This will be updated on an ongoing basis with support documentation as we continue to prepare for the introduction of the new Data Protection legislation ahead of May 2018.
- Guidance for Schools: Consent to use Personal Information
- Guidance for Schools – Completing a Surveillance Camera/CCTV Data Protection Impact Assessment
- Template School CCTV Policy
- GDPR: Schools' FAQs
- GDPR Action Plan for Schools
- Information Asset Register
- Data Protection Policy
- Privacy Notices
- Data Protection Statement
- Data Breach Management
- ICO Promotional Materials
- Useful Resources
- Online Privacy and the Children’s Code
Guidance for Schools: Consent to use Personal Information
Schools should be aware that there are circumstances where consent may be required to use pupils’ personal information. The guide below sets out when consent may be required and how it should be obtained and recorded. It also includes useful template forms that can be adapted for use by schools when seeking consent.
Guidance for Schools – Completing a Surveillance Camera/CCTV Data Protection Impact Assessment
The use of CCTV Systems and other surveillance technologies must comply with the UK GDPR and the Data Protection Act and also take into account the privacy of those caught on camera. In order to ensure such compliance, it is essential that Schools who have or are considering installing surveillance camera or CCTV systems carry out a Data Protection Impact Assessment (DPIA).
It is recommended that the joint Surveillance Camera Commissioner and Information Commissioner’s Office CCTV Data Protection Impact Assessment Template (the ‘SCC &ICO Joint Surveillance Camera (CCTV) DPIA Template’), which is specific to surveillance cameras and surveillance camera systems, is used for this purpose.
The SCC & ICO Joint Surveillance Camera (CCTV) DPIA Template is linked below. The EA Information Governance Team have also prepared the below Guidance in order to assist NI Schools with completing the SCC/ICO joint CCTV DPIA Template.
Template School CCTV Policy
We previously published Guidance to assist NI Schools with completing the SCC/ICO joint CCTV DPIA Template. Leading on from this, the EA Information Governance Team have now prepared the below Template School CCTV Policy.
The Template School CCTV Policy is suitable for use by all Schools with CCTV in place, whether or not they have completed a CCTV DPIA and whether or not they have used the updated SCC/ICO joint CCTV DPIA Template.
The SCC & ICO Surveillance Camera (CCTV) DPIA (or any other form of CCTV DPIA) completed by the School, may inform the contents of the School’s CCTV Policy and vice versa. Therefore relevant Sections within the SCC & ICO Surveillance Camera (CCTV) DPIA (and our Guidance relating to it) have been highlighted in green throughout this template CCTV Policy for your ease of reference.
The Template School CCTV Policy, is designed for you to download, read/review and revise/complete any relevant highlighted sections as appropriate to your School.
GDPR: Schools' FAQs
Following the recent GDPR workshops with schools, EA has begun to develop a set of FAQs to address a range of queries that have been raised by Principals and others. This document will be updated regularly.
GDPR Action Plan for Schools
The GDPR Action Plan for schools provides a summary of the key actions your school should take to prepare for GDPR.
Data Protection Policy
Each School must have a Data Protection Policy. Please find a template below. You should download the template, read and review it and revise the relevant highlighted sections.
Please note: you will need to revise the Data Protection Policy depending on whether or not you have chosen to use EA as your Data Protection Officer (DPO). This is clearly explained in the actual Data Protection Policy template itself.
Each school should have three Privacy Notices:
- Privacy Notice - Pupils and Parents/Families/Carers/Legal Guardians
- Privacy Notice - Teaching Staff
- Privacy Notice - Non Teaching Staff
The Privacy Notice for Pupils and Parents/Families/Carers/Legal Guardians is standard across all schools and one template is provided below.
The Privacy Notice for Teaching Staff and the Privacy Notice for Non Teaching Staff are specific to your school type. A template for each is provided below. Please download the two relevant Privacy Notices for your school type, read and review them and revise the relevant highlighted sections.
Voluntary Grammar/Grant Maintained Integrated/Grant Maintained Irish Medium
Data Protection Statement
Where schools are collecting personal information through paper or electronic forms, a Data Protection Statement must be included. Below is a template statement which schools can use on data capture forms.
The Data Protection Statement informs people of the reasons why schools are collecting information and what the purpose is. It also directs people to where they can find further information in relation to schools’ privacy information.
Data Breach Management
Reporting a personal data breach
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
Many personal data breaches are accidental, for example sending personal data to an incorrect recipient or the loss of a file or computing device containing personal data, while others are deliberate such as unauthorised access by a third party.
If you believe that a personal data breach may have occurred you should report this to your school’s Data Protection Officer (DPO) immediately. If your school has appointed the Education Authority (EA) as its DPO, it should report any data breaches to EA’s Information Governance (IG) team. It is crucial that breaches are reported as soon as a breach becomes known in order that any remedial actions can be taken at once. To report a breach to EA please download the data breach report form below, complete the form providing as much detail as possible and return to the IG team following the instructions on the bottom of the form.
If your school has appointed EA as its DPO, the IG team will provide support and advice in the event of a data breach. The team will assist in considering whether the breach poses a risk to people and the likelihood and severity of the risk to people’s rights and freedoms following the breach. Not all data breaches are reportable to the Information Commissioners Office (ICO). However if it’s likely there will be a risk to individuals then the ICO must be notified. If your school has appointed EA as its DPO, the IG team will manage the reporting of all notifiable breaches to the ICO.
EA has developed some useful resources which can be printed and used in school to remind staff of the need to carefully handle personal information.
Online Privacy and the Children’s Code
Resources for teachers to use when discussing privacy and the Children’s code.
Teachers can use these to help children identify where they can go to for support, including what they should do if they suspect an app, game or website is misusing their data or not conforming to the Children’s code .They cover the curriculum in all parts of the UK and can be downloaded for free from the ICO website.
Visit the ICO website for further information on the Children’s Code.