Under GDPR, schools will need to have a legal basis for processing data. GDPR gives the following potential bases which will be relevant for schools:
- The data subject has given consent to the processing of his or her personal data for one or more specific purposes.
- Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
- Processing is necessary for compliance with a legal obligation to which the controller is subject.
- Processing is necessary in order to protect the vital interests of the data subject or of another natural person.
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
While consent comes first in the list, the vast majority of the time schools will wish to rely on legal obligations or the performance of a task carried out in the public interest. Schools have many legal obligations, and it is necessary to process data to comply with those legal obligations or carry out their task of providing education. It would be impossible to provide an education to a child if you could not process their name, date of birth and other key information relating to their education.
Schools will want to rely on these bases, rather than consent, because consent can be withdrawn. To give an example, a school will require the name and address of a student for the purposes of registering them at the school and sending relevant information to students/parents. However, it would not be lawful to then pass that personal data to a third party for marketing purposes. The key thing to consider is the purpose for which the information is being processed.