Registered office: 1 Saltmore Farm | New Inn Rd | Hinxworth | Baldock | SG7 5EZ  |  Telephone: 0800 0862018  |  Email:

GDPR data hoarding


Are you a Data Hoarder or a Data Generator?

Key points

  1. Under the GDPR’s data protection principles, your school will no longer be able to keep personal data for longer than it is needed.
  2. The GDPR will raise the profile of data protection and the rights of data subjects, including their right to a copy of all the data you hold on them – known as a subject access request or SAR.
  3. Over 20% of schools we surveyed say they have had a subject access request and this is likely to rise under GDPR.

Basically, the more data you hold – no matter how old it is, the more difficult it is for you to comply with the GDPR and the bigger headache subject access requests will be.

Now is the time to review how and what data you store as well as if your school is guilty of generating more data through, for example, poor email management.

Hoarding data
Think about what your school does with old data files, are they under the stage, in a confidential cupboard or in rows of filing cabinets? And what happens to old software and system back-ups? If the personal data is no longer needed – and unlikely to be needed, it should be securely destroyed.

Companies such as Shred-it offer on-demand shredding and hard drive destruction services and will come to your school and destroy and remove the data there and then.

Generating even more data
I recently spoke to a school that realised, following a subject access request, that it held 15,000 emails on one child. In a five-year school career, it is difficult to imagine how this many emails could be generated about one pupil but poor email management may well be the culprit. Here are two important tips to reducing the data you generate and hoard through email.

  1. Use CC sparingly
    It is easy to get into the habit of CCing people in, especially through pre-set staff lists, but it should only be used if the other people really need to see the email. Otherwise, you are generating more and more data with each email you send.
  2. Delete emails
    Never deleting emails is another way of hoarding data. Ask your IT department if they can automate this, train staff to only store the emails they need and add reminders to staff calendars to delete unnecessary emails at the end of each term. Getting staff into this habit will dramatically reduce the number you keep and the amount of personal data your school holds.

I recently started to watch a GDPR webinar and, after presenter introductions, the webinar focussed on the ICO’s enhanced fining powers. Whilst their powers have been enhanced, this kind of scare mongering is why the ICO’s new blog series focusses on the misconceptions surrounding the GDPR.

Here's five (of many) misconceptions that apply to schools. We dispell these and others in our awareness sessions and other training. Visit here to read about them

1. Organisations that do not comply with the GDPR face massive fines.
This law is not about fines but about putting the individual first. Whilst the ICO will have the power to impose higher fines than the data protection act limit, fines are only issued as a last resort and don’t fund the workings of the ICO.

“It’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm. The ICO’s commitment to guiding, advising and educating organisations about how to comply with the law will not change under the GDPR. We have always preferred the carrot to the stick.” Elizabeth Denham, The Information Commissioner.

2. Schools can relax as they have a two-year grace period

Steve Wood, Head of International Strategy & Intelligence at The ICO explains, “You will not hear talk of grace periods from people at the ICO. That's not part of our regulatory strategy. What you will see is a common-sense, pragmatic approach to regulatory principals”

3. All schools must have a data protection officer
The term ‘large-scale’ has not been defined by the ICO so it is unclear whether independent schools need a DPO. As for maintained schools, it is unclear if the DPO role will be their responsibility or that of their local authority. For both types of schools however, as well as for academies, appointing a DPO demonstrates that you value data protection to your pupils, staff and parents. We addressed this in another blog.

4. A subject access request must be completed within 31 days
The GDPR states that a subject access request must be responded to within one month, but does not define what one month is. Is it a 28 or 31-day month? In time, this will be defined but your school should plan to respond to a request more quickly than 28 days. If you put plans in place to respond within 21 days, this gives you a cushion for staff absence or other circumstances. Remembering that school holidays and weekends are included in the timescale and it is not only working days.

5. The GDPR doesn't apply to personal information that isn’t electronic
The GDPR is about personal information that identifies living individuals and not the format of that personal information. This includes personal information held in places such as mark books, on classroom and staffroom walls or on print outs. Consider the consequences of losing this information, or it being accessed by unauthorised people, before you write it down or print it out and if there is a way of anonymising it.

Data Protection Officer Service Level Agreements are now available. Click here for more information


In this article, we explore the role of the data protection officer (DPO), whether your school needs one and who this should be.

Updated 12th January 2018 (and again 14 February)
This week, the following was proposed concerning DPOs and maintained schools as part of a reading of the Data Protection Bill.

87A Insert the following new Clause “Where a school maintained by a local authority is unable to designate a data protection officer, the relevant LA must designate a DPO for that school or any group of schools maintained by that LA”

The full document can be read here:

At this stage, this is only a possibility (it didn't make it out of committee and into the final reading in the House of Lords, but may be re-proposed in the Commons - watch this space)and the terms 'unable' and 'designate' are not explained.

So we recommend that if you are a maintained school, speak to your local authority about any services they may be offering as a managed service.


Under the GDPR, do schools need a data protection officer?
The GDPR outlines three circumstances when an organisation must appoint a DPO. If you:

  1. are a public authority (except for courts acting in their judicial capacity);
  2. carry out large scale systematic monitoring of individuals (for example, online behaviour tracking); or
  3. carry out large scale processing of special categories of data or data relating to criminal convictions and offences.

As a public authority, circumstance 1 applies to maintained schools and academies, meaning that you do need a data protection officer.

What about independent schools?
The terms ‘large scale’ have not been defined by the Information Commissioner’s Office (ICO), so it cannot be assumed that independent schools fall into circumstance 2. Because of the nature of the data that all schools collect and process and that your data subjects are children, it would be wise however, for independent schools to appoint a data protection officer. Indeed, appointing a DPO demonstrates that you take the data protection of your pupils seriously.

How can schools afford a data protection officer?
A data protection officer can be employed fully by you, shared across schools or you can engage in a DPO service from an external provider. Each has its merits and should be reviewed as to which is the most suitable for your school, in terms of the appropriateness for the size of your school and the types of personal data you collect and process, as well as affordability and value for money. Talk to local schools to see if there is an opportunity to share one across the group. If you are part of a trust, speak to your central office about their plans.

What does a DPO do?
The DPO takes an advisory and monitoring role and should guide your school to be GDPR compliant. It is your school’s responsibility to follow this guidance. If you choose not to, the DPO is not responsible if anything goes wrong.

The DPO’s minimum tasks are defined in Article 39:

  • To inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws.
  • To monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advise on data protection impact assessments; train staff and conduct internal audits.
  • To be the first point of contact for supervisory authorities (the ICO) and for individuals whose data is processed (employees, customers etc).

What does the GDPR say about your duties when employing a DPO?
As a school or trust, you must ensure that.

  • The DPO reports to the highest management level of your school, i.e. the governing body or the trust board.
  • The DPO operates independently and is not dismissed or penalised for performing their task.
  • Adequate resources are provided to the enable DPO to meet their GDPR obligations.

Can we allocate the role of DPO to a member of staff?
Yes, but only if their professional duties are compatible with those of the DPO and do not lead to a conflict of interests. This means that they must be in an impartial role, report directly to the governing body and have no conflict of interest in their other duties. It is difficult to think of a role in school where there wouldn’t be a conflict of interest.

Anyone who makes decisions about which systems your school uses or how they are used, has line management responsibilities or decides what personal data is collected or processed, is not a suitable data protection officer. Remembering that this person cannot be sacked for performing their DPO role.

Can a governor be the data protection officer?
If the governor has no other responsibilities, then yes. For many schools, a governor with the right skills and authority, as well as time, would be suitable.

Does the data protection officer need specific qualifications?
Whilst the GDPR does not specify precise credentials, it does require that they should have professional experience and knowledge of data protection law. This should be proportionate to the type of processing your school carries out, taking into consideration the level of protection the personal data requires.

How we can help
Data Protection Education offers a data protection on demand service, contact us to discuss your school's context and how we can support you on This email address is being protected from spambots. You need JavaScript enabled to view it.  

Further reading
Accountability and Governance, an overview from the ICO:



In a statement of intent, the Government has committed to updating and strengthening data protection laws through a new Data Protection Bill that will bring the European General Data Protection Regulation (GDPR) into UK law.

The Data Protection Bill will.

  • Make it simpler to withdraw consent for the use of personal data
  • Allow people to ask for their personal data held by companies to be erased
  • Enable parents and guardians to give consent for their child’s data to be used
  • Require ‘explicit’ consent to be necessary for processing sensitive personal data
  • Expand the definition of ‘personal data’ to include IP addresses, internet cookies and DNA
  • Update and strengthen data protection law to reflect the changing nature and scope of the digital economy
  • Make it easier and free for individuals to require an organisation to disclose the personal data it holds on them
  • Make it easier for customers to move data between service providers

Age of consent to be set at 13

A key point for schools is that, under the GDPR, the UK government will legislate to allow a child aged 13 years or older to consent to their personal data being processed. For children under the age of 13, parents will be asked to consent. For much of the data collected by schools, consent will not be the lawful basis for collection but you must consider this when deciding what data to collect and process.

Read more and access the statement of intent

In this series of articles, we will outline practical steps to compliance, In this one, we introduce data audits.

The GDPR is the General Data Protection Regulation which is a new data protection law coming into force across the EU on May 25th 2018. The government has confirmed that leaving the EU will not affect the commencement of the GDPR. The law is changing to align with the ways we all share and process data in today’s digital world. It is an opportunity for your school to review and update the data it collects and how it is managed and secured as well as train your pupils and staff to be more careful with their data and that of others.

The most important point for your school is that you must be fully compliant on May 25th and not working towards compliance.

Auditing your data
There is much you can do to prepare for the new regulations and one of the first steps is to audit the data you hold in a spreadsheet.

What data are we collecting and processing?
List what personal data you hold across the school, where and how securely it is held, how it is collected or processed and who it is shared with. Identify which data you collect yourselves and which you receive from elsewhere, such as via the CTF or from other agencies. Adding a column about how better it can be secured is also helpful.

Ask staff what software and websites they use that gather personal data to map a complete picture across school.

Why are we collecting it?
To meet the GDPR, you must have a lawful basis for collecting and holding personal data and there are strict categories for this. From step one, identify a lawful reason for collecting or processing it, from the list below. Without a lawful basis, you should not be collecting or holding it.

  1. Consent
    The data subject has given their explicit consent for you to process their data. For children under the age of 16, this consent must be given by their parents. Consent may also be withdrawn.
  2. Contractual
    Such as employment contracts for staff.
  3. Legal obligation
    Such as collecting attendance data for the DfE.
  4. Protecting vital interests
    Such as disclosing medical information to health professionals or information for references.
  5. Public interest
    This applies to data collected for statutory purposes.
  6. Legitimate interest
    Such as for marketing purposes, not relevant for most schools.

Special category data
Data about race and ethnic origin, genetics, health and biometrics (including finger printing), beliefs such as religion, political opinions and trade union membership and sex life or sexual orientation is classed as sensitive data. The rules for this information are stricter than for other personal data. The Information Commissioner’s Office outlines these here. If your school using finger printing for school lunches or attendance, you should already have sought parental permission for doing so.

What’s the risk?
It is important to understand the risk to the individual and the school if any of the data you hold is lost or accessed by those without permission, known as a data breach. RAG rating each type of data will help you to prioritise staff training and data security. For example, losing the child protection register is potentially much more devastating compared to an attendance register.