About this resource
Aims
The purpose of this resource is to provide targeted and practical guidance on data protection practices to support your professional placement in a school. It focuses on how to document your experiences in a legally compliant way. We will look at the types of personal information you are likely to encounter in a school setting and the ways in which it may or may not be processed. You will also learn what to do if something goes wrong and where to find help and advice.
Learning objectives
Through completion of this resource, you should be able to:
- recognise personally identifiable information that you are likely to handle during your placement;
- select the most appropriate tools to gather and store your notes and any evidence you gather; and
- act appropriately should something go wrong or cause concern.
What this resource does not do
This is not a formal guide to GDPR, data protection or privacy as a broader subject area.
Legal overview
Which laws apply in the UK?
The UK data protection regime is set out in the Data Protection Act 2018 (DPA), along with the UK General Data Protection Regulation (UK GDPR), which also forms part of UK law. It takes a flexible, risk-based approach which puts the onus on you to think about and justify how and why you use data.
You can learn more about data protection regulation from the Information Commissioner's Office (ICO) website.
When do they apply?
The law applies to any ‘processing of personal data’. Personal data means information about a particular living individual. This might be anyone, so in a school this might include teachers, pupils, parents, other school staff, visitors and former staff and pupils.
Who needs to comply?
Anyone who controls or processes personal data is required to comply with GDPR.
Processing can be almost anything you do with data, including collecting, recording, storing, using, analysing, combining, disclosing or deleting it.
Controller
- Decides how and why to collect and use the data.
- Usually an organisation.
Examples:
- Local authority;
- School;
- UHI.
Processor
- Separate person or organisation (not an employee) who processes data on behalf of the controller.
Examples:
- Brightspace;
- Classroom app like Class Dojo.
Personal data
What constitutes personal information?
Personal data is information that relates to an identified or identifiable individual.
- If it is possible to identify an individual directly from the information you are processing, then that information may be personal data.
- If you cannot directly identify an individual from that information, then you need to consider whether the individual could still be identified e.g. by combining the information available.
For example, if a pupil has dyslexia, then the fact that they have dyslexia may not identify them. However, if this information was combined with another piece of information, such as ethnicity, it might be possible to identify the individual pupil.
Information categories
Let's look at some of the types of information you may have access to and sometimes handle, while working in a school environment.
Think about the types of personal information you might find in a school environment or associated context.
Identification
Information that uniquely or semi-uniquely identifies a specific individual.
name, user name, unique identifier, national insurance number, picture, biometric data.
e.g. Pictures of pupils, names and classes, health information.
Physical characteristics
Information that describes an individual's physical characteristics.
height, weight, age, hair colour, skin tone, tattoos, gender, piercings etc.
e.g. albinism, joora (Sikh hair bun).
Ethnicity and religion
Information that describes an individual's origins and lineage.
Information describing an individual's behaviour or activity, including online behaviour.
social interactions, internet browsing, links clicked, calls made, attitude, interpersonal characteristics.
e.g. class reward chart, learning analytics, additional support needs.
Medical and health
Information about a person's health, medical conditions, or healthcare.
Physical and mental health, disabilities, family health history, blood type, prescriptions.
Gender and sexuality
Information that describes an individual's gender or sexual identity.
Gender identity, sexual preferences, sexual history.
e.g. LGBTQ+ identification, gender identity and pronouns used.
Demographic
Information that describes individual characteristics shared with a socioeconomic or other type of group.
Age ranges, income brackets, home neighbourhood, educational background.
e.g. Curriculum for Excellence, free school meals, nurture groups, Gaelic-medium pupils.
Education
Information about an individual's educational background, history, and attainment.
Attainment levels, school transfer history, exam results, records, disciplinary actions.
e.g. new pupils, attainment sets, school reports, exclusions, literacy levels.
Public life
Information about an individual's general reputation, social status, political affiliation.
Public profile locally, nationally, or internationally. Links to a political or religious group, activism, gang affiliation.
e.g. a pupil has a high profile, for instance having been in broadcast media or being associated with a public figure.
Family and personal
Information about a person's family background.
Marital status of parents, foster care and adoption, siblings, bereavement, life experiences.
e.g. links between pupils' families, paternity disputes, relatives with criminal records, social services involvement.
Recreation / interests
Information about personal preferences, extracurricular activities, interests, hobbies, pastimes.
Club membership, being a fan of a group or individual, sports and instruments played, regular event attendance.
e.g. supporter of a specific football club, fan of a pop music band, member of church choir.
Administrative
Information used for administration including communications, authentication, computing, contact details.
Voicemails, emails, phone numbers and addresses, IP address, PINs and passwords, authentication data.
e.g. email address or actual email content, pupil reference number; data for authentication like mother's maiden name, name of first pet etc.
What does the law say?
The GDPR sets out seven key principles according to which personal data may be processed:
7 Principles
- Lawfulness, fairness and transparency: processed lawfully, fairly and in a transparent manner in relation to individuals (‘lawfulness, fairness and transparency’);
- Purpose limitation: collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (‘purpose limitation’);
- Data minimisation: adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
- Accuracy: accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
- Storage limitation: kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals (‘storage limitation’);
- Integrity and confidentiality (security): processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’);
- Accountability: The controller shall be responsible for, and be able to demonstrate compliance with, all of the principles.
Processing securely and compliantly
If you have established appropriate reasons for processing personal data, then you need to do so in line with the principles of GDPR and the policies of the associated domain e.g. UHI, local authority.
You must be fair and transparent
- Are you processing the information in a way the individual would reasonably expect?
- Could there be any unintended consequences?
- Are you doing so in an open and honest way?
- Is it clear why you are processing the information and what you will then do with it?
Keep data to a minimum
- Is it adequate and sufficient to properly fulfil your stated purpose?
- Is it relevant, with a clear and rational link to that purpose; and
- Have you limited the information to what is necessary and not more than you need for that purpose?
Make sure data is accurate
- Have you taken care to ensure the information is correct?
- If you find information that is inaccurate, misleading or out of date, have you taken steps to have it erased or corrected? E.g. informed the person responsible, if this is not you.
Only retain the information for as long as necessary
- Only retain information for the intended purpose and no longer than necessary; or
- Retain only for the duration stipulated by the relevant record retention policy.
Secure it
- Only use approved storage facilities and communication methods.
- Password protect or lock information away when it is not in use.
Take responsibility
- Make sure you can demonstrate that you have processed information in line with all principles.
Lawful bases for processing
With so many creative and resourceful ways to capture and use information within a digitally-enhanced or digitally-mediated environment, it may be tempting to capture and use whatever you can. However, the capacity to gather and potential to use personal data does not in itself justify doing so.
In order to remain compliant with GDPR, controllers need to follow a logical process and must have a valid lawful basis in order to process personal data.
There are six available lawful bases for processing. No single basis is ’better’ or more important than the others – which basis is most appropriate to use will depend on your purpose and relationship with the individual.
Most lawful bases require that processing is ‘necessary’ for a specific purpose. If you can reasonably achieve the same purpose without the processing, you won’t have a lawful basis.
It will usually be your school determining your lawful basis for processing personal data of students.
What are the lawful bases for processing?
The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data:
- Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
- Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
- Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
- Vital interests: the processing is necessary to protect someone’s life.
- Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
- Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
Why is it important to protect personal data?
Protecting personal data is important because it helps...
- ... protect the fundamental rights and freedoms of persons that are related to that data
- ... prevent criminal activity e.g. identity theft, fraud, manipulation of health information
- ... promote fair and consumer-friendly products and services
Special category data
Special category data is sensitive data that requires more protection in the law. Special category data includes:
- race
- ethnic origin
- politics
- religion
- trade union membership
- genetics
- biometrics
- health
- sex life
- sexual orientation
- criminal convictions
- Normal data: Article 6 basis (ordinary basis)
- Sensitive data: Article 9 basis (special category condition)
People, places and the hats we wear
All of us wear different hats in our day-to-day lives and move between different places.
What about UHI? - Gathering evidence compliantly
The University and its many departments, technologies and networks of information represent one of the places you will operate in. We will look at what that means for your portfolio work in the 'Your placement' section.
However, you should remember the following to ensure you are gathering evidence compliantly and that personal data is processed appropriately.
- Minimise it – only gather what you really need to
- Anonymise it – make sure you redact/obscure all personally identifiable information where required
- Only use approved software/devices/storage
- Secure it – lock and encrypt if possible, do not leave unattended, do not provide access to unauthorised others
- Destroy / delete – as soon as you no longer need it, or are no longer required to
Personal Spaces
Personal spaces include:
- handwritten notes and letters;
- conversations with others;
- phone calls;
- e-mails;
- mobile phone apps and files;
- personal devices e.g. laptop, digital camera, fitness tracker; and
- anywhere they have a presence, including social media.
Whenever all or part of a domain is digitally facilitated, there is a likelihood of overlap with other domains. For example:
- If you take a photo on your phone and store it using the “Photos” app, Google will automatically upload the image to the cloud. Google services will be a new domain and you will have permitted Google to use this information according to their license.
- When you scan a document on a wireless home printer/scanner, the Wi-Fi network, other household members, and any associated cloud storage become additional domains.
- You chat with a colleague after work using your personal Zoom accounts. Zoom, and any affiliated services, would be information domains.
Professional conduct and private self / private spaces
None of you would do this, but it demonstrates that mixing work with personal domains gets messy very quickly.
And how personal spaces can get dragged into work processes if you mix these up… don’t be tempted.
For further information: https://www.bbc.co.uk/news/uk-scotland-north-east-orkney-shetland-61467612
Your placement
As a school professional, you could legally process quite a lot of personal information about pupils, parents and colleagues, within the school domain. You may be able to share some of that information, for specific purposes, with other approved people and spaces. However, you will also always be operating within your own, personal space, which could pose a risk to information security. You must consider this carefully, particularly when it comes to uploading evidence and reflections to your online placement record.
UHI space
When entering a school environment for your placement, you will be performing a professional role and will be required to operate within the policies and procedures of the school. For the purposes of your ITE programme, you will be expected to record your experiences and document evidence and reflections within a digital portfolio. This will be in a format approved by UHI, in line with its own privacy and security policies. However, because UHI is a separate information space, personally identifiable information gathered within the school environment may not be transferred to places in the UHI spaces. Such places include UHI Brightspace, UHI Mahara, and UHI OneDrive spaces.
You must not provide external access to your UHI OneDrive folder to anyone other than your mentor/supervisor, unless otherwise advised it is appropriate to do so.
Always follow the instructions of your UHI academic department on how to administer your placement work.
Placement documentation
You will need to document your experiences in such a way that protects the identities of the pupils and parents you work with, as far as possible. At times this might be quite challenging, as your experiences may be difficult to describe without referring to specific people. As we have learned, simply redacting names does not necessarily amount to anonymisation, if an identity may still be revealed through other information you provide.
Minimise
The first thing you must do before adding any information to your portfolio is to minimise what you gather. Gather only what is necessary to meet the portfolio and any assessment criteria. It is extremely unlikely that you would ever need to gather highly identifying information, like pupil names or dates of birth. This type of information should not appear anywhere in personal or scholastic notes that are then to be taken outside of the school space.
Anonymise
If you want to use evidence that necessarily has some personal information included, then this must be redacted or fully obscured before it leaves the school space. This would apply to, for example, a piece of artwork with a pupil name at the bottom, or a photo with a person, or other personal information visible in the background. This could also mean redacting (removing or hiding) names in a document. But be careful about any other information present that could still reveal their identity. E.g. a class list is often in alphabetical order and may have other revealing features.
For more information on anonymisation strategies you may find the ICO document: Anonymisation: managing data protection risk code of practice useful.
Other things to consider
- Avoid using specifics to refer to individuals; refer, perhaps, to a ‘senior manager’ rather than a job title, for example.
- It is possible, where required, to link different pieces of information about an individual, while protecting their actual identity – but be aware it is more challenging to anonymise in these circumstances. For example, you might want to track the progress of some pupils over time and, in your notes, you might refer to the pupil as “Pupil A”. This kind of privacy can be illusory in that it is often possible to identify them from the other information you provide – especially when you refer to them a lot. You must look very carefully at the sum of your information to determine whether any identities may be extracted, even if that seems unlikely.
- You may be tempted to design strategies to talk about people or their characteristics using codes or symbols. For example, using the abbreviation “AS” to note additional support needs. But be very careful or avoid this altogether. When a code is used on a regular basis, patterns become apparent and often those patterns can be recognised as individual people. Don’t use coding in lieu of proper minimisation and anonymisation.
What is a breach?
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
For example, emailing personal data to the wrong person or a paper document being stolen because it was left unattended.
Reactive decisions
Unforeseen circumstances
Situations will sometimes arise that require you to make a quick decision affecting personal data.
When you arrive at your placement, make sure to ask how the school wishes you to handle such situations. Some schools may give you guidelines or policies to make your own decisions on how to react; other schools may have local data protection/safeguarding staff who will take over in such scenarios.
Make sure you find out how to handle these situations, and follow the instructions you are given.
- Risk assess the situation;
- Seek guidance before allowing domains/actors to change;
- Reschedule, document decisions.
When something goes wrong
Sometimes things go wrong and personal data is put at risk or breached. E.g. you or someone else accidentally shares personal information with an unintended email recipient, or there is suspected unauthorised access to an account.
It is important to know how to react to such incidents, or suspected incidents. Your placement school will have procedures in place detailing what to do if you suspect, or receive a report that, personal data may be at risk or have been breached. Make sure, when you arrive, that you find out how to react and who to contact for support, and follow these instructions if the need arises.
Stay calm. Next, immediately report the breach to the relevant domain controllers (data protection reps) and follow instructions.
General advice
Devices and software
- Turn off or lock devices when you are away from them or no longer using them. To lock a computer, press Windows + L.
- Only use devices provided by the school to capture, record or communicate information.
- Only use software approved by the school to carry out the duties of your role during placement.
- Only use UHI-approved technologies to upload, communicate and store information relating to your course documentation, i.e. reflective notes, lesson plans.
- Be aware of what you are sharing on screen.
Paper documents
- Lock paper-based documents in secure, appropriate locations e.g. locked filing cabinet in staff office.
- Shred, destroy or delete information that you no longer need and are not required to retain.
- Protect documents in transit.
- Only take the information you need with you, and know what you have taken.
Communications and administration
- Don’t leave personal information in voicemails.
- Check e-mail addresses, telephone numbers, postal addresses. Send a test email.
- Update details on systems (e.g. SITS).
- Use watermarks/indicators for who has a copy of a report.
- Proofread and remember that one day the person might request to see their information: keep it professional.
- If you are sending an email to more than one parent/carer, use the BCC function, so that you don't share addresses with others.
- If you are collecting examples of pupil work for University assignments make sure to anonymise the work and not to include any faces or identifying features.
Environment
- Be careful where you leave information; can it be read through a window?
- Check your surroundings – e.g. is the supermarket the right place for that conversation? Should you be making certain comments over the phone in a crowded office?
- Verify who has a right to data – inside and outside of the organisation.
- If you are taking the register (e.g. Seemis platform) make sure that you don't display this to the class as it may include symbols/notations for medical and learning needs. The 'freeze' function on data projectors, or the screen extension facility, is useful to avoid displaying personal information.
- Keep work in work times.
Further reading
Breaux, T.D. (2020) An introduction to privacy for technology professionals. Portsmouth, USA: International Association of Privacy Professionals
Cronk, R.J. (2018) Strategic privacy by design. Portsmouth, USA: International Association of Privacy Professionals
Department for Education (2018) Data protection: a toolkit for schools Open Beta: Version 1.0. Available at: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/747620/Data_Protection_Toolkit_for_Schools_OpenBeta.pdf. Accessed 10/10/2020
Department for Education (2018) GDPR Guidance for Schools. (video) Available at https://www.youtube.com/watch?v=y09IHXv6u6M. Accessed 15/10/2020.
European Union Agency for Fundamental Rights and Council of Europe (2018) Handbook on European Data Protection Law: 2018 Edition. Luxembourg: Publications Office of the European Union
Livingstone, S., Stoilova, M. and Nandagiri, R. (2018) Children’s data and privacy online: Growing up in a digital age: An evidence review. LSE Media Communications. Available at: https://www.lse.ac.uk/media-and-communications/assets/documents/research/projects/childrens-privacy-online/Evidence-review-final.pdf. Accessed: 15/10/2020
Ustaran, E. (ed.) (2019) European data protection law and practice 2nd edition. Portsmouth, USA: International Association of Privacy Professionals
Credits
Some content has been sourced and adapted from content on the Information Commissioner's Office (ICO) website, which is available under the Open Government Licence v3.0.
This resource was written and developed by Liz Hudson (Educational Development Unit), James Nock (Data Protection Officer), and Carolin Hunter (Learning and Teaching) in consultation with the UHI PGDE programme team.