GDPR: A guide for teachers

While much of the work on GDPR will be handled at a leadership level, the working routines of teachers will also be affected. Here is a brief overview of what will change.
GDPR article image
While much of the work on GDPR will be handled at a leadership level, the working routines of teachers will also be affected. Here is a brief overview of what will change.

There is no doubt about it, the General Data Protection Regulation (GDPR) will demand a change in the behaviour of teachers. While their day-to-day teaching will go on as normal, the way they handle data and conduct administrative tasks will need to be adapted. 

Watch: How GDPR will affect teachers


Culture change

Let's be clear, this will not be a revolution of what teachers do, more an evolution. 

GDPR Training will give teachers all of the information they need about being compliant, and from then on it is about ensuring a cultural change in how teachers behave. 

Basic security protocols that often go ignored — leaving a laptop logged in when you leave the room, having pupil data displayed on walls in unlocked staffrooms, sharing passwords between staff members — will have to be reiterated and enforced. The expectation will have to be that these rules are followed, with staff picking each other up when they are not. 

Teachers will also be required to automatically report suspected personal data breaches or security risks. Currently, they may delay informing the leadership team, or even try to cover up a breach or security risk. That simply cannot happen now (and should not have happened before, of course).

And finally, GDPR will formalise some of a teacher's freedom to try out new apps or IT tools in the classroom. A proper process will have to be set in motion for even the briefest use of a new tool. 

“For example, if I as a member of staff want to use a new platform to monitor something or manage something, historically, I may have just done it or may have had a chat with one other person to say 'we are looking to do this, is it ok?' And they might have said yes," says Toks Oladuti, director of information services at an independent girls’ schools trust in London. 

“Now, that sort of activity needs to be a bit more formal, where they are specifying what they want to use, why they want to use it, and the sorts of personal data that will be involved. They will also need to assess the risk of using it.”

To learn more about GDPR, see our other guides:

Personal data changes

GDPR will also greatly affect how teachers look after personal data. This includes information that is taken out of the school or used in emails.

“Within education, you will often have staff taking hard-copy documentation home without considering whether personal data is in there," says Dai Durbridge, education specialist and partner at law firm Browne Jacobson. If that documentation gets stolen or lost, there is a major problem. 

"[Teachers] may also remotely access material at home and save it onto a home computer, and that home computer can be accessed by others in the household," he adds. “If others in the household find some juicy personal information and share that stuff around, that is going to be a significant data breach.

"You have governors within education who use personal email addresses and a child or family is named within the body of the email. If that email were to go astray or were to be read by somebody on that governor’s home computer, that again is going to be a very serious data breach.”

If you are taking personal information out of school on a laptop, device or a phone, ensure that it is encrypted, so if it does get lost or stolen, it is not easily accessed by whoever finds it. 

Handling data about themselves

The defining feature of GDPR is giving inidividuals more rights to how their data is processed by organisations. This means teachers also have a right to access to their data, even within their current school.

For example, in principle, you would be able to make a subject access request on emails between the SLT on your union membership, as long a third party's information rights are not harmed. In this scenario, the names of those in the conversation would need to be anonymised, but you still should be given access to this.

Dmitrije Sirovica, solicitor at Browne Jacobson, says if you requested this, it "would be reasonable to disclose that (information) in the circumstances."

As well as access to your personal data, GDPR grants you the right to erasure of your information. For example, this could be your CV held by previous employers. Schools are required to have a process in place for how long they can keep this information and need to have a reasonable purpose for why they are keeping it.

Learn more about how GDPR will impact your recruitment practices