Both the Data Protection Act 2018 and GDPR (General Data Protection Regulation) will continue to apply after Brexit.
However, the UK will be a ‘third country’ (a country which is not a member of the European Union) from the date on which the UK leaves the EU, in so far as GDPR is concerned. After that date, any controller that receives personal data from an entity in the European Economic Area (EEA), or sends personal data to an entity in the EU, needs to be aware of the implications.
Schools should work out whether they receive any personal data from, or send any personal data to, entities (rather than individuals) in the EEA.
Examples of when schools may receive personal data include:
- Annual exchange visits with a Spanish school and receiving a list of visiting pupils who will be coming, their ages, sexes, and allergy and other relevant health information;
- An independent school recruiting students from Germany every year and using an agent to coordinate the applications and admissions.
An example of when a school may send personal data is:
- A school contracting with an adventure holiday provider in France and sending pupils’ information so it is ready to receive them upon arrival.
To make sure that the personal data continues to flow uninhibited, and that the reason for sending it (e.g. the exchange visits) is not hindered, specific contractual provisions should be put in place before you send or receive the data.
To support you with this, the ICO has developed an interactive tool to guide you towards the correct template to use.
Finally, it is worth noting that entering into a contract with the sender of the personal data will not fulfil or displace your continuing obligations to comply with the Data Protection Act.