First, we need to understand what personal data are. Personal data are information which relate to living individual; processing these data means collecting, using, disclosing or disposing of information. The data protection principles apply to all information held electronically or in structured files that tells us something about the individual. These principles also extend to all information in the education records. Examples would be: full names of staff and children at school, dates of birth, home addresses, national insurance numbers, school marks, medical information, exam results, SEN assessments and staff reviews. Sensitive personal data are information related to race and ethnicity, political opinions, religious beliefs, physical or mental health, sexuality and criminal offences. The difference between processing personal data and sensitive personal data is that there are greater legal restrictions on the latter. Educational settings hold sensitive personal data in pupils’ and staff’ records so we need to be aware of the extra care this requires.
Also, we need to differentiate between personal information that individuals would expect to be treated as private and confidential, and personal information we can make freely available.
The Data Protection Act 1998 (DPA) requires teaching and non-teaching professionals to understand the correct balance in processing personal information in order to respect individuals’ privacy where it needs protection. Most schools now use an electronic information management system, where information should be kept safe and secure by using passwords, and many operate their own websites. However, schools are also likely to hold some information on paper. Personal data should always be processed fairly and lawfully. Fairness includes being clear and transparent about how every member of staff should use the personal information they collect. Practitioners should give a fair processing or privacy notice to parents and pupils before or as soon as they obtain their personal information. Practitioners have a legal duty of confidence with regards to person information that they hold about children, young people and their families. Any information they receive about young people and their families should only be shared with professionals, and all child protection records should be kept securely. In fact, schools and other educational settings should only collect information for a specific purpose; for example, the children’s address and parents/carers contact information. Every information must be kept up to date, by sending letters out to parent/carers to inform of a change of address or telephone number, etc. The information about a child should be kept for as long as the child attends the school; after a certain amount of time the files containing the personal data can be deleted and paper documents can be shredded. The method of destruction of personal data should consider the nature of the information. In all cases you must ensure that data is disposed of in a way that creates little risk of an unauthorised third party using it to the data subject’s detriment. Some of the children may be on the child protection register and this information should be available only to the designated safeguarding officer. If the safeguarding officer has been notified of some child protection issues in relation to any child, then they must disclose it to the child’s teacher in confidence to ensure the information shared is in the strictest confidence. The main organisations that schools share personal data with are:
• local authorities;
• other schools and educational bodies;
• social services.
Personal information can also be shared with pupils once they are old enough to be considered responsible for their own affairs, although information can also be shared with their parents or guardians.
The three most important aspects to consider when sharing data are:
• making sure the information can be shared;
• ensuring that adequate security (considering the nature of the information) is in place to protect it;
• providing an outline in a fair processing notice of who is receiving the personal information from the school.
The information the safeguarding officer holds must also be kept secure at all times and it is imperative that the information stored does not become public knowledge. In fact, information security is probably the most important area for schools to concentrate on. The loss of or unauthorised access to personal information is likely to cause a big harm to pupils, parents or staff. Individuals have a right to take action for compensation if the loss of personal data causes them damage.