Legal Basis

The submission of the school census returns, including a set of named pupil records, is a statutory requirement on schools under Section 537A of the Education Act 1996.

This:

  • means that schools do not need to obtain parental or pupil consent to the provision of information

  • ensures schools are protected from any legal challenge that they are breaching a duty of confidence to pupils

  • helps to ensure that returns are completed by schools

1.2.2 Data protection and data sharing

The General Data Protection Regulation (GDPR) mandates certain safeguards regarding the use of personal data by organisations, including the department, local authorities and schools. GDPR gives rights to those (known as data subjects) about whom data is processed such as pupils, parents and teachers. This includes:

  • the right to know the types of data being held

  • why it is being held

  • to whom it may be communicated

For the purposes of data protection legislation, the terms ‘process’, ‘processed’ or ‘processing’ apply to any activity involving the personal data, such as:

  • collecting

  • storing

  • sharing

  • destroying

Please note: this list is not exhaustive.

However, as data processors and controllers in their own right, it is important that schools process all data (not just that collected for the purposes of the school census) in accordance with the full requirements of the GDPR. Further information on the GDPR can be found in the Information Commissioner’s Office (ICO) overview of the General Data Protection Regulation (GDPR).

Being transparent and providing accessible information to individuals about how you will use (process) their personal data is a key element of GDPR. The most common way to provide such information is through a privacy notice. Please see the Information Commissioner’s Office (ICO) website for further guidance on privacy notices.

For schools, this means that you must provide clear and accessible privacy notices that inform parents, pupils and staff:

  • what data is collected about them

  • for what purposes the data is collected

  • how the data is used (processed)

  • what the lawful basis is for processing

  • for how long the data is retained

  • with whom the data is shared

  • why the data is shared

The department provides suggested wording for privacy notices that schools may wish to use. However, where the suggested wording is used, the school must review and amend the wording to reflect local business needs and circumstances. This is especially important, as the school will process data that is not solely for use within census data collections. As such, to comply with GDPR, the privacy notice should contain details of all uses of data within the school, which may include, for example, information used locally for pupil achievement tracking and (where relevant) the use of CCTV data. The privacy notice should also include this link to the gov.uk webpage, which provides information on how the department processes data.

It is recommended that the privacy notice is included as part of an induction pack for pupils and staff, is made available on the school website for parents, as well as featuring on the staff notice board / intranet. Privacy notices do not need to be issued on an annual basis, where:

  • new pupils and staff are made aware of the notices

  • the notices have not been amended

  • they are readily available in electronic or paper format

However, it remains best practice to remind parents of the school’s privacy notices at the start of each term (within any other announcements / correspondence to parents) and it is important that any changes made to the way the school processes personal data are highlighted to data subjects.

Schools have a (legal) duty under the General Data Protection Regulation (GDPR) to ensure that any personal data they process is handled and stored securely. Further information on data security is available from the Information Commissioner’s Office.