Data Protection Commissioner’s Toolkit for Schools

The Data Protection Toolkit offers essential guidance for schools on managing children’s data, handling access requests, and ensuring compliance. With key insights on consent, third-party data sharing, and CCTV policies, the guidance should be considered by schools. Read our expert analysis to stay ahead of evolving data protection obligations.

The Data Protection Toolkit was published on 19 December 2024. Given the complexities of data protection in schools, the Toolkit is a valuable resource for principals, teachers, and Boards of Management nationwide. At the forefront of the Toolkit is the principle that the best interests of the child will be considered by the Data Protection Commission (DPC). It is important to note that the Toolkit focuses on the processing of children’s data, as opposed to the processing of employee or parent data.

We regularly assist schools with Data Access Requests. Since the introduction of GDPR, we have noticed a sharp increase in these requests, often made by parents, on behalf of their children. Further guidance has been provided regarding the handling of these requests. Importantly, the DPC has confirmed that “the clock does not stop” during school closure periods. Schools should be particularly mindful of this during the summer months, as they must respond to data access requests within the one-month time limit. Therefore, it is very important that the school email and post are regularly monitored during July and August.

The Toolkit provides some clarification regarding the age of consent. It confirms that once a child has turned 17, their data protection rights should not be exercised by their parent/guardian. Schools must deal directly with the student. There has never been official guidance on this before so this will be very helpful for schools going forward.

Third parties

It is important to remember that there must be a basis for sharing data with an outside agency. By way of example, schools regularly share data with Tusla, the child and family agency, regarding a student’s attendance record. This is a statutory obligation. Schools should always ask the question: do I have a lawful basis for sharing this data with an outside party? The Toolkit provides detail guidance around the various scenarios where schools share data with third parties. In particular, it stresses the importance of having a robust processing agreement in place to protect shared data.

CCTV

It is important to remember that CCTV footage qualifies as data. Schools should have a clear policy in place regarding CCTV. The Toolkit advises that schools should have appropriate signage in place which informs staff and students that CCTV is in operation.

Data Protection Impact Assessment

Schools should regularly review and update their Data Protection Policy. It is important that the policy is “child friendly”. The policy is not just intended for staff and parents, but for students also. The DPC advises schools to carry out a Data Protection Impact Assessment which identifies the risks associated with processing children’s data. The Toolkit provides in-depth guidance on conducting these assessments.

Conclusion

It is important that schools are aware of their statutory obligations as data controllers. Schools should take the time to become familiar with the Toolkit.

The deadline for submitting feedback on the Toolkit to the DPC was 31 January 2025. Now that the submission period has closed, we anticipate further guidance to be issued.

For more information, contact a member of our Education Law team.

The content of this article is provided for information purposes only and does not constitute legal or other advice.