Information Governance


Data Protection Legislation

The Data Protection Act (DPA) 2018 and General Data Protection Regulation (GDPR) became law in May 2018, and regulate how organisations (including schools) must handle personal data, to make sure it is not misused.

The GDPR sits alongside the DPA, which sets out how the GDPR applies in the UK.

The GDPR introduces significant changes to individuals’ rights and the requirements for processing personal data, which schools have to comply with.

Some of the key areas requiring policy reviews and updated procedures include: lawful bases for processing, consent, privacy notices, records of processing activities, data protection impact assessments, data breach management and subject access requests.

The tabs below cover the key areas in relation to the GDPR and DPA, and are regularly updated to provide the latest advice and guidance tailored specifically to schools.