What do teachers need to know about GDPR? 5 myths busted
There seems to be a little confusion about what teachers can and cannot do now under the new EU GDPR regulations. Here are five common myths cleared up.
Myth 1: ‘You must get consent each time you want to publish a picture of a pupil’
GDPR regulations state that there needs to be ‘clarity and accountability’ in the way that data is processed. If your current consent forms stipulate all the potential uses for the image, giving different options of where they may be published and making it clear that consent for the use of that image can be withdrawn at any time, then this is sufficient.
Myth 2: ‘You must report every data breach to the ICO within 72 hours of the breach’
Not all breaches have to be reported to the ICO. Only those breaches with the potential of damaging a person’s rights and freedom need be reported. If this is the case, these breaches need to be reported within 72 hours of the discovery of the breach, not of the breach itself. If you are ever unsure, ask your Data Protection Officer (DPO) to contact the ICO to ascertain whether they do indeed require a formal report. All data breaches should be recorded with your school’s DPO.
Myth 3: ‘You can no longer take your work laptop offsite’
So long as you have taken the correct security measures, including using up-to-date anti-virus software, the appropriate level of encryption and use of sufficiently strong passwords that haven’t been shared, then this shouldn’t be a problem.
Myth 4: ‘You can still use new management software without consulting your DPO’
If you decide to use new subject-specific or data management software, you must raise its use with your school’s DPO. This is to make sure that the software complies with GDPR in the way it processes data.
Myth 5: ‘A parent can request that you delete their child’s data at any time’
Any request for data to be erased should only be honoured if there is no lawful basis for that pupil’s data to be held. Secondary schools are legally obliged to retain a pupil’s records until they are aged 25. If such requests as these are made it is important to consult your school’s GDPR policy or DPO.
Want to know more?
For our Digital Schools members, we’ve produced a factsheet for pupils ‘GDPR: What are your rights?’ and a ‘GDPR: Key changes for schools’ teacher factsheet. At the end of the month, members will also have a set of GDPR compliant policies and procedures for their schools. Find out more about becoming a member here or email firstname.lastname@example.org for further details.
For further information on how GDPR affects teachers and schools, take a look at the Education and families section of the ICO website.