Yesterday, the government confirmed that its Data Protection Bill will bring the GDPR into UK law. Unlike the Data Protection Act, there is very little that member states can adapt within the GDPR to meet their own circumstances; this is because it is a law and not an act. One point that can be adapted is the age at which individuals (data subjects) can consent to their personal data being processed. Member states can choose any age between 13 and 16, and the UK has chosen 13.

What does this mean for young people?
A central point of the GDPR is to place the data subject at the heart of and in control of their personal data. Bringing the age of consent to 13 helps young people to understand and recognise the value of their personal data, the ways they share it as part of their online lives and the risks this poses to them. Indeed, we will all be much more conscious of the personal data trail we leave. Recognising this at a young age can only help pupils to be more in control of their personal data.

What does this mean for schools?
Under the GDPR, the first data principle states that personal data must be processed fairly and lawfully. This means that you must have a lawful purpose for processing the data, i.e. don't just collect it because you want to. There are six lawful bases and consent is only one of these, meaning that you don't need to ask permission for every piece of data you process. Indeed, there are very few circumstances where consent will be the lawful basis for the data you collect. One case would be photographs that aren't required for teaching purposes, such as for a school brochure or website.

Much of the data you collect is collected to meet statutory obligations, such as the data for statutory returns. This data is also collected to help protect the vital interests of your pupils as well as to perform contractual duties to teach them. As you work through your data audit, consider why you are processing each piece of personal data and the basis for doing so, not forgetting that this applies to staff and parental data too. It is critical that your privacy policy makes clear to pupils, staff and parents why you are processing their data.

Here are the six lawful bases.

  1. Consent
    The data subject has given their explicit consent for you to process their data. For children under the age of 13, this consent must be given by their parents. Consent may also be withdrawn.
  2. Contractual
    Such as employment contracts for staff.
  3. Legal obligation
    Such as collecting attendance data for statutory returns.
  4. Protecting vital interests
    Such as disclosing medical information to health professionals or information for references.
  5. Public interest
    This applies to data collected for statutory purposes.
  6. Legitimate interest
    Such as for marketing purposes; this is not relevant for most schools. If you do use email marketing, consent is the most appropriate basis for processing this data.

Further reading

Teaching data protection
The Information Commissioner's Office provides resources for schools, including lesson plans.

Auditing your data
Our previous blog outlines how to audit the personal data you process.