
Data Management & GDPR Compliance Guidelines

COLLECTION AND RETENTION OF DATA

Educational institutions routinely collect data pertaining to their employees, students, and other stakeholders. Safeguarding this data is of paramount importance, necessitating strict adherence to GDPR (General Data Protection Regulation) guidelines.

LEGAL RESPONSIBILITIES

Under the GDPR, the act of obtaining personal data is split into two roles, the data controller and the data processor, and each role carries different responsibilities.

DATA CONTROLLER

  • Who: The educational institute will be the data controller. This means it determines whose information to collect, what types of data they need and why it’s necessary.
  • Determining Purposes and Means: The data controller is responsible for determining why and how personal data is processed. This includes specifying what data is collected, for what purpose, and through which methods.
  • Legal Compliance: Ensuring that all data processing activities comply with relevant data protection laws, including obtaining proper consent from data subjects when necessary.
  • Data Minimisation: Collecting and processing only the data that is necessary for the specified purpose. Data controllers should avoid collecting excessive or irrelevant data.
  • Security Measures: Implementing appropriate security measures to protect the personal data they are responsible for, including encryption, access controls, and regular security assessments.
  • Data Subject Rights: Informing data subjects about their rights regarding their personal data, such as the right to access, rectify, and delete their data.
  • Data Breach Reporting: Reporting data breaches to the appropriate authorities and affected individuals within the required timeframe.
  • Record Keeping: Maintaining records of data processing activities, including purposes, data categories, and retention periods.
  • Data Protection Impact Assessments (DPIAs): Conducting DPIAs when processing activities are likely to result in a high risk to data subjects' rights and freedoms.


DATA PROCESSOR

  • Who: The data processor may be a third-party supplier that the school has hired to complete these tasks, or it may be a department within the school itself.
  • Cooperation with Authorities: Cooperating with supervisory authorities (e.g., data protection authorities) if necessary, including allowing audits and inspections.
  • Record Keeping: Maintaining records of all processing activities they carry out on behalf of the data controller.
  • Sub-Processors: If the data processor uses sub-processors (e.g., cloud service providers), they must inform the data controller and obtain their consent.
  • Data Breach Reporting: Informing the data controller of any data breaches without undue delay so that the controller can comply with reporting requirements.
  • Data Subject Rights: Assisting the data controller in fulfilling data subject requests, such as providing access to or deleting data.
  • Security Measures: Implementing appropriate security measures to protect the personal data they are processing, as specified by the data controller.
  • Processing on Behalf of the Controller: Data processors act on behalf of the data controller and only process personal data based on the controller's instructions. They must not use the data for any other purpose.


Data controllers and Data Processors are equally responsible for GDPR compliance, which means that both parties could face disciplinary action in the event of a data breach. It is important to note that these roles can sometimes overlap, especially in cases where a single entity acts as both the data controller and data processor for different processing activities.

It is therefore essential that schools clearly define these roles and responsibilities to ensure compliance with data protection regulations and to protect the rights and privacy of data subjects.

This helps both parties understand exactly what is expected of them, and will mitigate the school’s responsibility should a data breach occur.

DATA RETENTION GUIDELINES

This guidance template was developed with Southwark Information and Governance to provide information to schools on retaining data.

Schools are still advised to liaise with their Data Protection Adviser.

Data Retention Guidelines Checklist

PERSONNEL RECORDS

Personnel records, whether maintained in hard copy or electronically, should be systematically organised to facilitate easy retrieval and efficient management.

ELECTRONIC PERSONNEL FILES

Schools should consider the benefits of electronic HR files over traditional paper-based files:

a.  Accessibility and convenience

b.  Time efficiency - keyword searches can locate data far faster than flipping through paper documents.

c.  Space saving - no physical storage space is needed, reducing the cost and clutter associated with paper records.

d.  Version control - electronic files can track revisions and changes, providing a clear audit trail. This is essential for compliance and legal purposes, ensuring you can demonstrate who made changes and when.

e.  Backup and disaster recovery - electronic files can be regularly backed up, making it easier to recover data in the event of hardware failure or a disaster. This reduces the risk of data loss compared with physical records, which are susceptible to damage from fire, floods or other catastrophes.

f.  Environmental sustainability - reduces paper consumption and waste.

Personnel File Checklist - This template sets out the detail of what should be included in a personnel file.
Guidance - Transitioning to Electronic Personnel Files - This guidance sets out how to transition to electronic personnel files.

USEFUL LINKS

Data protection: toolkit for schools - GOV.UK (www.gov.uk)

Information Commissioner's Office (ICO)