Back to School Special: Data Protection in the Education Sector

Schools, by their nature, hold a special place in society. Outside of the family unit, they are one of the core formative institutions for most people’s development. From a data protection perspective, they are complex as controllers and processors as they process large volumes of personal data of a group deemed vulnerable for a relatively long period. Also schools are both  controller and processor as due to databases of government departments they are required to use (where they are not the controller). 

In particular the following issues can confuse the data protection efforts of a school;

  • Legal basis: as mentioned above schools are at times strictly regulated by legal obligation for the provision of education, child safeguarding, health and safety, special education assistance, and data transfer (to certain bodies) among other things.  However, schools do not always know the exact impact of these obligations and the effect of these on their data processing e.g. they may be using incorrect legal bases. 

  • Data Subject rights: Parents / Guardians provide the data on behalf of the child and issues of subject access can be complicated as students age and in instances of parental separation. 

  • Data Retention: Past pupils require their data for entry into further education (post primary or third level) or for inter school transfers.  Some of the data of schools have longer term value outside of its initial purposes for historical records archiving and for use by the data subjects in adulthood (e.g. proof of residency etc.)

  • Special Category data: Schools collect large volumes of sensitive personal data in order to do their work, especially as the students are in the school for over five years (over seven years for primary schools). Information about ethnicity is requested in certain circumstances by the Department of Education 

  • Accountability and Governance: Schools come in all shapes and sizes some have a religious, health or linguistic basis and transfer data with the specific bodies for their respective pastoral or community needs outside of their core educational remit. In extreme cases, schools can be in a situation where they are transferring excess amounts of data to a body without any agreed data protection agreements or procedures in place. 

Let me start by saying there is no one-stop-shop answer for each issue above as each school will be different. However, in general I would advise schools to follow the following steps to work toward compliance;

  1. Conduct an audit: this will help the school know what data they have and why through a data flow map exercise. In addition, an outside auditor investigating the application of GDPR rights, principles and obligations by the school will show where it needs to improve. 

  2. Understand the various legal basis that apply to your school and when. It depends on the process what legal basis will apply – consult your peers and data protection advisors. One piece of advice on consent if you rely on consent for a process and the data subject or guardian remove it question what impact this would have longer term. For example you wouldn’t ask for consent for CCTV but you might ask consent for use of school photography which shows data subjects on the website. Always question if consent is the right basis as another basis may be better suited such as legal obligation or legitimate interest. If you use legal obligation you will need to be sure it applies and know the regulation name and section. For legitimate interest, a ‘Balancing Test’ may be required to show that this basis is reasonable and in line with expectations of data subject and does not impact negatively on their privacy rights and freedoms. 

  3. Develop a Retention schedule: Once you know what documents you have, what legal basis you process them under if you haven’t already it is time to draw up a retention schedule. This is a list of documents that contain personal data and explanation of why and for how long. This will guide storage and disposal. GDPR doesn’t stop you holding documents but it does require that the data held shouldn’t be excessive and should be appropriate for the purpose. Sectoral or education group bodies and government agencies will provide some of the time-frames. Developing retention schedules can be time consuming. Make sure they are appropriate for the exact needs of your school in some instances you may need to keep documents for longer due to legal claim or other legitimate reason. Also bear in mind as the pupil turn eighteen they have a right to see their data as adult.

  4. Have policies and procedures: Have a written policy and set procedures in place that detail the school’s approach and the staff responsibility. Make it available for staff and enforce it. the policy can be used to detail the approach to issues of parental access, consent and subject access for data subjects as they age.

  5. Inform the data subjects: have a privacy statement on the school website and notices of fair processing on forms to detail what, how, where and why the school process data. Have notices for CCTV that detail your basis for processing. Most schools will not have a data protection officer so therefore have a named representative handling data requests such as the principal.

  6. Governance and accountability: Keep track of your compliance through registers that record each instance of breach, subject access, training etc so that if audited by the national supervisory authority you can show what you did to date. These are also useful when you are working through a subject access request from start to finish or need to show data was already supplied.  

  7. Train your staff: this to my mind is the bedrock of your compliance. If staff don’t care or are not invested in data protection all the above efforts will be in vain. GDPR compliance is a journey not a destination therefore bring your staff along this journey so they know what their responsibilities are and why this is key to your school’s work. It is not only in the school’s interest but in theirs as data protection regulations will continue to be in use throughout their working lives. 

  8. Keep data secure and accessible only to those who need to have access. Have child data under lock and key, have solid passwords for access to computers and review your IT security. 

  9. Regulate your suppliers: GDPR requires processor agreements with processors (suppliers) so make sure you have specific data protection processor agreements in place to regulate the safe transfer, procedures and roles of each party. 

This is a good foundation to building a data protection culture in your school. As schools are under increased scrutiny, it is important for parents, staff and students to trust the school knows what it is doing with their data. 


Enguard can assist with the issues which GDPR raises for schools from audit, security, staff training to drafting policies and procedures. For further details please call us at Enguard on 0818 252 052 or email We would love to hear from you!


Disclaimer: Please note the above article is an opinion piece based on current sources of information available at the time of publishing. It should not be read as legal, clinical or other form of technical advice for the processing of data by processors or controllers. 

Kenneth Baker