The Data Protection Act 1998 is designed to safeguard personal data and allow organisations to collect and process this data for legitimate purposes.
All schools are required to have a registration under the Data Protection Act 1998.
To ensure you are compliant with this law, you need to notify the Information Commissioner's Office of the type of personal data you hold.
Failure to notify is a criminal offence.
A notification registration lasts for one year and it will cost you £35 to register your school.
Under the Data Protection Act 1998 all schools processing personal data must comply with the eight data protection principles:
- Fairly and lawfully processed
- Processed for limited purposes
- Adequate, relevant and not excessive
- Not kept longer than necessary
- Processed in accordance with the data subject's rights
- Not transferred to other countries without adequate protection.
Guidance and resources for schools
The Information Commissioner's Office (ICO) website has guidance and resources for school. Please visit:
Practice notes summary
- All employees need to ensure that other people’s information is protected and kept safe at all times
- If personal information is taken from one location to another it must be done in the safest possible way
- Equipment should be fully password protected and encrypted, and kept secure at all times
- Files, diaries, notepads or computer equipment must never be left unattended in vehicles or on public transport.
Ealing Council documents
Data security and the LGfL support site - a headteacher’s guide (pdf)
General advice on data security and guidance for headteachers on essential tasks on the LGfL support site.
Dos and don'ts of data protection* (pdf)
Some guidance on how to comply with the act.
Ealing data protection policy* (pdf)
Information includes the council's responsibilites, what the act means for the individual and the Ealing framework.
Ealing data protection principles* (pdf)
Detailed explanation of the eight principles of data protection.
Changes to the GDPR - May 2018
On 25 May 2018, the European Union (EU) General Data Protection Regulations (GDPR) will come into effect in the UK.
The government has confirmed that the UK’s decision to leave the EU will not prevent the introduction of the GDPR.
As schools are data controllers they are required to comply so it is important that governors and trustees begin to consider any potential impact.
The GDPR apply to all personal data collected by an organisation.
Schools might find the following document useful:
Tel: 020 8825 5512