Schools must produce a data protection policy, which should be reviewed at least every two years. Data protection aims to protect people’s personal information from misuse by placing controls on organisations and people who handle personal information. The principal piece of legislation is the Data Protection Act 1998 (DPA). Schools are classed as 'Data Controllers' under the DPA.
Schools must comply with the DPA in respect of all the personal information that they hold about individuals, whether they are an employee, pupil, parent or member of the public.
The DPA places a number of obligations on schools when they process personal data.
For example, schools must notify the Information Commissioner’s Office (ICO) about the information they hold and the purpose for holding it, and they must also comply with 8 data protection principles.
Personal data must be:
- Fairly and lawfully processed
- Processed for limited purposes
- Adequate, relevant and not excessive
- Not kept for longer than is necessary
- Processed in line with your rights
- Not transferred to countries without adequate protection
Cloud software services and the Data Protection Act
The Department for Education (DfE) has produced advice for all schools on how they need to consider data security when moving services and sensitive information to internet-based cloud computing facilities ('the cloud').