This will be updated on an ongoing basis with support documentation as we continue to prepare for the introduction of the new Data Protection legislation ahead of May 2018.
Guidance for Schools: Consent to use Personal Information
Schools should be aware that there are circumstances where consent may be required to use pupils’ personal information. The guide below sets out when consent may be required and how it should be obtained and recorded. It also includes useful template forms that can be adapted for use by schools when seeking consent.
GDPR: Schools' FAQs
Following the recent GDPR workshops with schools, EA has begun to develop a set of FAQs to address a range of queries that have been raised by Principals and others. This document will be updated regularly.
GDPR Action Plan for Schools
The GDPR Action Plan for schools provides a summary of the key actions your school should take to prepare for GDPR.
Data Protection Policy
Each School must have a Data Protection Policy. Please find a template below. You should download the template, read and review it and revise the relevant highlighted sections.
Please note: you will need to revise the Data Protection Policy depending on whether or not you have chosen to use EA as your Data Protection Officer (DPO). This is clearly explained in the actual Data Protection Policy template itself.
Each school should have three Privacy Notices:
- Privacy Notice - Pupils and Parents/Families/Carers/Legal Guardians
- Privacy Notice - Teaching Staff
- Privacy Notice - Non Teaching Staff
The Privacy Notice for Pupils and Parents/Families/Carers/Legal Guardians is standard across all schools and one template is provided below.
The Privacy Notice for Teaching Staff and the Privacy Notice for Non Teaching Staff are specific to your school type. A template for each is provided below. Please download the two relevant Privacy Notices for your school type, read and review them and revise the relevant highlighted sections.
Voluntary Grammar/Grant Maintained Integrated/Grant Maintained Irish Medium
Data Protection Statement
Where schools are collecting personal information through paper or electronic forms, a Data Protection Statement must be included. Below is a template statement which schools can use on data capture forms.
The Data Protection Statement informs people of the reasons why schools are collecting information and what the purpose is. It also directs people to where they can find further information in relation to schools’ privacy information.
Data Breach Management
Reporting a personal data breach
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
Many personal data breaches are accidental, for example sending personal data to an incorrect recipient or the loss of a file or computing device containing personal data, while others are deliberate such as unauthorised access by a third party.
If you believe that a personal data breach may have occurred you should report this to your school’s Data Protection Officer (DPO) immediately. If your school has appointed the Education Authority (EA) as its DPO, it should report any data breaches to EA’s Information Governance (IG) team. It is crucial that breaches are reported as soon as a breach becomes known in order that any remedial actions can be taken at once. To report a breach to EA please download the data breach report form below, complete the form providing as much detail as possible and return to the IG team following the instructions on the bottom of the form.
If your school has appointed EA as its DPO, the IG team will provide support and advice in the event of a data breach. The team will assist in considering whether the breach poses a risk to people and the likelihood and severity of the risk to people’s rights and freedoms following the breach. Not all data breaches are reportable to the Information Commissioners Office (ICO). However if it’s likely there will be a risk to individuals then the ICO must be notified. If your school has appointed EA as its DPO, the IG team will manage the reporting of all notifiable breaches to the ICO.
EA has developed some useful resources which can be printed and used in school to remind staff of the need to carefully handle personal information.