Data protection myth-busting guide for schools

2 February 2023

Data protection myths in schools - Veritau - Our education experts cover common queries and myths
7 common data protection myths in schools: our debunking guide

Data protection can be complicated. There are many myths out there making things even harder to get your head around.

Our education experts have put together guide to debunk some of these common data protection myths in schools.

If you need additional guidance on the technical terms, check out our A-Z guide to data protection jargon, or visit the ICO’s website.

Myth 1: You can’t give out class lists for Christmas cards

Data protection myths in schools - Veritau "Can we give out class name lists for Christmas cards?" "Yes, you can provide a list of the names of children in a child’s class to their parent or guardian. The information can be limited by providing only the first name and initial of the surname. You should only provide the list for the relevant class i.e. a parent or guardian of a child in year 4 does not need the class list for year 1." - Alison, Senior Information Governance Officer

Myth 2: You can’t send paper copies of pupil reports home

We would recommend sending documents containing children’s data electronically wherever possible.

However, paper copies of reports can be either handed to parents or guardians when they come into school or sent home in the child’s book-bag if necessary.

We would just suggest that the personal information on any paper documents should be kept to a minimum, to reduce the risk if a report is lost.

Myth 3: Parents and guardians can’t record school plays and events

Data protection myths in schools - Veritau "Can parents and guardians record school plays and events?" "It is fine to take photos and video recordings of school events for personal use. However, parents and guardians should be asked not to share these more widely on social media, for safeguarding and privacy purposes." - Rosie Kelly, Information Governance Manager

Myth 4: You must have consent to process someone’s personal data

As an organisation carrying out a public task, schools process most personal data because it is necessary to be able to carry out their statutory functions.

You only need to ask for consent to process someone’s information if it’s for something that isn’t compulsory, for example using children’s photos on the school website or social media.

Myth 5: You must keep allergy or dietary information locked away at all times

Data protection myths in schools - Veritau "Do we need to keep allergy or dietary information locked away at all times?" "This information should be readily available to the appropriate people in the event of a medical emergency, so you can display it in appropriate places such as the dining hall or kitchen. Just remember to only display the minimum detail necessary."

Myth 6: You can’t have school leaver hoodies with pupil names on

This is fine, so long as the personal information on school leaver hoodies is limited to only the pupil’s name.

We recommend using the first name and, where necessary, the initial of the surname.

Primary schools should inform parents in advance so that they have an opportunity to object if they don’t want their child included.

Myth 7: The police can have any personal information they ask for

The school must be confident that you have a lawful basis for sharing information with a third party, including the police.

Depending on the situation, it may be necessary and proportionate to share information.

Each request should be carefully considered, and you should only share the minimum information for the purpose.

Need some additional support?

Veritau provides data protection services to over 600 schools and academies across the UK, from local primary schools to large MATs.

We can act as your DPO, work with your existing DPO, or provide ad-hoc advice and support. Get in touch with our team of experts or download our schools brochure for more information.