Terrace Road Primary School

Frequently Asked Questions

Frequently Asked Questions regarding GDPR at Terrace Road Primary School


Q: Does the GDPR really affect schools?

Yes, every organisation or business that handles personal data needs to review its data protection policies and bring them in line with the General Data Protection Regulation.


Q: What is personal data?

Any information that can identify a natural person (‘the data subject’). The person can be identified directly or indirectly, for example by name, email address or where they are, but also by online identifiers such as IP address, types of website cookies and other device identifiers. Thus, an email from a parent carrying data such as their name, email address, and their child’s name can clearly identify both the child and the parent.


Q: What will the GDPR change in my school’s existing data protection processes?

If you have implemented processes in line with the existing Data Protection Act (DPA 1998), then you are well placed to meet the new requirements. Changes are mainly based on clarification and qualification of existing directives. A major change is that you can no longer simply say you meet the requirements; you must be able to offer evidence that this is happening.


Q: Who are data controllers, processors and sub-processors?

A data controller, in the context of schools, is the organisation that determines the purposes and means of processing personal data. Data processors provide services to the data controller and must follow the conditions laid down in the data controller’s instructions. The GDPR applies to both data controllers and processors. When data controllers collect data from the data subject, they must clearly tell them how they will use the data. They must also establish the legal basis for processing. Another category is called sub-processors or third-party data processors. These process data for a data processor and, although they do not have direct communication with the data controller, they are still wholly accountable for the protection of personal data.


Q: How can my school benefit by complying with the GDPR?

Without a doubt, reviewing your data protection processes throughout the school will help you to restore confidence and trust in both your internal procedures and those of your suppliers. A review of the Data Protection Act is long overdue. The previous Act became law in an era when some technologies were just emerging. Ensuring that you protect an individual’s fundamental rights will give you confidence in your policies and data sharing agreements.


Q: Does my school need a Data Protection Officer (DPO)?

Yes, as a public sector organisation you are obliged to have a DPO. However, you shouldn’t allow the fact that you don’t yet have a DPO to delay your journey to compliance with the GDPR.


Q: Who is a DPO and what do they do?

In simple terms, the DPO oversees GDPR compliance – independently – and acts as an intermediary between the organisation, data subjects, and the supervisory authority, the ICO. The minimum tasks of a DPO are defined as:

  • To educate the organisation and its employees regarding their data protection obligations and the rights of individuals
  • To monitor compliance with the GDPR
  • To act as the first point of contact for supervisory authorities and individuals whose personal data is processed (e.g. staff, students, parents, carers)


Q: Why must special categories of personal data, known as sensitive data, be treated with extra care?

Sensitive personal data which “uniquely identify a person”, for example genetic and biometric information, are classed in the GDPR as Special Category Personal Data. Access to this data must be limited to only the people entitled to see or use it, and extra provision must be made to ensure this happens.


Q: What happens when personal data is breached under the GDPR?

The GDPR is introducing a duty on all organisations to report certain types of data breaches to the “relevant supervisory authority” and to individuals when they have been affected. Even if a data breach is not reported to an authority outside school, it is important to get a full overview of where minor breaches are taking place and ensure they are not repeated.


Q: Why do I need a privacy notice?

Since you hold and process data on individuals, you must tell them in simple terms how their data is processed. The regulation states that this should be clear, easy to access and free of charge.
If the privacy notice applies to children, you’ll need to write it in a way they will understand.


Q: Is there any extra funding to implement GDPR in schools?

Data protection has always been an ongoing area in which schools should already be compliant. As such, there are no additional funds at the moment to support any changes and improvements.