Posts

“We’re Getting Fingerprint Scanners!” – Wait… Did Anyone Do a DPIA?

There’s a certain kind of email that arrives in a school inbox that immediately raises eyebrows. It starts with something like:

“Exciting news! We’re trialling new biometric scanners in the canteen to speed up lunch queues!”

It’s followed by promises of efficiency, reduced lunch line chaos, and fewer forgotten PINs. On the surface, it sounds brilliant. Who wouldn’t want a futuristic solution to an age-old problem?

But here’s the thing: before you ask a group of eleven-year-olds to hand over their fingerprints for a chicken nugget, you need to stop and ask a bigger question… Have we done a Data Protection Impact Assessment (DPIA)?

You may wonder why it is so important. A DPIA isn’t just some bureaucratic hoop to jump through. It’s a vital safeguard designed to help schools understand how a new system or process might affect people’s privacy, especially when you’re dealing with sensitive or high-risk data.

In schools, we hold data about children who are arguably some of the most vulnerable individuals in society. Introducing new tech that collects biometric data (like fingerprints or facial recognition) raises serious privacy concerns. Biometric data is classed as “special category data” under the UK GDPR, which means it requires extra care and justification.

A DPIA helps you figure out: What data is being collected, why you need it, what risks it poses to individuals and, how to mitigate those risks. Even more crucially, it helps you decide whether the shiny new system is really necessary in the first place.

Let’s return to that canteen scanner idea. The supplier promises that fingerprinting pupils will slash queue times and reduce cash handling. Sounds efficient, right?

But have we asked:

  • Do we really need biometric data for this?
  • Could a swipe card or QR code achieve the same result with less risk?
  • What happens if a student refuses to give their fingerprint?
  • How securely will this data be stored and, who can access it?

Without a DPIA, these questions may never even surface.

Or take another example: your school is rolling out a new online safeguarding tool that uses artificial intelligence to flag potential risks based on student writing. Impressive? Maybe. Intrusive? Potentially. A DPIA would help you assess whether the tool’s benefits outweigh the privacy implications, and what safeguards should be in place.

Remember… behind every “data point” is a real child. Their birthday. Their behaviour record. Their image. Their fingerprint.

A DPIA isn’t about red tape. It’s about respecting the trust families place in us. It’s about making thoughtful, informed choices, not just because it’s the law, but because it’s the right thing to do.

And honestly, it’s also about protecting your school. If things go wrong, if a data breach happens, or parents push back, a completed DPIA shows you took privacy seriously. It shows you were proactive, not reactive.

A Culture Shift, Not a Paper Exercise

The best schools aren’t just doing DPIAs to tick a box. They’re building a culture where people ask early on:

“Could this new system affect how we handle personal data?”

“Do we need to speak to the Data Protection Officer before we go ahead?”

“Have we thought this through, not just for us, but for our students?”

That’s where real digital responsibility begins. Not in a policy document, but in everyday conversations.

So next time someone suggests a new app, platform, or process… pause. Before you roll it out, before the training sessions and the excited emails, check whether a DPIA is needed.

Because in a world where data is power, doing a DPIA is how we wield that power wisely. Not to impress with tech, not to dazzle with dashboards but, to protect, to consider, and to educate with integrity.

/by

Curtain Up, Camera Out: Navigating Photos, Videos and GDPR at the School Play

It’s opening night. The school hall smells faintly of paint and paper mâché. There’s a Year 5 pupil with a cardboard crown that’s just a little too large for their head, nervously adjusting their costume backstage. Parents are streaming in, phones at the ready, clinging to the best seats like it’s Glastonbury. You’ve made it to the school play and so has the annual data protection dilemma.

Because as predictable as last-minute prop malfunctions and forgotten lines, come the whispered queries: “Can I film this?” “What if someone else’s child is in the shot?” “Are we even allowed to take photos anymore?”

Ah yes, welcome to the wonderfully confusing world of data protection and school performances. Where nativity scenes meet nuanced legislation, and Mary’s not the only one cradling something precious.

Let’s start with the basics. Parents taking photos or videos for personal use? Absolutely fine. UK GDPR isn’t interested in mums and dads snapping a picture of their little star as the third shepherd from the left. That’s considered a “purely personal or household activity,” and data protection laws don’t apply. Parents can cheer, film, and Instagram away, within reason.

But let’s say a parent asks for a copy of the school’s official video of the play. Now we’ve stepped into a different category. If the school is recording or photographing the event, it’s processing personal data. That means GDPR applies. The school must be clear about what it’s capturing, why, and how that footage will be used or shared.

It’s here that things can get thorny.

For instance, imagine you’ve got a pupil in Year 4 whose parent has specifically requested their child not be photographed, perhaps due to safeguarding concerns. If that child ends up in the wide-angle shot of the final scene, and the video is later shared on the school’s website, that’s not just a mistake, it’s a potential data breach.

So schools have to tread carefully. It means thinking ahead. It means letting parents know in advance what will be filmed, how long the footage will be kept, and getting clear consent for public use, especially if the content might be shared beyond the school community.

Then there’s the grey area of social media. Suppose a proud grandparent posts a clip of the school play on Facebook, featuring multiple children in the background. No malice, no agenda, just pride. Still, if that video ends up widely circulated or accessible to people outside the immediate circle, concerns can start to surface. And suddenly, the school may get complaints from parents who hadn’t realised their child might appear in someone else’s family montage.

Educators often find themselves caught between celebrating achievements and navigating consent. You want to showcase the joy, the creativity, the culmination of weeks of rehearsal. But you also don’t want to inadvertently violate someone’s privacy or their trust.

So what can be done?

Communication, as always, is your best friend. Set expectations early. Let families know what the school’s policy is on filming and photography. Provide opportunities for opt-outs and be clear that personal recordings must not be posted publicly without consent from all those featured.

And if you’re recording the event as a school, make sure your privacy notices are up to date, your consents are meaningful, and your editing software is ready just in case someone needs to be cropped or blurred.

One school I worked with handled it beautifully: before the play, the headteacher gave a warm, informal announcement. “We know you’ll want to remember tonight,” she said. “Feel free to take photos of your own child, but please be mindful of others. Let’s celebrate the magic without forgetting that we all have different comfort levels.”

The audience appreciated the reminder. Phones were out, but respectfully so. And not a single complaint followed.

Ultimately, the aim isn’t to dampen the occasion, it’s to protect the people in it. Children deserve to shine on stage without worrying about where that footage might end up. And parents deserve clarity about how their children’s images are being used.

So as the lights dim and the narrator clears their throat, take a breath. You’ve got the play under control. And with a little forethought, you’ve got the data protection side covered too.

Break a leg, and maybe set your camera to “portrait mode.”

/by

“But Why Do We Still Have That?” – Why Data Retention in Schools Matters More Than You Think

Picture this: You’re clearing out a dusty old cupboard in the staffroom and stumble across a stack of paper files labelled “Year 11 – 2009”. A mix of test scores, behavioural logs, and, oddly, a permission slip for a trip to Alton Towers.

Your first thought? How did this survive the last clear-out?

Your second? Should we even still have this?

If you’ve ever found yourself asking those questions, you’re not alone. But when it comes to managing personal data in schools, it’s not just about tidiness or storage space, it’s about legal responsibility, privacy, and respect for the individuals behind the information.

Let’s talk about data retention, and why getting it right is more than just best practice, it’s the law.

Data Isn’t Just Data. It’s Someone’s Life Story

In education, we collect a lot of data: names, addresses, medical notes, academic records, safeguarding files, staff performance reviews, you name it. And it all serves a purpose… for a time.

But once that purpose is fulfilled? Keeping it longer than necessary can be a breach of the UK GDPR and Data Protection Act 2018 (DPA).

The GDPR (General Data Protection Regulation), still part of UK law post-Brexit, tells us that personal data must be:

  • Accurate
  • Kept up to date
  • Not kept longer than necessary

In other words: Just because you have it, doesn’t mean you should still keep it.

“Just In Case” Isn’t a Policy

One of the most common phrases you’ll hear in schools when asking why old data still exists is:
“We might need it one day.” But the law says otherwise.

Every piece of personal data must have a defined retention period based on its purpose. These periods should be recorded in your data retention policy or information asset register, which should be reviewed regularly.

Let’s look at a few examples:

  • Safeguarding records? Kept until the child is 25 (or 6 years after the last entry if the child was not looked after).
  • Recruitment records for unsuccessful applicants? Typically 6 months.
  • Staff employment files? Usually retained for 6 years after employment ends.

These timeframes aren’t arbitrary. They’re based on legal, educational, and best practice guidance (such as from the IRMS toolkit for schools).

Imagine if a former pupil, now 30, asked for all the information you still held about them. Could you confidently justify why you still have that Year 8 report from 2006?

Or worse, what if their data was part of a breach and it turned out it should have been deleted a decade ago?

This isn’t just theoretical. Schools have been fined for poor data management practices, including keeping data for far longer than necessary.

So what can schools do to stay compliant and responsible?

Have a Clear Retention Schedule

Refer to sector-specific guidance (like the IRMS Records Management Toolkit) and document retention periods in your data protection policy.

Build a Culture of Data Hygiene

Make data deletion as routine as fire drills. Annual “digital spring cleans” can be helpful for reminding staff to review and remove old files.

Use Technology Wisely

Modern MIS and HR systems often allow automated data archiving or deletion after a set period. Use these tools, but make sure they’re configured correctly.

Train Your Staff

Teachers and admin staff are on the frontlines of data processing. Make sure everyone knows why data retention matters—and what they’re responsible for.

Final Thoughts: Respecting the Past Without Hoarding It

Data retention might not be the most glamorous part of running a school, but it is one of the most important for protecting your pupils, your staff, and your reputation.

Ultimately, it comes down to this: Respect the data as you would respect the person it belongs to.

You wouldn’t keep old student essays or report cards pinned to a noticeboard for years, so why keep their digital (or paper) equivalents indefinitely?

Managing data well isn’t just about compliance, it’s about ethics, trust, and good governance.

So next time you come across a file from five headteachers ago, ask yourself: Why do we still have this? And if there’s no good answer, it might be time to let it go.

/by

“Can I Share That?”: Why Regular GDPR Training Matters in Schools

It’s a typical Tuesday morning in the staffroom. Someone’s burnt their toast, the last tea bag has mysteriously vanished, and your inbox flashes up with a reminder: “Mandatory GDPR Refresher – 20 minutes.” There’s a quiet groan. Not because anyone doubts its importance but because, for many, data protection training sits firmly in the category of necessary but dry.

And yet, in schools, the relevance of GDPR couldn’t be more real. Far from being a background compliance exercise, it’s something woven into nearly every task we undertake whether we realise it or not. It’s in the way we send emails to parents, the way we store SEN reports, or how we display pupil names on classroom walls.

The truth is, GDPR awareness isn’t a one-off event. It’s a practice. And like all good practice, it requires routine reflection, updated understanding, and yes, refreshers.

Take, for example, a school that proudly circulated a birthday list to families in a class newsletter. A small act of celebration, warmly intended. But one child on the list was under a court order that required their identity to be protected. The result wasn’t malicious, but it did amount to a serious lapse in data handling, one that could have been avoided with more regular, scenario-based reminders.

Every member of staff in a school; teachers, support staff, lunchtime supervisors, even volunteers, comes into contact with personal data. That might be in the form of a safeguarding note, an attendance register, or a photo taken during a school trip. It’s not the presence of data that’s the issue, but how thoughtfully and lawfully it is used.

Regular GDPR training and awareness sessions provide the confidence and clarity staff need to navigate this landscape. They help reinforce the day-to-day decisions like locking screens, avoiding personal email use, or checking consent for photographs, that protect children’s rights and safeguard the school from reputational and legal risk.

Some schools are rethinking the format of these refreshers. One primary school incorporated short GDPR tips into their weekly staff briefings: “This week’s reminder is about using BCC in group emails.” It was informal, quick, and incredibly effective at keeping privacy principles front of mind without overwhelming staff.

Others have taken a more reflective approach, using anonymised real-life incidents from within the school to frame learning: “Remember when a report was accidentally emailed to the wrong parent?” These moments serve as powerful learning tools. They aren’t theoretical, they’re rooted in the real and immediate experience of the staff team.

In a world of competing priorities, it’s easy for GDPR to feel like a tick-box activity. But when an incident happens, be it a data breach, a complaint, or a safeguarding issue, it instantly becomes urgent and central. At that point, it’s not just about compliance. It’s about trust.

GDPR, at its core, is about respecting people, their privacy, their safety, their dignity. Educators are entrusted with not only children’s learning, but their stories, their vulnerabilities, and their personal details. That trust deserves care and vigilance, not just once a year, but as part of our professional mindset.

So, the next time a GDPR refresher request lands in your inbox, perhaps see it for what it is, a professional check-in that helps you protect your pupils, your school, and yourself. It’s not about ticking a box, it’s about reinforcing a culture of thoughtful, respectful data handling.

Because good data protection practice in schools isn’t about fear. It’s about professionalism, empathy, and safeguarding, both online and offline.

/by

Careless Talk Causes Breaches

(and can be costly too!)

 

GDPR is not normally associated with parties, but recently I heard the end of a conversation about an office Christmas party and it set me thinking about the impact that a misplaced sentence can have. Friendships and working relationships can be badly damaged, in some cases, irreparable.

If I choose to pass on my unvarnished opinion about a colleague during the Christmas bash, then I can find myself in a lot of trouble. If on the other hand, I whisper information that has come from the data controller then not only am I in hot water, but I’ve also given the extra present of a data breach.

Paragraph 4, Article 32 of the GDPR says:

“The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law.”

Put more simply, you must ensure that people are given clear guidance about what they can and can’t do with personal data and you must ensure they stick to those rules.

Bear in mind that it doesn’t matter how information is disclosed for it to be a breach. Whether you’ve been hacked, sent an email to the wrong person, lost a paper file or repeated information to someone who shouldn’t know it, a breach has occurred.

With verbal disclosure the situation is often made worse by the fact that our natural desire is to share more ‘interesting’ information, which is also usually more confidential and leads to greater upset.

We’ve seen examples where incidents have been dealt with from a disciplinary standpoint but have gone unrecognised as a data breach. Obviously, if you need to report the breach to the ICO, you’ll have to explain why you missed the 72-hour deadline for reporting. It is difficult to say that you have a sound regime for data protection but missed this high-profile target.

What steps should you take to avoid these issues:

Training
  • All your staff need to know about the risks of verbal disclosure. Include it in your normal GDPR training but you may need to provide a special briefing. As well as knowing that they need to notify your DPO or GDPR lead, it’s a great time to remind people of the perils of letting information slip.
Easy reporting
  • Take away any barriers that prevent staff from alerting you to an issue. Have an email address just for staff to alert you of issues or consider an online form.
A response procedure
  • If people do report issues then you need to have a well-established procedure to deal with them. Get it recorded and you can even practice to make sure the 72-hour deadline can be met.
Joined up processes
  • Issues which trigger disciplinary procedures may relate to data protection issues and vice-versa. Make sure that there is a section in the guidance for both areas that highlights the risks and include this in your general training and particularly induction training.

So, as you contemplate the upcoming festivities, it may be worth a timely reminder to everyone that we have to consider what we’re saying just as much a what goes into an email.

/by

How the Department for Education ran into trouble with the ICO

Being as clear as mud when it comes to Data Protection

A key principle of data protection is transparency. You must be upfront about what you plan to do with personal data.

A failure to be transparent has recently brought the Department for Education into the Information Commissioner’s Office’s sights. Information from the annual census returns was apparently shared with Immigration Officials, without the data subjects being informed. This is the opposite to what you should be doing.

According to an article in the Guardian the ICO position is that:

“Our view is that the DfE is failing to comply fully with its data protection obligations, primarily in the areas of transparency and accountability, where there are far reaching issues, impacting a huge number of individuals in a variety of ways.”

It’s not clear yet what the consequences for the DfE will be from these findings.

Just a few days before the news about the DfE broke, the Information Commissioner felt compelled to ensure that political parties understood their data protection responsibilities as we head towards the election in December.

In addition to telling the parties that they needed to follow the principles of data protection, she also specifically addressed the controversial issue from the Brexit Referendum and subsequent elections – advertising on social media.  You can read the Commissioner’s full statement here.

These concerns are about transparency. How do you know what someone is doing with your personal data and how that usage might affect your rights and freedoms? The GDPR is very clear about the information that should be provided especially when your personal data is being used. It’s not always clear how well individuals understand the information presented to them, if they are given any at all.

The principle of transparency doesn’t just apply to political parties and government departments. It should be the cornerstone of the data protection policies and practices for every organisation.

So, what does Transparency mean for an organisation in the Education sector?

  • You must be clear about why you are processing personal data
  • You must be able to show you’re using the minimum data necessary
  • You must be able to show you have a legal basis for your processing and sharing of data
  • You must take action to inform individuals about how their data is being processed

How can you demonstrate that you’re meeting these requirements?

Your data mapping, providing it follows the model set out by the ICO will address the first three and your privacy notices should address the last item.

Our experience is that many schools and colleges haven’t mapped their use of personal data to the level of detail that the regulation expects, and this could become a problem if a complaint is raised by a data subject.

You may know in detail how data is collected, stored, updated and shared, but the legislation requires that this is documented. Does your documentation fully cover the movement of personal data around the organisation?

Do your privacy notices strike the balance of informing individuals about how their data is used while being accessible and unambiguous.

While you try and figure out the fake news from the real around the election it may be a good time to ensure that you’re being properly open about the way you collect and use personal data.

If you are unsure how you process data, or would like some guidance on how to document this, please contact our GDPR experts on 0113 804 2035 or click here.

/by