct.

When the kind of data collected is itemised like that, it is easy to see what a potential minefield every school is standing on. Put starkly, in the wrong hands that data would be an identity thief’s or paedophile’s paradise.

It’s for that reason that data protection in general, and the forthcomingGeneral Data Protection Regulation (GDPR) in particular, must be taken seriously. Schools not only need to know what information they have for each pupil, they need to know where it is held. This has always been the case under the Data Protection laws, but the requirement is even more explicit under GDPR. 

The data also needs to be secure, and that includes backups. The days when a school could take a weekly backup and store it in a cupboard, or in a Deputy Headteacher’s house, are over. The most sensible option these days is cloud storage, properly encrypted.

If this all sounds onerous, the reality is that the GDPR represents data protection legislation catching up with both technology and expectations. 

Software technology has developed to the point where collating the data and making it available in suitable formats is straightforward.

As for expectations, people these days are far more concerned about what data they share, and with whom. They trust organisations that are transparent about these issues. And surely trust is the best basis for a healthy relationship with parents and children?

For more information on the GDPR, please visit the Information Commissioner’s guidance.