Information for education providers on how to remain compliant with data protection laws when the UK leaves the EU.
Data controllers and data processors in the education sector, who transfer personal data between the UK and the EU or within the EU, will be aware of the need to prepare for the UK’s departure from the EU. Educational establishments, such as schools, colleges and universities, are data controllers in their own rights.
No deal data protection planning for the education sector
If the UK leaves the EU without a deal, it will impact how you process personal data. You need to make sure transfers of personal data in your organisation continue to comply with data protection laws.
This guidance is not designed to cover every incidence of where you process personal data or replace your own risk review. This is also not a substitute for legal advice that you may seek relating to the processing of personal data.
This information supplements advice on data protection included in our related sector guidance, available for:
Example types of data:
- contact information about pupils, students, learners, staff and carers
- health information
- details about recipients of pupil premium
- employee references
- safeguarding information about an individual
- passport information, if planning trips to the EU
- exam pupil references and results
Steps to take
If you only work within the UK and you do not transfer data within the EEA, there is no immediate change. You will need to ensure you continue to comply with UK data protection law.
If you transfer data within the EEA, you will need to follow these steps.
Read the Information Commissioner’s Office website for further advice and guidance around data protection and EU exit.
Reassure people with whom you share personal data in the EEA that you can continue to do this lawfully once the UK leaves the EU, since the UK will continue to allow personal data to be sent from the UK to the EEA.
Identify the incidents where you receive data from the EEA and, for each incident, identify who the data controllers and processors are, and where the data is stored.
If a data controller is based in the EEA (for example, when you run school exchange visits), you may want to consider whether Standard Contractual Clauses (SCC) are suitable. The ICO’s free interactive tool will help you decide whether this is the case.
If SCCs are not appropriate, the General Data Protection Regulation (GDPR) has other articles in it which will provide you with the additional safeguarding measures. You can find these in Article 46 and Article 49 of the GDPR. More information can be found on the ICO website.
If the UK leaves the EU without a deal, the GDPR would be brought into UK law. This and the Data Protection Act 2018 will continue to apply to data transferred within or from the UK.
In addition to any existing contracts, you will need to make sure that any new contract you put in place after EU Exit which includes the processing of personal data in the EU, provides the additional safeguards required.
You will need to make sure all your documentation such as Data Protection Impact Assessments (DPIA) and privacy notices are up to date, to reflect any changes you are making to your ways of working.
Data controllers and data processors should keep following the ICO website for progress of the discussions with the EU on the adequacy agreement with the EU, which will allow the UK to process personal data freely across the EEA. You should also keep up to date with guidance from the department on data protection issues.
In this note, the following terms are afforded the definitions provided by Article 4 of the General Data Protection Regulation (GDPR):
- ‘personal data’ is a broad concept that covers any information that relates to an identified or identifiable individual
- data ‘controller’ refers to any person, company, or other body that determines the purpose and means by which personal data is processed
- data ‘processor’ is any person who handles personal data on the instructions of a controller (for example storing, collecting or analysing data as part of a service provided to the controller)