Our specialist information law team understands that navigating the landscape of information law can be challenging for education providers, especially when time and resources are in short supply. To help effectively manage your organisation’s legal obligations, we have prepared a comprehensive Toolkit (available here), comprising a full suite of documentation, which includes:
- Privacy notices: organisations must provide privacy information to individuals in order to comply with UK GDPR. We have developed clear, user-friendly privacy notices designed specifically for education providers to help you meet your obligations.
- Policy documentation: accountability is central to effective data protection compliance, and the law requires organisations to put in place appropriate technical and organisational measures to meet their obligations. A key part of this is implementation of effective policy documentation. We have developed a range of template policy documentation for education providers to enhance information law compliance and protect the information you hold.
- Guidance documents: we understand the benefits of internal resources to help your staff understand and comply with their obligations under data protection law. We have produced guidance notes covering areas such as data protection impact assessments (DPIAs) and records of processing activities (ROPAs).
- Other templates: we have prepared a range of useful template documents that have been designed with education providers in mind. These include a template data processing agreement, due diligence questionnaire, and a subject access request log and progress tracker.
All of the documents in the Toolkit are available to purchase individually, or as part of a bundle for a discounted price. For further information about the contents of the Toolkit and for more detail about the bundles, please see below.
|Privacy notice for pupils||A privacy notice aimed at pupils with versions tailored to state funded schools, academy trusts and colleges, and independent schools and colleges. These documents contain the privacy information you are legally required to provide under Articles 13 and 14 UK GDPR|
|Privacy notice for parents||A privacy notice aimed at parents and carers with versions tailored to state funded schools, academy trusts and colleges, and independent schools and colleges. These documents contain the privacy information you are legally required to provide under Articles 13 and 14 UK GDPR|
|Privacy notice for staff||A privacy notice aimed at staff with versions tailored to state funded schools, academy trusts and colleges, and independent schools and colleges. These documents contain the privacy information you are legally required to provide under Articles 13 and 14 UK GDPR|
|Data protection policy for staff (including information rights policy addendum)||This is an internal document that helps staff understand and comply with their obligations under data protection law. It includes an information rights policy covering all individual rights, including the right of access.|
|Bring your own device (BYOD) policy||Essential if you permit your staff to work from any personal device including simply checking their work emails from a personal smartphone.|
|Retention and deletion policy||This policy will help you comply with the storage limitation principle under UK GDPR.|
|Policy on the use of images and video||Essential if you use pupil images or video on your website, social networking platform, for marketing, development, or fundraising. We have different versions of this policy available for state funded schools and independent schools|
|Subject access request policy (external facing)||This is an external-facing policy that explains to individuals how you deal with subject access requests.|
|Biometrics policy and template consent form||If you use biometrics (e.g. for cashless catering, library book borrowing, building access) the Department for Education expects you to have a biometrics policy in place. This policy and consent form will help your organisation comply with its obligations under data protection law and the Protection of Freedoms Act (POFA).|
|Freedom of information and environmental information policy||This policy is aimed at organisations subject to these regimes only and details how requests are treated.|
|Data breach protocol||To help you comply with the GDPR accountability principle and manage a personal data breach.|
|Information security policy||This policy is an essential part of your data protection compliance and sets out staff obligations to help your organisation comply with the security principle.|
|Data protection impact assessment (DPIA) guidance||This guidance document walks you through the process for carrying out a DPIA.|
|Guidance on completing and maintaining records of processing activities (ROPA)||This guidance explains your obligations when creating a ROPA and how to manage it in line with your legal obligations under UK GDPR.|
|Data breach log||UK GDPR requires you to document all personal data breaches, regardless of whether they need to be reported to the ICO or not. This serves as your statutory record.|
|Freedom of information publication scheme||This is a statutory requirement for public authorities.|
|Record of processing activities (ROPA) template||A ROPA is a statutory requirement of the UK GDPR. This one is specifically designed for educational establishments.|
|Subject access request log and progress tracker||This resource will help you to keep track of subject access requests and manage them effectively.|
|Subject access request policy (external facing)||This policy provides individuals with information about the way your organisation manages subject access requests|
|Template data processing agreement for schools||UK GDPR requires a written contract to be put in place between a controller and processor containing specific contract clauses and imposing contractual obligations on the processor. This template may be used as a template contract or as a useful guidance resource to assist you when reviewing agreements.|
|Pre-contract due diligence questionnaire||For use when contracting with a processor e.g. data destruction company, mail fulfilment, IT company. UK GDPR requires you to check your processors before you contract with them. This template questionnaire is detailed enough to be adapted to suit multiple scenarios. See how you prospective contractors “measure-up” before you sign on the dotted line.|
|Appropriate policy document||This is a legal requirement where you are relying on certain conditions to process special category personal data, for example, the safeguarding condition (substantial public interest) or the employment condition. This is almost always relevant for education providers.|
|These documents are the most complex and have been drafted to comply with specific legal requirements set out in the UK GDPR.||£450 + VAT per document|
|These documents consist of template policy documentation that can be adapted to suit your organisation.||£300 + VAT per document|
|These documents consist of guidance notes and simple templates to help your organisation meet its compliance obligations.||£150 + VAT per document|
Comprehensive and clear privacy notices are an essential part of data protection compliance. We have taken the hard work out of privacy notice drafting by preparing templates that require minimal effort to finalise and adopt. These privacy notices contain all of the information required by law in a user-friendly format that you can adapt to meet your organisation’s needs.
We have two versions of this bundle available, depending on whether you are a state funded school, trust or college or an independent school or college.
Includes: Privacy notice for pupils; privacy notice for parents and carers; privacy notice for staff
We understand that policies are difficult to get right. An effective policy helps members of staff understand and comply with their obligations under data protection law and ultimately protects your organisation. We want our policies to offer clear guidance to staff, and focus on what really matters rather than containing lots of unnecessary detail.
This bundle contains template versions of the core policies the Information Commissioner’s Office expects organisations to have in place when they are processing personal data. It includes a data protection policy to help your staff understand your organisation’s wider obligations and what they need to do to ensure compliance, a retention and deletion policy to explain your records management and retention practices (this includes a record retention schedule specifically tailored to educational institutions), and a data security policy to help your organisation comply with its obligations under the data security principle.
Includes: Data protection policy; retention and deletion policy; data security policy
This bundle is an amalgamation of our essential privacy notices and essential policies bundles, and contains three privacy notices (for pupils, parents and carers, and staff) as well as a template data protection policy, record retention policy, and data security policy.
There are two versions available, one for state funded schools or colleges and one for independent schools or colleges.
Includes: Privacy notice for pupils; privacy notice for parents and carers; privacy notice for staff; data protection policy; retention and deletion policy; data security policy
This bundle is designed for state funded education providers that are subject to the Freedom of Information Act 2000 and the Environmental Information Regulations. We have developed a Freedom of information and environmental information policy, which clearly sets out the processes educational institutions should follow when dealing with requests made under these pieces of legislation.
The Freedom of Information Act 2000 also requires every public authority to adopt a publication scheme setting out your commitment to proactively publish information, along with details of how the public can access that information. We have developed a separate publication scheme tailored for education providers setting out all of the necessary information to achieve compliance.Includes: Freedom of information and environmental information policy; publication scheme
This bundle is designed to help organisations that are looking for additional support with enhancing their data security practices. Personal data breaches are unfortunately all too common, and often organisations struggle to manage their reporting obligations. This bundle includes a data breach protocol, which sets out processes for dealing with personal data breaches in practice, as well as a data breach log to help you to meet your legal obligations to document all personal data breaches that occur. In addition, the bundle includes a bring your own device (BYOD) policy, which is essential for any organisation that allows its staff to use personal devices for work purposes.
Includes: Data breach protocol, data breach log, bring your own device (BYOD) policy
|Essential privacy notices||£1,215 + VAT|
|Essential policies||£810 +VAT|
|Essential privacy notices and policies||£2,025 + VAT|
|Public authority pack||£405 + VAT|
|Security add on pack||£675 +VAT|