What is Personal Information?
Personal information is anything relating to a person that can be used to identify them. This includes both manual paper records and digital records. In a school, examples of personal information include:
- Names of staff, parents and pupils.
- Dates of birth.
- Addresses.
- Parent’s bank account.
- Copies of parents’ passports
- Insurance numbers.
- School marks.
- Medical information.
- Exam results.
- Assessments and data.
- Staff development reviews.
Registering with the CNPD
Each individual school is a data controller and so must register with the CNPD. Failure to do so is a criminal offence.
Schools must notify the CNPD of:
- The purpose for which the school holds personal data.
- What data it holds.
- To which countries they intend to transfer the data.
- The source of said data.
- To whom they intend to disclose the data.
Fair Processing / Privacy Notices
When you collect information about a child, parent or staff member, you must be clear and transparent about how you intend to use it.
Schools need to explain in clear language that the personal data of everyone in the school (both staff and students) will be processed and why they are doing so (for example: to facilitate education or to arrange school trips).
In order to comply with the Data Protection rules, schools should have ‘fair processing notices’ or ‘privacy notices’ in place.
The aim of a privacy notice is to summarise what information is needed, why it is being collected and which third parties it may be passed on to. The person whom the information is about must give their consent in order for you to hold it.
Different services, such as primary versus secondary schools, have different data requirements. So each service needs an individual privacy notice.
Include the notice in any enrolment documentation and on the bottom of any forms used to collect personal information. It should also be displayed in the school reception area or on the school’s website. Many schools send out a copy of their privacy notice to students at the start of each school year.
When a letter or other document requires a student, parent, or staff member to provide personal data, fields that are vital could have an asterisk placed next to them. This make it clear to the person what they must fill in and where they can leave spaces blank.
Information must not be collected just because it might become useful later – it must be essential for the present intended purpose.
Information Security
Once personal information about students, parents and teachers has been gathered, it must be kept secure.
Unauthorised access or loss of information can cause serious harm to people. The CNPD can issue fines if they learn that appropriate safety precautions are not being taken.
Both manual and digital records need to be secure. The level of security should reflect the potential harm that could result from the loss or misuse of the data. Memory sticks perhaps need the most consideration as they are very easy to lose. Either avoid the use of memory sticks completely or ensure they are password protected and fully encrypted.
The 8 Data Protection Principles
- Data must be processed fairly and lawfully.
- It should be obtained only for one or more specified and lawful purposes
- All data held shall be adequate, relevant, and not excessive.
- Data should be accurate and up to date.
- It should be held no longer than for the purpose it was originally collected.
- All data should be processed in accordance with the data subject’s rights under the Act.
- Data should be secured.
- It should only be transferred to other countries if they have suitable or equivalent security measures.
The information provided throughout this guide helps you comply with all 8 of these principles.
Security Measures
Security measures need to be appropriate to the data being held. Furthermore, procedures should be in place to respond to any security breaches and prevent unauthorised access. Not all security measures need to be complicated: sometimes just a simple check-in and check-out system can help reduce risks.
Possible security measures for data protection include:
- Shredding all confidential waste.
- Using strong passwords.
- Installing a firewall and virus checker on your computers.
- Encrypting any personal information held electronically.
- Disabling any ‘auto-complete’ settings.
- Holding telephone calls in private areas.
- Checking the security of storage systems.
- Keeping devices under lock and key when not in use.
- Not leaving papers and devices lying around.
You must ensure that a hard drive is erased securely if you are physically disposing of it. Technical support may be required as simply erasing the data or formatting the drive might not be enough.
Sharing Personal Information
There are occasions where sharing personal data with local authorities, other schools, different departments or social services cannot be avoided. It may be that without sharing the data, actions cannot be completed.
For example, you may need to pass on details about a child showing signs of harm to social services, or another school may need to know which pupils will be present at their sports day event.
You must consider all the legal implications and ensure that you have the ability to share the specified data.
For example, what is the intention behind sharing? Who requires the data, which data is needed and what will it be used for?
Consent must be given by the individual before their personal information can be shared. This is usually part of the privacy notice issued when the data is first collected.
This applies whether you are sharing data between people or online, such as photographs on the school’s Facebook page.
Letters sent from schools to parents should have a data protection statement at the bottom where relevant. For example, if a reply slip is included and requires providing personal data).
Data should only be transferred to other countries if they have suitable or equivalent security measures.
All European Union countries have equivalent data protection rules, so it’s safe to transfer to them if necessary. However, explicit consent should be acquired from the individual if personal data needs to be processed outside of the Luxembourg. If the school cannot establish a safe system of data protection with a country outside the EU, they should not even consider sharing personal data.
Sensitive Personal Identifiable Information (SPII)
This refers to information about more sensitive topics. For example: a person’s race and ethnicity, political opinions, religious beliefs, membership of trade unions, physical or mental health, sexuality, and criminal offences.
There are greater legal restrictions on sensitive personal data than regular personal data. Most schools will hold some form of sensitive data about pupils and staff, so processing this requires extra care.
Holding Data and Keeping it Up-to-Date
During the time when you hold data about a person, and for as long as it is being used, it must be monitored for accuracy. It’s essential that you ensure it remains relevant and up-to-date.
Carry out an information audit at least annually.
- Write a letter at the start of each school year asking parents and students to check that their details are correct. This also helps prevent emergency risks, e.g. if an old address or phone number is on record.
- Check that ‘live’ files are accurate and up to date.
- Any time you become aware that information needs amending, do so immediately
Any personal data that is out of date or no longer needed should be ‘destroyed’. This may involve shredding documents or deleting computer files securely so that they cannot be retrieved. - Schools must follow the disposal of records schedule. This schedule states how long certain types of personal data can be held for until it must be destroyed. Some stipulations are legal obligations while others are best practice.
You are violating the Data Protection Law if you keep any data for longer than it is needed.
Schools must not acquire data and process it in any manner that doesn’t relate to the intended purpose. For example: data acquired about students for assessments can’t then be used on the school’s website.
Determining what may be excessive includes looking at forms and deciding what information is absolutely critical for the intended purpose. Anything else may be considered excessive and irrelevant.
Taking Photos in Schools
When is consent needed/not needed for photos?
- Personal use: parents photographing/videoing the school play. Consent is not needed.
- Official school use: photos or videos taken for use in the school prospectus and on the website.
- Consent is needed from the person being videoed or photographed. Media use: photos taken for a newspaper article. Consent is needed.
If an image of a student is used their name must not accompany it and vice versa.