The EU General Data Protection Regulation (GDPR)
The Data Protection Act 2018 (DPA) is the UK’s implementation of the General Data Protection Regulation (GDPR) and both came into force on 25th May 2018.
The DPA 2018 sets out the framework for data protection law in the UK. It updates and replaces the Data Protection Act 1998.
The DPA sits alongside the GDPR, and tailors how the GDPR applies in the UK.
Everyone responsible for using personal data has to follow the ‘data protection principles’.
They must make sure the information is:
- used fairly, lawfully and transparently
- used for specified, explicit purposes
- used in a way that is adequate, relevant and limited to only what is necessary
- accurate and, where necessary, kept up to date
- kept for no longer than is necessary
- handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage
Schools must comply with the following statutory duties:
Data Protection Act 2018 (DPA) / The General Data Protection Regulation, 25th May 2018
- Register with the Information Commissioner’s Office.
- Be able to demonstrate compliance with the Data Protection Principles of fair processing.
- Provide privacy notices describing what personal data the School processes.
- Respond to subject access requests.
- Respond to requests for rectification and the new right of erasure.
- Have in place a serious DPA breach management process.
- Where data is processed only on the basis of consent, provide an easy ‘opt out’.
Education Pupil Information (England) Regulations 2005
- Allow a parent to inspect his/her child’s education record.
Freedom of Information Act 2000 (FOI) and Environmental Information Regulations 2004 (EIR)
- Publish information in accordance with a publication scheme.
- Respond to requests for information.