
Be safe and secure with data protection

Jessica Cumming, Solicitor at Gordons, considers how academies can ensure compliance with data protection legislation

Posted by Hannah Oakman | November 03, 2016 | Law, finance, HR

Like all organisations that process personal data, academies must comply with data protection legislation. In light of the forthcoming General Data Protection Regulation (GDPR), which will replace the Data Protection Act 1998 (DPA 1998) from May 2018, this is more important than ever.

It is important to have compliant data processing measures and procedures in place sooner rather than later, especially as there will be severe penalties for failure to comply with GDPR.

Here are some of the main changes and tips for academies to ensure compliance:

Privacy Notices

Privacy notices should be provided to parents or pupils at the point their personal data is collected, or within a reasonable time where the data is obtained from a third party. The GDPR builds upon the current requirement to provide data subjects with details of the data controller, the purpose of the processing, the recipients of the data and their rights of access, adding information such as the legal basis for processing, the period for which the data will be stored and the right to rectification or erasure of the data, amongst others.

Procedures for obtaining consent

As with the DPA, the GDPR will require data controllers to have a legitimate reason for processing personal data. If you rely on the consent of the data subject, under the GDPR you must be able to demonstrate that it was freely given and communicated by a statement or clear affirmative action, such as an ‘opt in’ box rather than an ‘opt out’ box.

Silence, inactivity or pre-ticked boxes will no longer constitute consent. In addition, consent must be obtained from a child's parent or guardian for the provision of internet services for remuneration. In the UK, the age of consent will be set at 13.

Procedures in place to deal with data subjects' rights

The GDPR expands upon data subjects' rights. In addition to subject access, data subjects will have the right to have inaccuracies corrected and information erased, to prevent direct marketing and automated decision making, to withdraw consent, and to data portability (the right to have their data provided in a usable, commonly used format such as an electronic format). Procedures will need to be put in place to deal with such requests.

Subject access requests

There is currently a requirement to respond to subject access requests within 40 days. Under the GDPR, this will be reduced to one month, and additional information must be provided, such as data retention periods, the right to have data deleted, the right to have inaccurate data corrected and the right to lodge a complaint with the data protection authority.

Data breach notification

Currently, it is good practice to report personal data breaches to the ICO. Under the GDPR, such breaches should be reported immediately, and in any event within 72 hours of becoming aware of the breach.

Data Protection Officer

Appointing or designating an individual as a data protection officer to oversee an organisation’s compliance with data protection legislation is considered good practice. Under the GDPR, this will be a requirement for public authorities and organisations that undertake regular and systematic monitoring of data subjects on a large scale.

Data Protection Policy

A data protection policy helps to ensure that members of staff are aware of their data protection duties. As the GDPR requires organisations to be able to demonstrate their compliance through technical and organisational measures, it is safe to say that a data protection policy is essential and should be updated to take account of the changes introduced by the GDPR.

Data Processing agreements

Any arrangements with third parties to process data on your behalf must be in writing and contain various guarantees of compliance with the GDPR, including but not limited to: acting only on the instructions of the data controller; notification of breaches; restrictions on sub-processing without consent; assistance with data subjects' rights; a requirement for personal data to be kept confidential; access to premises to check compliance; and return or destruction of data upon request. Such provisions should be included within any new agreements entered into. Existing agreements which will continue beyond 25 May 2018 should be checked and amended as appropriate.
