Language you can understand
The Information Commissions Office – sometimes referred to as the UK Supervisory Authority, which is the organisation that oversees data protection in the UK, There are offices in Scotland, NI, and Wales but they all apply the same law.
Any piece of information that can identify a person, directly or indirectly. In particular, where it can be referenced to things like names, location, online IDs, or to specific things such as physical, physiological, genetic, mental, economic, cultural or social identity of someone. You will often see this in referent to the term Natural Person.
As applied to personal data but this is called Special Category personal data and needs to be looked after very carefully; it refers to very specific groups of personal data which could be particularly harmful to individuals if in the wrongs hands, not available when needed or not correct.
Details about an individual which identifies them uniquely, such as finger prints or DNA.
A collective term when you collect, use, share or store data. The GDPR focuses specifically, but not completely, on digital data such as used in computers, phones and tablets, and on websites.
If you say what needs to be done with the data you are the DATA CONTROLLER.
There are instances where there is a combination of both controller and processor but most processing you do at school falls into the categories above.
If another organisation controls what you can do with the data then you are the DATA PROCESSOR.
If it’s your data then you are the DATA SUBJECT.
You must have a data sharing agreement with any person or organisation where you share data. It will clearly say what can and can’t be done with the shared data. It will ask for reassurances on issues such as storage security, how long the data is kept and how is the data disposed. There are good examples of data sharing agreements on the web and ICO has guidance on their website.
This is your notice to the world about the way you handle information you have access to. Every school must have one already and it’s important that all staff know what it says and means. It should also be in clear language so it can be easily understood by parents and children, where relevant.
Also referred to as legal basis for processing, no person or organisation can process data unless there is a legal reason for doing so. There are six main categories for lawful processing. You must find a lawful basis that fits the reason you are processing data. If you can’t, and you still process personal data, then you are breaking the law.
This is when the data is jumbled up. You need a ‘key’ to unjumble it otherwise it looks like rubbish. Personal data that leaves a safe and secure environment, for example, it goes out of school or is sent in an email, must be encrypted.
This is a breach of security, a breach of availability or data that is not correct when it should be; where accidentally or unlawfully personal data has been destroyed or misused. This might lead to physical or mental harm to an individual.
The use of existing information about someone to predict how they might behave in the future. If you shop online, you’ll see it all the time when the website suggests things you should buy as you have bought them before or they compliment a purchase. Profiling is used in education to predict students’ end of key stage or examination performance.
Also sometimes referred to as part of a PIA or Privacy Impact Assessment. It sounds very grand, but is just formalising and structuring considerations you probably already do. When you start or review a project or process you consider all the things that can go wrong regarding aspects of personal data. You then think about how to put it right or if it’s worth the risk doing nothing. A DPIA is written evidence that you have been through this thought process. Schools are already used to Risk Assessments for safeguarding and Health and Safety, so this is part of what schools need to consider.
This means you consider data protection and privacy from every angle in everything you do or plan.
A tool used to identify and reduce the privacy risks.
An individual can ask the Data Controller to remove and stop processing their personal data. If the Data Controller can justify it needs to process this data, then the request can be refused.
The ability to take data from one Data Controller and transferring it to another. A good example of this is changing banks or energy suppliers. In schools, data is regularly ported when students change establishments. Some data may not be portable due to it only being usable in a particular system but every effort should be made to make it available.
An expert on data protection who works independently to oversee that data protection policies and issues are correctly managed.
Sounds complicated, but it really isn’t! It’s used a lot in education where data is analysed and presented in reports or for examples, but the links to identify individuals are removed.
Also known as the Right to Access or SAR. If you hold data on anyone, they have the right to ask you for a report which says what, where, how and with whom you share that data.
A legal term used to be specific about individual human beings rather than a Legal Person, which may be a private or public organisation. Staff, learners, their parents and others whose data is processed by schools will generally be a Natural Person.