
Data protection and school websites

Last updated on 26 October 2022

General Data Protection Regulation (GDPR)

Accountability is a key requirement of GDPR. The Information Commissioner’s Office (ICO) requires all Data Controllers to have documented processes and procedures in place, as well as the relevant privacy notices and policies. Some of these must be made easily available to stakeholders, so although it is not statutory to publish documents relating to GDPR on your website, we would strongly recommend that you do so, as well as having hard copies available on request. You may wish to consider creating a specific page for all the GDPR resources.

The following is a list of the key documents for showing compliance with GDPR, along with suggestions on how they should be shared.

  • Contact details of DPO - preferably on Contact details page.
    We recommend creating a generic email address, e.g. dpo@.
  • Privacy notice for pupils - how you process pupil data.
    For a ‘layered’ approach, use the simple version with links to the full version.

  • Privacy notice for parents - how you process contact data.
    For a ‘layered’ approach, use the simple version with links to the full version.

  • Data Protection Policy

  • Online Safety Policy

  • Subject Access Request - how to submit a request.
    Preferably directly on a page on the website, but also in the privacy notices and data protection policy.

GDPR templates and guidance

GDPR templates and guidance are contained in the Herts for Learning GDPR toolkit. This toolkit is only available by subscription.

Safe use of images

Guidance on photographing and recording children during events and activities, and on sharing images on school websites and social media, can be found on the NSPCC and ICO websites linked below.

NSPCC Learning: Photography and sharing images guidance

ICO: Taking photos in schools
