rsimmonsltd@gmail.com 07704-838512
Personal, practical and affordable Data Protection support for schools and colleges
GDPR Templates for Schools
Privacy Notices
Schools should use their Privacy Notices to inform pupils, parents, staff and Governors about the information that will be collected and how it will be processed.
The Privacy Notices must inform individuals about their individual data protection rights, the legal basis under which their data will be processed and how the school will process their data securely.
Templates are provided below as a guide for schools and should be adapted to reflect the school's specific policies and procedures.
Privacy Notice - Pupils and Parents
Privacy Notice - Staff
New - September 2023
Data Protection Do's and Don'ts
for office staff and teachers
Schools have a range of policies, procedures and templates available to support them in keeping personal data safe.
This document provides a few lines on what each document does to help the school to remain GDPR compliant.
It also highlights some key practices that are helpful to office staff and teachers to keep information safe, plus some dangerous practices that should be avoided as far as possible.
Subject Access Requests and Breach Management
Under normal circumstances, schools must be able to provide data subjects (people) with a copy of their personal information.
It is important that the school uses a formal process to manage this process so that information is only given to those who are entitled to receive it, the disclosure of information does not impact on the rights of other data subjects and that it is provided within the required timescale.
It is equally important that the school records, monitors and resolves any data breach. Again there are specific requirements that must be observed in the event of a breach. Failure to comply with these requirements can lead to individuals and organisations being held accountable and subject to financial penalties.
Individual Rights Request Form (Including SAR)
Breach Management Process
Record of Processing Activity
& Retention Schedule
The Record of Processing Activity (ROPA) allows schools to identify and record all the processing activity that involves Personal Identifiable Information. A simple template can be used to effectively capture what processing is taking place, the controllers and processors of that information, the legal basis for processing, why it is being processed and how long it will be held. The processing of personal data of parents, pupils, staff, Governors and volunteers must all be recorded. This template provides the majority of processing activity, allowing any additional activity specific to be added by the school.
Record of Processing Activity (ROPA)
Although the ROPA contains some indicative retention periods for personal data, the Retention Schedule provides a more detailed summary that takes into account the legal and financial requirements to hold records beyond their processing period. This template is based on national guidelines that will cover the majority of the schools processing activity.
Retention Schedule
Data Protection Policy and Data Protection Impact Assessment
Schools are responsible for ensuring data is held securely. This means every effort must be taken to ensure data is not lost or accessed by an authorised person or organisation. The Data Protection Policy lets individuals know how yu will keep their data secure.
Before introducing any new technology or procedures, the school must consider the risks to the data. To do this it should complete and Data Protection Impact Assessment.
Data Protection Impact Assessment
Data Protection Policy and Information Security Policy
Freedom of Information Policy and Requests
The Freedom of Information Act (2000) gives individuals the right to ask any public sector organisation for information they hold.
Anyone can ask for the information held by the school. A FOI request is different to a GDPR Subject Access Request in many ways. These include the time allowed to respond, limits on time allocated to the request, potential charges and the absence of personal information. Schools should have a FOI Policy, which includes a Publication Scheme for the school.