Steps data protection officers and organisation heads of education providers should take to stay compliant with data protection laws now the UK has left the EU.
Read this guidance if you:
- are the head of an organisation, a data protection officer (DPO), or are responsible for data within an organisation
- transfer personal data between the UK and the EU, Iceland, Liechtenstein and Norway (EEA)
- transfer personal data within the EU, Iceland, Liechtenstein and Norway (EEA)
This guidance is:
- not designed to cover every incidence of where you process personal data
- not designed to replace your own risk review
- not a substitute for legal advice
General Data Protection Regulation (GDPR)
GDPR will be brought into UK law and the Information Commissioner will remain the UK’s independent supervisory authority on data protection.
The Data Protection Act 2018 will continue to apply to data transferred within or from the UK.
Personal data includes, but is not limited to:
- contact information about pupils, students, learners, staff and carers
- health information
- details about recipients of pupil premium
- employee references
- safeguarding information about an individual
- passport information, if planning trips to the EU
- pupil exam references and results
Data controller means a person, company or other body that determines the purpose and means by which personal data is processed.
Educational establishments, such as schools, colleges and universities, are often data controllers in their own right.
Data processor means anyone who handles personal data on the instructions of a controller. Examples include storing, collecting or analysing data as part of a service provided to the controller.
Data protection officer
GDPR requires all organisations to appoint a data protection officer. Data protection officer duties include advising on data protection obligations, monitoring internal compliance and providing advice on data protection impact assessments. Read the ICO guidance about data protection officers.
Steps you should take
These steps will help you to continue sharing and receiving personal data lawfully.
- continue to carry out your own risk review
- get legal advice if you are not sure
- make sure you are complying effectively with GDPR
- use the ICO free web resources to determine what changes, if any, you may need to make
There will be no immediate changes to data protection law or any new restrictions on sharing data with the EU, Iceland, Liechtenstein or Norway from 1 February 2020.
Sharing data with the EU, Iceland, Liechtenstein and Norway
Contact anyone within the EU, Iceland, Liechtenstein or Norway with whom you share personal data.
You should explain that you can still share personal data lawfully with them now that the UK has left the EU.
Receiving data from the EU, Iceland, Liechtenstein and Norway
Identify where you receive data from the EU, Iceland, Liechtenstein, or Norway, and determine:
- who the data controllers and processors are
- where the data is stored
Contracts: new and existing
Ensure that contracts which include the processing of personal data in the EU provide the additional safeguards required and, where appropriate, standard contractual clauses (SCCs).
This includes where data is being transferred from a data controller within the EU, Iceland, Liechtenstein and Norway to a UK data controller, or a UK data processor.
This applies to:
- existing contracts
- new contracts you put in place
Use the ICO free interactive tool to determine what contract changes, if any, you may need to make.
Data Protection Impact Assessments (DPIA) and privacy notices
Review and update with your data protection officer (or whoever has responsibility for data protection in your organisation):
- Data Protection Impact Assessments (DPIA)
- privacy notices
Make sure they:
- are up-to-date
- reflect any changes you are making to your ways of working
Read the guidance on the Information Commissioner’s Office website for more information on data protection.