GDPR (General Data Protection Regulation) FAQs for RM's School Checking Exercise website

What is GDPR?

  • The General Data Protection Regulation is a new, European-wide law that regulates the handling of personal data. It is interlinked with the new Data Protection Act 2018 which replaced the Data Protection Act 1998 and came into effect on the 25th May 2018. Both pieces of legislation place greater obligations on how organisations handle and protect personal data.

What kind of information does the GDPR apply to?

  • Much like the Data Protection 1998, the GDPR applies to personal data and sensitive personal data, which is now called 'special category data'.
  • Personal data is: "Any information relating to an identified or identifiable natural person ('data subject'). This is anyone who can be identified directly or indirectly, by a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the person."
  • 'Special Category Data' is data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, crime, health, sex life or sexual orientation.

Is the department providing support to schools?

  • Yes. The department is keen to support schools in thinking through what GDPR may mean for them. We have produced non-prescriptive guidance in the form of a blog for schools outlining steps that can be taken in preparation for GDPR.
  • There is also another blog here that was produced with the support of the ICO. A video has been produced as well. It is aimed at helping schools review and improve handling of personal data in preparation for the GDPR.
  • The DfE has also published a Data Protection toolkit for schools for schools to help them develop policies and processes for data management, from collecting and handling the data through to the ability to respond quickly and appropriately to data breaches.

What has changed for data subjects under the GDPR?

  • More rights to individuals over their data: GDPR expands the rights of data subjects to include the right to be forgotten, the right to data portability, the right to subject access requests (SARs – the timeframe for responding to these has also changed from 40 days to one month) and the right to prevent customer profiling.

What about "the right to be forgotten"? Does it mean that we must delete all personal education data under the 'right to erasure' provision?

  • The 'right to erasure' does not provide an absolute 'right to be forgotten'. Individuals have a right to have personal data erased and to prevent processing in specific circumstances. This may be applicable where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed or when the personal data was unlawfully processed (i.e. otherwise in breach of the GDPR), or where the personal data has to be erased in order to comply with a legal obligation.

Do schools and the DfE need pupil/student consent i.e. from parents, to collect and use their data?

  • Consent is not required when data collections are covered by law and have a legal basis. This personal education data is collected to enable the Department for Education (DfE) to fulfil its statutory obligations and therefore schools do have a legal duty to provide it.
  • The DfE collects personal data from educational settings and local authorities via various statutory data collections. Schools are required to share information about their pupils with the DfE either directly or via their local authority for this purpose.
  • The DfE has provided schools with guidance and privacy notice templates for all DfE data collections.

Does the DfE have a legal basis to collect and use pupil/student data?

Yes. The following legislation outlines DfE's legal basis that we rely on to enable us to collect and use pupil/student data:

Section 537A of the Education Act 1996 and Regulation 6 (d) of the Education (Individual Pupil Information) (Prescribed Persons) (England) Registrations 2009.

Section 47 of the Statistics and Registration Service Act 2007 and the Statistics and Registration Service Act 2007 (Disclosure of Pupil Information) (England) Regulations 2009.

Article 6 of the General Data Protection Regulation (GDPR), Section 8, Data Protection Act 2018 - Lawfulness of processing

Data Protection Act 2018

Article 9 of the General Data Protection Regulation (GDPR), Section 10 & Schedule 1 Data Protection Act 2018 Processing of special categories of personal data

Why is pupil information being collected from schools?

Statutory duties are placed upon schools to support DfE data collections. DfE collect and use pupil information, for the following purposes:

a)   to support pupil learning
b)   to monitor and report on pupil attainment progress
c)   to assess the quality of education services
d)   to underpin school funding, which is calculated based upon the numbers of children and their characteristics in each school.
e)   to informs 'short term' education policy monitoring and school accountability and intervention (for example, school GCSE results or Pupil Progress measures).
f)   to support 'longer term' research and monitoring of educational policy (for example how certain subject choices go on to affect education or earnings beyond school

The above list is not exhaustive, to find out more about the data collection requirements placed on schools by the Department for Education go to

What is the specific pupil information that is collected and used by the DfE?

Legislation allows the DfE to collect the following *information from pupils and their education providers:

  • personal identifiers and contacts (such as name, unique pupil number, contact details and address)
  • characteristics (such as ethnicity, language, and free school meal eligibility)
  • safeguarding information (such as court orders and professional involvement)
  • special educational needs (including the needs and ranking)
  • medical and administration (such as doctors information, child health, dental health, allergies, medication and dietary requirements)
  • attendance (such as sessions attended, number of absences, absence reasons and any previous schools attended)
  • assessment and attainment (such as key stage 1 and phonics results, post 16 courses enrolled for and any relevant results)
  • behavioural information (such as exclusions and any relevant alternative provision put in place)

* please note that this list is not exhaustive.

Where will the DfE be holding or publishing the information / data they collect from schools?

The data we collect will be used for the following products and services, all of which are key components of the government's school accountability and transparency policy:

What is the National Pupil Database and why is personal data held here?

  • Much of the data about pupils in England goes on to be held in the National Pupil Database (NPD).The NPD is owned and managed by the Department for Education and contains information about pupils in schools in England. It provides invaluable evidence on educational performance to inform independent research, as well as studies commissioned by the Department.
  • It is held in electronic format for statistical purposes. This information is securely collected from a range of sources including schools, local authorities and awarding bodies.
  • To find out more about the NPD, go to

Who does DfE share the personal pupil data with?

  • Data is only shared when it is both lawful and ethical to do so. The law allows the Department to share pupils' personal data with certain third parties, they include:
    • schools
    • local authorities
    • researchers
    • organisations connected with promoting the education or wellbeing of children in England
    • other government departments and agencies
    • organisations fighting or identifying crime
  • To ensure transparency and public confidence in the use of data held by DfE, the department publishes details of all external personal level data shares here:
  • For more information about the Department's data sharing process, please visit:

How do you ensure that the personal information / data is not lost, damaged or unlawfully accessed?

  • All parties involved in collecting, processing and storing this data are trained to apply appropriate information security controls and technical and organisational measures against unauthorised or unlawful handling, transferring or processing of personal data and against accidental loss or destruction of, or damage to, the personal data.

How long is the information / data kept for?

  • Information generally needs to be kept for as long as necessary but it will never be kept for longer than this. How long information is kept for will depend on the nature of the information being collected and processed. It will also be subject to periodic reviews to determine if the DfE has further need for it.
  • Personal data will need to be retained for longer in some cases than in others for example where data is required to be kept for archiving purposes in the public interest or for historic or scientific purposes. This data will be subject to appropriate safeguards in that technical and organisational measures are in place to ensure respect for the principle of data minimisation. How long we retain different categories of personal data is based on individual business needs.
  • When the data is no longer needed it will be destroyed or archived securely

Are pupils or their parents able to request access to this personal education data?

  • When data is processed only for scientific or historical research purposes or statistical purposes it is exempt from the right of access to personal data pursuant to Part 6, Schedule 2 of the Data Protection Act 2018 (Article 15 GDPR) provided the data is processed in accordance with the Data Protection Act and the product of the research or statistics are not published in a form which identifies any of the data subjects.
  • For data items held within DFE which are processed for purposes which could be considered operational in nature, Part 6, Schedule 2 of the Data Protection Act 2018 (Article 15 GDPR) is not relevant and the data items used to support decisions relating to the data subject will be considered for release on request. Pupils and parent have the right to:
    - object to processing of personal data that is likely to cause, or is causing, damage or distress
    - in certain circumstances, have inaccurate personal data rectified, blocked, erased or destroyed.

How can complaints be made about the way personal data is being collected or used?

  • If anyone has a concern or complaint about the way their data is being collected or used, they should raise their concern with the school or the DfE in the first instance or go directly to the Information Commissioner's Office at

What is the ICO and how can I contact them?

  • The Information Commissioner's Office (ICO) regulates compliance with data protection legislation and can provide you with independent and impartial advice and guidance.
  • The ICO can be contacted by telephone or online chat – contact details are: and 0303 123 1113.

Will GDPR be maintained post-Brexit?

  • Information on the ICO website states that the government has confirmed that the UK will continue to implement the EU's GDPR standards after it leaves the EU.