The UK Information Commissioner’s Office has released a report which gives practical advice on how to comply with the Data Protection Act.

The advice was prompted by a survey of 400 schools across nine local authority areas that showed that whilst awareness of data protection laws was generally good, schools need to pay more attention to complying with data protection law.

The survey showed 95% of schools provided some information to pupils and parents about what was done with personal information.

A third of schools with password-protected computer systems conceded the passwords were not necessarily strong enough and not changed regularly, with 20% admitting email systems were not secure.

Louise Byers, ICO Head of Good Practice, helped draft the report: “The survey results showed that whilst awareness of the law was broadly good, knowledge on how to comply with it wasn’t always there. In many respects that should come as no surprise – it’s not teachers’ area of expertise – and it is precisely what our report is aiming to address.

“I’d urge teachers and heads to take a look at our recommendations and make sure they’re complying with the law. The sensitive personal data that schools handle means it is crucial they get this right, and we hope the ICO’s report will help them achieve that.”

A summary of the main recommendations is below:

  • Notification. Make sure you notify the Information Commissioner of the purposes for your processing of personal data
  • Personal data. Recognise the need to handle personal information in line with the data protection principles
  • Fair processing. Let pupils and staff know what you do with the personal information you record about them. Make sure you restrict access to personal information to those who need it
  • Security. Keep confidential information secure when storing it, using it and sharing it with others
  • Disposal. When disposing of records and equipment, make sure personal information cannot be retrieved from them
  • Policies. Have clear, practical policies and procedures on information governance for staff and governors to follow, and monitor their operation
  • Subject access requests. Recognise, log and monitor subject access requests
  • Data sharing. Be sure you are allowed to share information with others and make sure it is kept secure when shared
  • Websites. Control access to any restricted area. Make sure you are allowed to publish any personal information (including images) on your website
  • CCTV. Inform people what it is used for and review retention periods
  • Photographs. If your school takes photos for publication, mention your intentions in your fair processing/privacy notice
  • Processing by others. Recognise when others are processing personal information for you and make sure they do it securely
  • Training . Train staff and governors in the basics of information governance; recognise where the law and good practice need to be considered; and know where to turn for further advice
  • Freedom of information (FOI)/ After consultation, notify staff what personal information you would provide about them when answering FOI requests.

Find the full report here.