Here is a collection of GDPR tutorials, included to help increase awareness of the importance of data protection among students and staff. These videos were recommended by the DfE in a guidance document that it produced in April 2018.
There is also lots of interesting information available on The Key for School Leaders website.
No data can be processed unless there is a legal basis for processing. It is important that schools understand the meaning of this term and can identify which legal basis should be used, where and when. This short video will help to bring clarity to each reason and help schools make the best choice for justifying personal data processing.
A visual demonstration of how important data mapping is in giving schools a clear view of their school data ecosystem.
There is no better preparation for GDPR in schools than ensuring that staff, your key assets, are fully aware of their responsibility for personal data protection. This short awareness video introduces your stakeholders to simple ideas and things to do, so that they can embrace data protection in their role in school.
The General Data Protection Regulation comes into effect in May 2018. Is your school ready? Iain Bradley from the DfE explains how you can review and improve your handling of personal data.
Before responding to a request like this, consider whether the child is mature enough to understand their data protection rights and the implications of making a request.
Children over the age of 12 are usually considered old enough, but it should be a case-by-case decision. If you think they are mature enough, you should usually respond directly to the child, but you may respond to the parent if the child authorises it or if it's evident that this is in the best interests of the child.
If you don't think the child is mature enough, respond to their parents, as they can exercise these access rights on their child's behalf.
When can you refuse a request?
This article gives some information about refusing a request for personal data.
Actions to undertake
When you refuse a request, you must:
- Respond within 1 month
- Explain why you're refusing the request
- Tell the individual they have the right to complain to the ICO
- Tell the individual they can seek to enforce their subject access right through the courts
You don’t have to confirm whether you hold the requested data.