UK GDPR: template record of processing activities

Download our template record 

You'll need to record the personal data you process at trust level separately from the personal data processed by each school within your trust. Use the template below to help you do this.

It includes entries for personal data commonly processed in schools.

Processing here means anything done to personal data, such as collecting, recording, organising, structuring, storing, adapting, altering, retrieving, using, disseminating, erasing or destroying. It can be manual or automated. 

However, the template doesn't contain a complete list, so you'll need to add and/or delete entries as necessary.

Read on to find out how to populate and maintain your record. 

Template record of processing activities XLS, 83.0 KB Download

How you must populate your record

You must record the information listed in the section 'Article 30 record of processing activities' section of the above spreadsheet to comply with the UK General Data Protection Regulation (UK GDPR).

The information listed in the rest of the columns is useful and helps support good practice, but is not necessary to comply with requirements.

The processing activities you must record depends on the size of your trust

If you have fewer than 250 employees, you must document processing activities that:

• Are not occasional (i.e. occur regularly)
• Are likely to result in a risk to the rights and freedoms of individuals
• Involve 'special category' data or criminal conviction and offence data

However, it's good practice to record all of your processing activities.

If you have 250 or more employees, you must document all of your processing activities.

You must record the different ways you process the same personal data

If you process the same items of personal data in multiple ways, you'll need to record each of the processing methods.

For instance, you may process the same items of personal data about a pupil through:

• An assessment system
• A safeguarding management system
• A parent communication service

There's no prescribed way to do this. You may:

• Organise your record by data type, listing each way that different types of personal data you hold can be used
• Organise your record by process, listing each type of personal data used in that process

We've organised our template by process because we believe it'll make populating and managing the record easier. You'll also easily be able to differentiate if the type of data is the same but it's treated differently (e.g. in terms of who it is shared with or how it is stored). 

Maintain your record on an ongoing basis

Your record of processing activities should be a living document. Your staff who process personal data should have ready access to it so they can update the record quickly and easily.

Once your record is established, it will:

• Serve as a map of your data protection processes in the event of an audit by the Information Commissioner's Office (ICO)
• Help you identify where data is held in the event of a subject access request
• Help you investigate breaches of data security

Your data protection officer may have a role in managing the record as part of their responsibility to monitor compliance with data protection law. 

Template for data processors

If you act as a data processor for data you do not control, you'll need to keep a separate record of those processing activities.

For example, if one of your schools is a teaching school providing school improvement services to another school, it may need to process the personal data of that school's staff and pupils. It will need to record these processing activities separately.

The ICO has a template record for data processors you can use to do this.