The aim of a data protection policy is to help staff understand how to safely and fairly process personal information.

The policy should include practical guidance on what can and cannot be done with data. Furthermore, it should be communicated to employees regularly. It’s important that all staff receive guidance on the confidentiality of personal information.

The policy will stipulate how individuals can use the internet and email for private communications securely. It should also cover issues of security when the school’s intranet is accessed from outside of the school grounds via a phone or tablet etc.

Aspects that a use policy should cover include:

• Email – is homework or other personal data allowed to be shared between students and staff via email? Can it be done securely? Can emailing parents sensitive data be avoided? When sending bulk emails, are staff using BCC so that potentially hundreds of email addresses not disclosed?
• Chat rooms – students should only have access to chat rooms that are educational in nature and are moderated. As part of e-safety education, teach students to never give out their or others’ personal data over chat.
• Mobile technology – the policy should stipulate how these can be used securely and safely and what restrictions apply where needed. Aspects to consider include video messaging, mobile access to the internet, entertainment services (e.g. streaming), and information-based services.
• School websites – a clear, detailed privacy statement should be displayed on the website. It should state how any information the school acquires will be used