The purpose of this resource is to provide targeted and practical guidance on data protection practices to support your professional placement in a school. It focuses on how to document your experiences in a legally compliant way. We will look at the types of personal information you are likely to encounter in a school setting and the ways in which it may or may not be processed. You will also learn what to do if something goes wrong and where to find help and advice.
Through completion of this resource, you should be able to:
- Recognise what constitutes personal data and metadata;
- Recognise the boundaries between processing domains;
- Identify good practices in common scenarios;
- Act swiftly and appropriately should something go wrong.
What this resource does not do
This is not a formal guide to GDPR, data protection or privacy as a broader subject area. It does not replace or supersede any data protection training you may be required to complete during your placement or elsewhere. If you encounter a conflict between the guidance provided here and the guidance you receive from your placement host, you should discuss this with your supervisor.
What is the difference between data protection and privacy?
Both data protection and privacy are concerned with the processing of personal data.
Data protection is defined by the Information Commissioner's Office (ICO) as 'the fair and proper use of information about people'. It is primarily concerned with securing personal data and ensuring that only authorised people can access it.
Privacy is concerned with what happens to personal data by those who are authorised to access it.
Personal data is information that relates to an identified or identifiable individual. If it is possible to identify an individual directly from information, then that information may be personal data. Even if you cannot directly identify an individual from the information, you still need to consider whether identification might be possible when it is combined with additional information (metadata) or means. Read the full definition on the ICO website.
Why is data protection and privacy awareness important in teacher training?
During your placement, you will have access to a lot of personal data about the children, teachers, and possibly even parents you work with. That places you in a position of responsibility and, as a handler of personal information, your activities need to be legally compliant and ethically informed too.
You also have a duty to protect information about the pupils you work with and sometimes help them to make informed decisions. Children may be more vulnerable to manipulation, particularly via digital technologies, and may not be prepared or capable of handling privacy violations. Their parents and other adults also may not be aware of the possible implications of the processing of their child's data using digital apps and services.
As trainee teachers, you will be expected to play a part in making privacy-positive decisions and protecting any personal data you handle while on placement.
Which laws apply in the UK?
The UK data protection regime is set out in the Data Protection Act 2018 (DPA), along with the General Data Protection Regulation (GDPR), which also forms part of UK law. It takes a flexible, risk-based approach which puts the onus on you to think about and justify how and why you use data.
You can learn more about data protection regulation from the Information Commissioner's Office (ICO) website.
When do they apply?
The law applies to any ‘processing of personal data’. Personal data means information about a particular living individual. This might be anyone, so in a school this might include teachers, pupils, parents, other school staff, visitors and former staff and pupils.
Who needs to comply?
Anyone who controls or processes personal data is required to comply with GDPR.
Processing can be almost anything you do with data, including collecting, recording, storing, using, analysing, combining, disclosing or deleting it.
A controller is the person that decides how and why to collect and use the data. This will usually be an organisation, so this would include schools, local authorities and sports clubs. If you are an employee acting on behalf of your employer, the employer would be the controller. The controller must make sure that the processing of that data complies with data protection law. So, when you are on your placement, the school and local authority will be controllers, but you may encounter others too.
A processor is a separate person or organisation (not an employee) who processes data on behalf of the controller and in accordance with their instructions. Processors have some direct legal obligations, but these are more limited than the controller’s obligations. In a school setting, processors might include online learning services or a private coach company hired for field trips.
What does the law say?
The GDPR sets out seven key principles according to which personal data may be processed:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
These principles should be reflected in any activity involving the processing of personal data.
What constitutes personal information?
Personal data is information that relates to an identified or identifiable individual.
- If it is possible to identify an individual directly from the information you are processing, then that information may be personal data.
- If you cannot directly identify an individual from that information, then you need to consider whether the individual could still be identified e.g. by combining the information available.
For example, if a pupil has dyslexia, then the fact that they have dyslexia may not identify them. However, if this information was combined with another piece of information, such as ethnicity, it might be possible to identify the individual pupil.
Let's look at some of the types of information you may have access to and sometimes handle, while working in a school environment.
Think about the types of personal information you might find in a school environment or associated context.
Information that uniquely or semi-uniquely identifies a specific individual.
name, user name, unique identifier, national insurance number, picture, biometric data.
e.g. Pictures of pupils, names and classes, health information.
Information that describes an individual's physical characteristics.
height, weight, age, hair colour, skin tone, tattoos, gender, piercings etc.
albinism, joora (Sikh hair bun).
Ethnicity and religion
Information that describes an individual's origins and lineage.
Information describing an individual's behaviour or activity, including online behaviour.
social interactions, internet browsing, links clicked, calls made, attitude, interpersonal characteristics.
e.g. class reward chart, learning analytics, additional support needs.
Medical and health
Information about a person's health, medical conditions, or healthcare.
Physical and mental health, disabilities, family health history, blood type, prescriptions.
Gender and sexuality
Information that describes an individual's gender or sexual identity.
Gender identity, sexual preferences, sexual history.
e.g. LGBTQ+ identification, gender identity and pronouns used.
Information that describes individual characteristics shared with a socioeconomic or other type of group.
Age ranges, income brackets, home neighbourhood, educational background.
e.g. Curriculum for Excellence, free school meals, nurture groups, Gaelic-medium pupils.
Information about an individual's educational background, history, and attainment.
Attainment levels, school transfer history, exam results, records, disciplinary actions.
e.g. new pupils, attainment sets, school reports, exclusions, literacy levels.
Information about an individual's general reputation, social status, political affiliation.
Public profile locally, nationally, or internationally. Links to a political or religious group, activism, gang affiliation.
e.g. a pupil has a high profile, for instance they have been in broadcast media or are associated with a public figure.
Family and personal
Information about a person's family background.
Marital status of parents, foster care and adoption, siblings, bereavement, life experiences.
e.g. links between pupils' families, paternity disputes, relatives with criminal records, social services involvement.
Recreation / interests
Information about personal preferences, extracurricular activities, interests, hobbies, pastimes.
Club membership, being a fan of a group or individual, sports and instruments played, regular event attendance.
e.g. supporter of a specific football club, fan of a pop music band, member of church choir.
Information used for administration including communications, authentication, computing, contact details.
Voicemails, emails, phone numbers and addresses, IP address, PINs and passwords, authentication data.
e.g. email address or actual email content, pupil reference number; data for authentication like mother's maiden name, name of first pet etc.
As you can see, there is a vast amount of information to which you might have access during your placement. Because you are an extended member of the teaching staff, procedures will already be in place to legally allow this.
Some of the types of information listed above would constitute special category personal data, that is, highly sensitive pieces of information.
The GDPR defines special category data as:
- personal data revealing racial or ethnic origin;
- personal data revealing political opinions;
- personal data revealing religious or philosophical beliefs;
- personal data revealing trade union membership;
- genetic data;
- biometric data (where used for identification purposes);
- data concerning health;
- data concerning a person’s sex life; and
- data concerning a person’s sexual orientation.
Thinking back to the GDPR principles, schools can reasonably rely on a combination of consent, legitimate reasons, and other bases to enable them to process personal information as required. But legal problems can arise when a principle used in one context is transferred to another. For example, where consent obtained to use a pupil's image in a school newsletter is translated as a basis to share their image on social media. Or, where a retired teacher's home address is on record for legal purposes, but a colleague looks it up in order to send them a birthday card.
So, even though you may be legally permitted to handle some personal information during your placement, this will only be for approved purposes. And if you are permitted to process the information using specific technologies, there may be further limitations to consider.
In order to understand who is responsible for compliant processing of personal information, it can help to think of individuals and organisations as actors operating inside domains.
A domain is a ‘sphere of control’ (Cronk 2018, p135). Information within the domain may be within an individual’s control, or an organisation’s control. In a digital environment, we might also use the terms ‘user’ and ‘service provider’ respectively instead. There can be multiple actors within a domain and an actor can be operating within multiple domains simultaneously. Lots of actors and domains together make up an information system.
Actors and domains within a school
Make a list of the types of individuals, organisations and services who might be involved in the processing of personal information within a school environment.
When you have listed as many as you can think of, reveal our suggestions below.
Actors and domains
This list is not exhaustive; there will be many more example domains and actors.
In digitally-mediated environments there may be various external services supporting the operation of these primary domains. For example, the digital communication and record-keeping tools used by public and commercial sectors often rely on external sources for analytics, hosting of websites, marketing initiatives, and cybersecurity. So, when you’re using a digital application or visiting a website, you are often entering more than one new domain. Altogether, this may create a complex system of interconnected and overlapping domains.
The following map illustrates how information domains might overlap within and around a school setting. Each of the numbers on the map represents an actor operating within one or more domains.
The domains of a map will vary from school to school and may change according to the activities and needs of the school at any time.
The Department for Education recommends schools create maps like this to define their ‘personal data ecosystem’. They can then be used to identify risks and inform school policies on things like document retention, IT security, and external communications.
Our map shows a range of professional domains, but every individual operating within those domains will also exist within their own personal information domain. This will include their:
- handwritten notes and letters;
- conversations with others;
- phone calls;
- mobile phone apps and files;
- personal devices e.g. laptop, digital camera, fitness tracker; and
- anywhere they have a presence, including social media.
Just imagine how complicated the map would be if we added all the personal domains of every individual who enters the school domain.
Whenever all or part of a domain is digitally facilitated, there is a likelihood of overlap with other domains. For example:
- If you take a photo on your phone and store it using the “Photos” app, Google will automatically upload the image to the cloud. Google services will be a new domain and you will have permitted Google to use this information according to their license.
- When you scan a document on a wireless home printer/scanner, the Wi-Fi network, other household members, and any associated cloud storage become additional domains.
- You chat with a colleague after work using your personal Zoom accounts. Zoom, and any affiliated services, would be information domains.
What about UHI?
The University and its many departments, technologies and networks of information represent a domain, or information ecosystem, too. We will look at what that means for your portfolio work in the 'Your placement' section.
Image credits: Arlington Research, CDC, Fatos, Taylor Wilcox on Unsplash, Fauxels on Pexels.
With so many creative and resourceful ways to capture and use information within a digitally-enhanced or -mediated environment, it may be tempting to capture and use whatever you can. However, the capacity to gather and potential to use personal information does not in itself justify doing so.
In order to remain compliant with GDPR, you need to follow a logical process.
Reasons for processing personal data
You must have a valid lawful basis in order to process personal data.
There are six available lawful bases for processing. No single basis is ’better’ or more important than the others – which basis is most appropriate to use will depend on your purpose and relationship with the individual.
Most lawful bases require that processing is ‘necessary’ for a specific purpose. If you can reasonably achieve the same purpose without the processing, you won’t have a lawful basis.
You must determine your lawful basis before you begin processing, and you should document it.
What are the lawful bases for processing?
The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data:
- Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
- Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
- Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
- Vital interests: the processing is necessary to protect someone’s life.
- Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
- Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
Note: the law does not prevent information about children being shared with specific authorities if it is for the purposes of safeguarding. Speak to safeguarding professionals if you require assistance.
When is processing 'necessary'?
Many of the lawful bases for processing depend on the processing being “necessary”. This does not mean that processing has to be absolutely essential. However, it must be more than just useful, and more than just standard practice.
What about consent?
Consent means giving people genuine choice and control over how you use their data. If the individual has no real choice, consent is not freely given and it will be invalid.
This means people must be able to refuse consent without detriment, and must be able to withdraw consent easily at any time. So, for example, consent would not be considered to have been freely given if participation at a school sporting event depended on consent to publish their image in the school newsletter.
Children need particular protection when you are collecting and processing their personal data because they may be less aware of the risks involved. In England, Wales and Northern Ireland there is no set age at which a child is generally considered to be competent to provide their own consent to processing. In Scotland children aged 12 or over are presumed to be of sufficient age and maturity to provide their own consent for data protection purposes, unless the contrary is shown. If you are relying on consent in order to process information, then you should consider whether the individual child has the competence to understand and consent for themselves.
Conditions for valid and demonstrable consent
The individual must be fully informed about the processing activity; its purpose, scope, longevity, any sharing, any risks. We achieve this by providing accurate privacy notices at the time consent is given.
An affirmative action (opt-in)
Consent must be opt-in only – the GDPR prohibits the use of pre-ticked consent boxes. We make our seeking of consent prominent so that it is clearly understood. Consent must be separate from all other terms and conditions so that it is not agreed to by mistake.
Consent must be granular; this means that we must seek separate consent for each processing activity.
Consent must be freely given; we must not pressure or coerce individuals into giving consent, deliberately or otherwise. We must avoid making consent a precondition of service and should not rely on consent for processing where a power imbalance exists between the data controller or processor and the individual. Public authorities and employers will need to take extra care to show that consent is freely given, and should avoid over-reliance on consent.
If you can meet the conditions, you should:
- Name third party controllers who will rely on the consent
- Make it easy to withdraw consent and tell people how
- Keep consent separate from all other terms and conditions
- Keep evidence of consent – who, when, how, and what you told people
- Keep consent under review; how long will it last? And refresh it if anything changes
- If the processing changes then your consent may not be valid for the new processing.
The definition of ‘personally identifiable’ information might seem overcautiously broad, particularly when the chance of someone being identified will sometimes seem remote, or the likelihood of someone wanting to discover an identity in the first place might seem highly unlikely. However, we cannot assume to understand the complexity of an individual’s personal context or predict the long-term implications of our decisions.
Take the advancement of artificial intelligence and facial recognition software, for example. An image of an unfamiliar person could not tell you who they are or much about them, without additional information. But if you were to upload the image to social media, facial recognition software might immediately recognise them and connect that piece of data with a wealth of information captured through their extensive networks. Just imagine how the technologies of the future may be able to read and use personal data.
Of course, there needs to be some common sense applied to most situations and this tends to come in the form of a risk assessment. Just as you might plan a sports activity or field trip, acknowledging some levels of risk, the balance of whether something is justifiable may come down to whether risks can be sufficiently mitigated. Consider the likelihood of something happening against the severity of the impact of it happening. If it was highly unlikely that someone could discover the sexuality or religious affiliation of an individual, the risk would still be high because the sensitivity of the information could have a catastrophic impact on an individual, if made public.
Image: Fa Barboza on Unsplash
As a school professional, you could legally process quite a lot of personal information about pupils, parents and colleagues, within the school domain. You may be able to share some of that information, for specific purposes, within other approved domains. However, you will also always be operating within your own, personal domain, which could pose a risk to information security. You must consider this carefully, particularly when it comes to uploading evidence and reflections to your online placement record.
Like a school or local authority, UHI has a ‘personal data ecosystem’ of its own. This will include a range of administrative and learning technologies and processes. Your personal data can only be processed by UHI staff and their legally-contracted services according to the principles of GDPR and its other policies. So, there will be legitimate reasons and lawful purposes for processing your personal data.
When entering a school environment for your placement, you will be performing a professional role and will be required to operate within the policies and procedures of the school. For the purposes of your PGDE programme, you will be expected to record your experiences and document evidence and reflections within a digital portfolio. This will be in a format approved by UHI, in line with its own privacy and security policies. However, because UHI is a separate information domain, personally identifiable information gathered within the school environment may not be transferred to places in the UHI domain, unless you have been granted specific permission to do so. Such places include UHI Brightspace, UHI Mahara, and UHI OneDrive spaces.
You must not provide external access to your UHI OneDrive folder to anyone other than your mentor/supervisor, unless otherwise advised it is appropriate to do so.
You will need to document your experiences in such a way that protects the identities of the pupils and parents you work with, as far as possible. At times this might be quite challenging, as your experiences may be difficult to describe without referring to specific people. As we have learned, simply redacting names does not necessarily amount to anonymisation, if an identity may still be revealed through other information you provide.
The first thing you must do before adding any information to your portfolio is to minimise what you gather. Gather only what is necessary to meet the portfolio and any assessment criteria. It is extremely unlikely that you would ever need to gather highly identifying information, like pupil names or dates of birth. This type of information should not appear anywhere in personal or scholastic notes that are then to be taken outside of the school domain.
If you want to use evidence that necessarily has some personal information included, then this must be redacted or fully obscured before it leaves the school domain. This would apply to, for example, a piece of artwork with a pupil name at the bottom, or a photo with a person, or other personal information visible in the background. This could also mean redacting (removing or hiding) names in a document. But be careful about any other information present that could still reveal their identity. E.g. a class list is often in alphabetical order and may have other revealing features.
For more information on anonymisation strategies you may find the ICO document: Anonymisation: managing data protection risk code of practice useful.
Other things to consider
Avoid using specifics to refer to individuals; refer, perhaps, to a ‘senior manager’ rather than a job title, for example.
It is possible, where required, to link different pieces of information about an individual while protecting their actual identity – but be aware it is more challenging to anonymise in these circumstances. For example, you might want to track the progress of some pupils over time and, in your notes, you might refer to the pupil as “Pupil A”. This kind of privacy can be illusory in that it is often possible to identify them from the other information you provide – especially when you refer to them a lot. You must look very carefully at the sum of your information to determine whether any identities may be extracted, even if that seems unlikely.
You may be tempted to design strategies to talk about people or their characteristics using codes or symbols. For example, using the abbreviation “AS” to note additional support needs. But be very careful or avoid this altogether. When a code is used on a regular basis, patterns become apparent and often those patterns can be recognised as individual people. Don’t use coding in lieu of proper minimisation and anonymisation.
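The point that labels such as “Pupil A” do not anonymise notes can be checked mechanically. The following Python sketch is an added example, not part of the original resource: it counts how many records share each combination of descriptive fields (a k-anonymity check) and reports who is singled out. The records, field names and function names are all constructed for illustration.

```python
from collections import Counter
from itertools import combinations

# Constructed sample: placement notes on eight pupils, names already
# replaced with labels. Every value here is invented for illustration.
NOTES = [
    {"label": "Pupil A", "support_need": "dyslexia", "home_language": "Gaelic", "club": "choir"},
    {"label": "Pupil B", "support_need": "dyslexia", "home_language": "English", "club": "choir"},
    {"label": "Pupil C", "support_need": "dyslexia", "home_language": "English", "club": "football"},
    {"label": "Pupil D", "support_need": "none", "home_language": "Gaelic", "club": "football"},
    {"label": "Pupil E", "support_need": "none", "home_language": "English", "club": "football"},
    {"label": "Pupil F", "support_need": "none", "home_language": "English", "club": "choir"},
    {"label": "Pupil G", "support_need": "none", "home_language": "Gaelic", "club": "choir"},
    {"label": "Pupil H", "support_need": "none", "home_language": "English", "club": "football"},
]

# Fields that do not name anyone but can identify them in combination.
QUASI_IDENTIFIERS = ("support_need", "home_language", "club")


def group_sizes(records, fields):
    """Count how many records share each combination of values for `fields`."""
    return Counter(tuple(r[f] for f in fields) for r in records)


def k_anonymity(records, fields):
    """Size of the smallest group. k == 1 means someone is singled out."""
    return min(group_sizes(records, fields).values())


def singled_out(records, fields):
    """Labels of records whose combination of values is unique in the set."""
    sizes = group_sizes(records, fields)
    return sorted(
        r["label"] for r in records
        if sizes[tuple(r[f] for f in fields)] == 1
    )


def safe_field_sets(records, fields, k=2):
    """Field combinations that keep every record in a group of at least k."""
    safe = []
    for n in range(1, len(fields) + 1):
        for combo in combinations(fields, n):
            if k_anonymity(records, combo) >= k:
                safe.append(combo)
    return safe


if __name__ == "__main__":
    for n in range(1, len(QUASI_IDENTIFIERS) + 1):
        for combo in combinations(QUASI_IDENTIFIERS, n):
            print(combo, "k =", k_anonymity(NOTES, combo),
                  "singled out:", singled_out(NOTES, combo))
    print("Combinations safe at k=2:", safe_field_sets(NOTES, QUASI_IDENTIFIERS))
```

A combination that passes this check is only safe relative to the records in the set; someone with outside knowledge of the class may still recognise a pupil, so minimising what is recorded remains the first step.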
Processing securely and compliantly
If you have established appropriate reasons for processing personal data, then you need to do so in line with the principles of GDPR and the policies of the associated domain e.g. UHI, local authority.
You must be fair and transparent
- Are you processing the information in a way the individual would reasonably expect?
- Could there be any unintended consequences?
- Are you doing so in an open and honest way?
- Is it clear why you are processing the information and what you will then do with it?
Keep data to a minimum
- Is it adequate and sufficient to properly fulfil your stated purpose?
- Is it relevant, with a clear and rational link to that purpose; and
- Have you limited the information to what is necessary and not more than you need for that purpose?
Make sure data is accurate
- Have you taken care to ensure the information is correct?
- If you find information that is inaccurate, misleading or out of date, have you taken steps to have it erased or corrected? E.g. informed the person responsible, if this is not you.
Only retain the information for as long as necessary
- Only retain information for the intended purpose and no longer than necessary; or
- Retain only for the duration stipulated by the relevant record retention policy.
- Only use approved storage facilities and communication methods.
- Password protect or lock information away when it is not in use.
- Make sure you can demonstrate that you have processed information in line with all principles.
Devices and software
- Turn off or lock devices when you are away from them or no longer using them. Lock Windows computers with the Windows key + L.
- Only use devices provided by the school to capture, record or communicate information.
- Only use software approved by the school to carry out the duties of your role during placement.
- Only use UHI-approved technologies to upload, communicate and store information relating to your course documentation, i.e. reflective notes, lesson plans.
- Be aware of what you are sharing on screen.
- Lock paper-based documents in secure, appropriate locations e.g. locked filing cabinet in staff office.
- Shred, destroy or delete information that you no longer need and are not required to retain.
- Protect documents in transit.
- Only take the information you need with you, and know what you have taken.
Communications and administration
- Don’t leave personal information in voicemails.
- Check e-mail addresses, telephone numbers, postal addresses. Send a test email.
- Update details on systems (e.g. SITS).
- Use watermarks/indicators for who has a copy of a report.
- Proof read and remember that one day the person might request to see their information: keep it professional.
- Be careful where you leave information; can it be read through a window?
- Check your surroundings – e.g. is the supermarket the right place for that conversation? Should you be making certain comments over the phone in a crowded office?
- Verify who has a right to data – inside and outside of the organisation.
- Keep work in work times.
Situations will sometimes arise that require you to make a quick decision affecting personal data.
When you arrive at your placement make sure to ask how the school wishes you to handle such situations. Some schools may give you guidelines or policies to make your own decisions on how to react, other schools may have local data protection/safeguarding staff who will take over in such scenarios.
Make sure you find out how to handle these situations, and follow the instructions you are given.
For example, if the decision to provide personal data is necessary to mitigate another risk, then this may be justifiable. If there is an immediate risk to someone’s safety, which can be mitigated by providing access to otherwise protected information, then it could be argued that ‘vital interests’ apply. Each school will have its own procedures for making these judgement calls.
When something goes wrong
Sometimes things go wrong and personal data is put at risk or breached. E.g. you or someone else accidentally shares personal information with an unintended email recipient, or there is suspected unauthorised access to an account.
It is important to know how to react to such incidents, or suspected incidents. Your placement school will have procedures in place detailing what to do if you suspect, or receive a report that, personal data may be at risk or may have been breached. Make sure, when you arrive, that you find out how to react and who to contact for support, and follow these instructions if the need arises.
Privacy awareness resources
Promoting privacy awareness and a positive culture around data protection is one of the best ways to mitigate risk. Making sure that everyone understands their basic rights and the importance of privacy helps adults and even children play a part in protecting themselves and each other.
ICO resources for schools
The ICO provides a set of lesson plans and resources for promoting privacy awareness in schools: https://ico.org.uk/for-organisations/in-your-sector/education/resources-for-schools/
My Privacy Toolkit
The London School of Economics developed a privacy toolkit to help children, parents and educators improve their understanding of privacy issues: https://www.lse.ac.uk/my-privacy-uk
Protecting Children's Personal Information Online by ICO Schools
Breaux, T.D. (2020) An introduction to privacy for technology professionals. Portsmouth, USA: International Association of Privacy Professionals
Cronk, R.J. (2018) Strategic privacy by design. Portsmouth, USA: International Association of Privacy Professionals
Department for Education (2018) Data protection: a toolkit for schools Open Beta: Version 1.0. Available at: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/747620/Data_Protection_Toolkit_for_Schools_OpenBeta.pdf. Accessed 10/10/2020
Department for Education (2018) GDPR Guidance for Schools. (video) Available at https://www.youtube.com/watch?v=y09IHXv6u6M. Accessed 15/10/2020.
European Union Agency for Fundamental Rights and Council of Europe (2018) Handbook on European Data Protection Law: 2018 Edition. Luxembourg: Publications Office of the European Union
Livingstone, S., Stoilova, M. and Nandagiri, R. (2018) Children’s data and privacy online: Growing up in a digital age: An evidence review. LSE Media Communications. Available at: https://www.lse.ac.uk/media-and-communications/assets/documents/research/projects/childrens-privacy-online/Evidence-review-final.pdf. Accessed: 15/10/2020
Ustaran, E. (ed.) (2019) European data protection law and practice 2nd edition. Portsmouth, USA: International Association of Privacy Professionals
Some content has been sourced and adapted from content on the Information Commissioner's Office (ICO) website, which is available under the Open Government Licence v3.0.
This resource was written and developed by Liz Hudson (Educational Development Unit) and James Nock (Data Protection Officer), in consultation with the UHI PGDE programme team.