Author – Ben Wood of Eversheds Sutherland LLP. Eversheds Sutherland are a supplier on the National Education Legal Services Framework. Eversheds Sutherland are a supplier on Lot 1 (East Anglia), Lot 4 (Northern Ireland), Lot 7 (Scotland), Lot 9 (South West England), Lot 10 (Wales), Lot 13 (Channel Islands) and Lot 14 (National One-Stop-Shop).
The day-to-day management of school life relies upon the school or academy, as a controller (being the entity that makes decisions about what personal data is collected and how and for what purpose(s) it may be used), processing its pupils’ and former pupils’ personal data, including disclosure of data to third parties. The General Data Protection Regulation 2016/670 (GDPR) and Data Protection Act 2018 (DPA) have introduced new requirements for processing personal data which schools and academies must consider carefully to ensure their processing activities are carried out lawfully, especially considering the potential fines of up to £17 million for non-compliance.
Third parties’ requests for personal data
Personal data may only be processed if there is a lawful basis for doing so. Accordingly, prior to agreeing to third parties’ requests for access to pupils’ personal data, schools and academies must consider if one of the lawful bases listed below can be relied upon. If the third party requests sensitive personal data, such as information on a child’s health, ethnic origin or religion, the lawful bases that can be relied upon are much stricter, and disclosure is likely to require a legal requirement or explicit consent.
Third parties may legitimately request personal data of pupils and former pupils from schools: for instance, the police or social services may request records when conducting investigations relating to pupils or former pupils. Prior to such disclosure, schools should consider whether there is a lawful basis for doing so. That said, providing third parties such as social services and the police with information about a pupil or former pupil can be crucial in safeguarding the child in question. Indeed, when sharing a pupil or former pupil’s sensitive personal data in such circumstances, schools and academies can rely upon “safeguarding of children and individuals at risk” as a processing condition under the DPA.
Government guidance stresses that information should be shared proactively with appropriate parties as early as possible. If a school or academy is concerned about a child’s welfare or risks of harm to a child, it should share that information with social services and/or the police, albeit in circumstances and in a manner which meets the requirements of data protection laws. Despite the onerous obligations imposed by data protection legislation, the guidance makes it clear that “fears about sharing information must not be allowed to stand in the way of the need to promote the welfare, and protect the safety, of children” (Working Together to Safeguard Children, HM Government 2018).
Schools and academies should aim to obtain the consent of the pupil (or their parent or guardian if under 13 years old) before sharing any information. However, sharing may take place without consent if the institution feels obtaining consent is not possible or would place the child at risk and another lawful basis can be relied upon. The consent must comply with the GDPR, as is discussed in further detail below.
Lawful bases for processing
The lawful bases for processing are set out in Article 6 of the GDPR:
| Personal Data | Sensitive / Special Categories of Personal Data |
|---|---|
| Consent: the individual (or their parent or guardian if under 13 years old) has agreed that the school or academy may process their personal data for a specific purpose. | Explicit consent: the individual (or their parent or guardian if under 13 years old) has consented to the particular processing in question for the given purpose. |
| Contract: the processing is necessary to perform or enter into a contract with the data subject. | Preventative medicine: the processing is necessary for medical diagnosis or preventative health reasons. |
| Legal obligation: the processing is necessary for the school or academy to comply with the law or a binding request, such as a court order. | Employment or social protection legal obligation: the processing is necessary for the school or academy to comply with an obligation or to enable the school/academy or a data subject to exercise its rights in the field of employment and social protection law. |
| Vital interests: the processing is necessary to protect the data subject (or someone else) from death or serious harm. | Vital interests: the processing is necessary to protect the data subject (or someone else) from death or serious harm and the data subject is not capable of giving their consent. |
| Public task: the processing is necessary for the school or academy to perform a task in the public interest or for the school or academy’s official functions which are provided for by statute or common law. | Legal claims: the data controller needs to use a data subject’s personal information to investigate, take advice on, bring or defend legal claims. |
| Legitimate interests: on balance and being fair to the data subject, the data controller has a good and lawful business reason for processing. Public authorities, such as schools and academies, are more limited in their ability to rely upon legitimate interests, as they may only do so for processing which is not part of the performance of their tasks as a public authority (such as alumni fundraising or commercial activities). For processing which is necessary for tasks in the public interest, schools and academies should consider relying upon the “public task” basis instead. | Substantial public interest: the processing is necessary for reasons of substantial public interest or the greater public good. The processing must be proportionate to the aim pursued, taking account of the rights and interests of the data subjects, and must be carried out in a way which ensures that their personal data is protected. |
GDPR compliant consent
The GDPR has introduced more stringent requirements for consent to be “freely given”, “specific”, “informed” and “unambiguous”. If schools and academies want to rely on consent as a lawful ground for processing, the consent must:
- include a positive opt-in which involves an affirmative action, such as signing a consent form or ticking a box. If asking for consent for processing sensitive personal data, the consent must be explicit, meaning it is confirmed in words, rather than by another positive action;
- specifically identify the processing which is to take place;
- be granular in that it identifies and asks for consent for each of the different types of processing;
- be clear, easy to understand, prominent and unbundled from other terms and conditions; and
- be properly documented and easily withdrawn.
If the consent obtained does not meet these requirements, a different legal basis must be relied upon. Further, consent can be withdrawn by the data subject at any stage. If another legal basis cannot be identified, the school or academy cannot lawfully continue processing the data in that way. It is recommended that schools and academies rely upon other lawful bases, in addition to consent.
Schools and academies can continue to process their pupils’ and former pupils’ data, including sharing it with third parties, but they must ensure that they respect the pupils’ rights, and meet the obligations under the GDPR and DPA, in doing so. Schools and academies should not allow the fear of data protection law to stop them fulfilling their key duties, but should ensure they are guided by their obligations in that regard.
A key factor in a school or academy’s decision-making would be to ascertain whether a pupil’s or former pupil’s safety and welfare would be at risk if the information requested was either shared or withheld from the third party that has requested it. It may be lawful to refuse the request if it would not promote the welfare of the relevant child or young person concerned.
This article is for informational purposes only and does not constitute legal advice. It is recommended that specific professional advice is sought before acting on any of the information given.