With the GDPR shaking up all things data protection, we know you have plenty of questions that need answering. In this article, we’ve rounded up our most frequently asked questions; so, whether you’re looking for information on consent, privacy notices, data storage, breaches, or you’re just interested in what we’ve been asked, hopefully you will find the answer to at least one of those questions on your mind.

1. How should exercise books that contain pupils’ full names, and possibly photos, be stored in classrooms?

As pupils are likely to know the names of their peers, there is not a huge risk in leaving exercise books in view, as there isn’t the potential for a hugely damaging security breach. That being said, it is good practice to store exercise books in a cupboard.

2. Can we display pupils’ photographs in school displays and include their full names?

Wherever possible, schools should avoid identifying pupils – if names are required, only first names should be used.

Photographs and videos taken by staff on school visits may be used for educational purposes, e.g. on displays or to illustrate the work of the school, where consent has been obtained.

Find more information in our Photography and Videos at School Policy.

3. Do we need consent to print full names on leavers’ hoodies?

As hoodies and other memorabilia do not fall under the usual activities of a school, schools could not rely upon the legitimate interests right to be able to process the data for that purpose and, as a result, consent would be needed.

4. Can we display the photographs of school leavers and include their name?

Past pupil photographs can be used as part of a display if a school has a lawful basis for doing so, such as their consent; however, depending on the purpose of the use consented to prior to the photograph being taken, the individual’s consent may need to be refreshed.

More information can be found in our article here.

5. Can we display pupils’ work around school which includes their full name?

It is perfectly reasonable to display pupils’ work around school and include their full name without consent.

6. Can we provide work that includes a pupil’s full name to a company that are running a competition, without parental consent?

This does not fall under the usual activities of a school, so it would be good practice to apply pseudonymisation (anonymising the data as much as possible, e.g. blurring a photograph of a pupil) to the art work to reduce the risk of it being identified. If you are unable to use pseudonymisation, consent would be required.

7. What personal data breaches need to be reported to the ICO?

Breaches that are likely to result in a risk to the rights and freedoms of individuals must be reported to the ICO (within 72 hours). Examples may include:

      • Access by an unauthorised third party
      • Deliberate or accidental action by a controller or processor
      • Sending personal data to an incorrect individual
      • Computing devices containing personal data being lost or stolen, e.g. USB stick
      • Alteration of personal data without permission
      • Loss of availability of personal data

For more information, refer to our Data Security Breach Management Plan Flowchart and our Data Breach Log.

8. What are the rules when writing about a pupil in a publication?

If it is for a legal publication, then schools should consider whether and why the name is needed. If it is for marketing, then schools should consider pseudonymisation – the individual has the right over what their identity is being used for, unless they have already given a blanket consent for marketing purposes.

9. Has the age that a child should give their own consent been confirmed?

Pupils aged 13 and over can provide consent themselves for schools to use their personal data. A pupil aged 13 and over must be able to fully understand what they are consenting to, and the advantages and disadvantages of providing consent. If this is not the case, the consent is not ‘informed’ and is therefore invalid.

More information can be found in our article here.

10. What is the age of consent for biometric data?

This has not yet been confirmed.

11. How often should consent be refreshed?

The GDPR does not specify how long consent is valid for or how often it needs to be reviewed; however, it is likely that it will degrade over time, so how long the consent lasts depends on the context. It also depends on what the consent was given for – if the processing activities have changed, the consent will need to as well.

For more information, read our consent guidance.

12. Are we able to display exam timetables in school?

Displaying exam timetables is a legitimate activity and way of communicating, so this is valid – consent is not required.

13. Where do we stand on retweets from other organisations? Tweets may include pupil photographs, for example.

If consent has already been provided for use of an image on social media, the consent would cover retweets from other organisations.

14. Do we need to list every third party we share information with in our privacy notice?

Privacy notices must be transparent, and no information should be withheld – meaning every third party needs to be listed.

More information can be found in our article here.

15. Are images of pupils and staff considered personal data?

Images are considered to be personal data – find more information here (this applies to staff too).

16. How often do privacy notices need to be signed?

Similar to question 11, consent should be kept under review and it should be refreshed if anything changes, so consent only needs to be sought once, unless anything changes.

More information can be found in our article here.

17. Are separate privacy notices needed for parents?

If a privacy notice is intended for pupils and their families, it would be appropriate to outline how a school uses parents’ information within this privacy notice – a separate privacy notice would not be required.

More information can be found in our article here. You can also access our Privacy Notice for Pupils and their Families, which includes how a school may use parents’ information, here.

18. Do privacy notices need to be published on the school website?

Privacy notices must be communicated to data subjects to satisfy their right to be informed; however, this does not mean privacy notices have to be published on the school website.

More information can be found in our article here.

19. Who can be a school’s data protection officer (DPO)?

The role of DPO can be undertaken by an internal or external individual, as long as they have professional experience and knowledge of data protection law.

More information can be found in our articles on appointing a DPO and any restrictions on becoming a DPO.

20. How can we ensure our suppliers are compliant with the GDPR?

There are no set criteria for proving compliance with the GDPR; however, you should review their relevant policies and procedures, and ensure their processes are in line with the GDPR.

More information can be found in our article here. Take a look at our GDPR Compliant Agreement for Suppliers, which establishes an effective agreement for data processing, sharing and storage between a school and their supplier.

For more information on GDPR, take a look at our resource pack which contains numerous downloads to ensure you are GDPR-compliant.


