Another part of the ICO/DfE presentation that we thought was particularly useful covered the ‘legal basis’ on which we process personal data. We’ve been concerned we’d need to actively seek consent from parents for just about everything, which could be hugely time consuming and bureaucratic – as we know, there are always a handful of parents where it seems impossible to get a response. They made it clear that some schools were seeking consent for things where this is simply not required – parents don’t have an option!
In practice the ICO presenter seemed to be saying that almost everything we do in schools will fall under categories where we must comply with an existing ‘legal obligation’ such as collecting attendance data or teaching the National Curriculum, as well as to ‘ensure the vital interests of the individual’ such as for safeguarding purposes.
We have come to the conclusion that the only thing where we will be actively seeking consent for GDPR purposes at Chase Bridge will be for the use of photos and video that we use in school documents, displays and online.
The ICO also said that when consent is being asked for, the reasons must be put in a way that is clear and easily understood – they have seen some letters going out that are written in two pages of legalese, which is not only unhelpful but also not in the spirit of how GDPR should be applied.
Permission for trips and visits doesn’t seem to us to be a GDPR issue as such. We will continue to seek permission but this will be assumed unless we are told otherwise by the parents. We will let parents know about visits and what is happening (and obviously include details such as times, dates, places, information about lunches, coats, all the usual …) but not be seeking their consent for every occasion.
If you are interested in looking at the draft letter we have produced for parents please feel free to download from here.
Hope it’s useful.