Schools’ obligations data controllers

Schools’ obligations as data controllers

Yes, as a school you are classed as the ‘data controller’ so you should make sure that you observe a few things when processing any personal data. Anyone else you are connected with, such as 3rd party suppliers, that also process personal data are called the ‘data processor’. Under GDPR data controllers and data processors will have equal liability should there be a data breach.

There are some rules that you must follow as a data controller:

  • Personal data must be processed legally and fairly
  • The data must be collected for legitimate purposes and used accordingly
  • The data must be adequate and relevant and it must not be excessive in relation to the reason it has been collected (or processed)
  • It must be updated regularly and it must be accurate
  • You must ensure that it can be rectified, removed and that it can be blocked if it is incorrect
  • Anything that identifies individuals must not be kept too long
  • Anything personal must be protected against accidental, unlawful destruction, alteration and disclosure; especially when it involves processing data over networks

Data controllers must implement appropriate security measures and these measures need to have the appropriate level of protection for the data stored and processed.

If an individual (staff member, parent, student) believes that their data has been compromised they can send a complaint to the ‘data controller’, if they feel that the schools handling of their complaint is not to their satisfaction they can then file a complaint with the national supervisory data protection authority.

Every EU country must provide one or more independent authority to monitor its application. In the UK, this is the Information Commissioners Office (ICO), you can find out more about their role by visiting their website.

Our infographic below shows the role of a data controller and a data processor – click on the image to download it.