The Data Protection Acts and GDPR
The GDPR complemented by the Data Protection Act, 2018 is designed to protect the rights of individuals with regard to personal data. Under the GDPR, personal data is data that relates to or can identify a living person, either by itself or together with other available information and a data subject is the individual to whom the personal data relates.
The GDPR and the Data Protection Acts give a right to every individual to establish the existence of personal data, to have access to any such data relating to him or her and to have inaccurate data rectified or erased. It requires data controllers to make sure that the data they keep is collected fairly, is accurate and up-to-date, is kept for lawful purposes, and is not used or disclosed in any manner incompatible with those purposes. It also requires both data controllers and data processors to protect the data they keep, and imposes on them a special duty of care in relation to the individuals about whom they keep such data.
Schools are data controllers where they process the personal data of students, parents and staff. All Board minutes and other school records and data must be maintained in compliance with the GDPR and Data Protection Acts. The responsibility for compliance with the Acts rests with each school. The school must therefore be cognisant of its obligations in relation to the confidentiality, accuracy and security of all records and data held by the school. This includes records/data relating to staff and pupils and records/data relating to the business of the Board.
CPSMA has a very informative webinar on the issue of Data Protection for schools on its website for members.