GDPR recently celebrated its first anniversary, but there is still confusion in schools about data duties and obligations. Richard Skipper provides clarity on some common problems

May 25, 2019, marked the GDPR one-year anniversary. However, despite this milestone, there is still some confusion within schools over what exactly is expected of them with regard to data compliance – which is not all that surprising given the complexity of this area of law. Below are some of the common questions I come across and some quick advice.

If you want to share any personal data, no matter how much data or how important it is, you have to identify a “lawful basis” (a legal reason) to do it. The available lawful bases, in summary, are:

In the majority of cases, you can use the public task basis. If the data you are sharing is sensitive – known as “special category data” – you also need to decide on a “condition of processing”. Take particular care when establishing a lawful basis for sharing pupil and staff medical information and safeguarding information, as these are risky areas.

Register now, read forever

Thank you for visiting SecEd and reading some of our content for professionals in secondary education. Register now for free to get unlimited access to all content.

What's included:

  • Unlimited access to news, best practice articles and podcast

  • New content and e-bulletins delivered straight to your inbox every Monday and Thursday


Already have an account? Sign in here