3. Lawful Basis for Processing

The current Data Protection Act requires that Schools have a lawful basis for processing personal data. The GDPR updates these lawful bases and also makes Schools accountable for clearly identifying which legal basis they are using to collect personal data.

Template documentation is included in the full GDPR pack for those who choose to purchase it.

The GDPR sets out six lawful bases. These are consent, contract, legal obligation, vital interests, public interest and legitimate interests.

Much of the personal data that schools collect about their pupils is collected to meet a legal obligation of the School, e.g. to provide census data to the Department of Education. Some data will be collected as part of a contractual obligation. The remainder of the data is collected with the consent of the parents; this will cover things like photographs for school marketing and sending fundraising emails to parents.

A common misconception is that consent is widely required. However, it would be misleading to ask for consent where the personal data will be processed anyway, e.g. pupil census information.

It is important to consider the lawful basis and get this right at the start of your project. Our record of processing activities has suggested a lawful basis for all commonly collected personal data. Schools need to work out the legal basis at this stage as you will need to explain it to pupils, parents and staff later on.

An additional complication is where the School processes special categories of personal data. These are currently called sensitive personal data. The GDPR expands these to include racial or ethnic data, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, data concerning health or concerning a person’s sex life or sexual orientation. Processing of special categories of data is only permitted if the School can show that one of the exemptions applies. While some of this special data can be collected because of employment or special educational needs, the main way to collect this data is to get the explicit consent of the data subject. We’ll talk about consent in our next video.

Our record of processing activity has suggested a lawful basis for each data category. You need to review this and agree that this is the appropriate basis for your School.
