UK GDPR: template record of processing activities
Under the UK GDPR, you must record how you process the personal data you hold. Use our template and guidance to help you comply with this requirement now and on an ongoing basis in your MAT.
Download our template record
You'll need to record the personal data you process at trust level separately from the personal data processed by each school within your trust. Use the template below to help you do this.
It includes entries for personal data commonly processed in schools. However, the template doesn't contain a complete list, so you'll need to add and/or delete entries as necessary.
Processing here means anything done to personal data, such as collecting, recording, organising, structuring, storing, adapting, altering, retrieving, using, disseminating, erasing or destroying. It can be manual or automated.
Read on to find out how to populate and maintain your record.
How you must populate your record
You must record the information listed in the 'Article 30 record of processing activities' section of the above spreadsheet to comply with the UK General Data Protection Regulation (UK GDPR).
The information listed in the rest of the columns is useful and helps support good practice, but is not necessary to comply with requirements.
The processing activities you must record depend on the size of your trust
If you have fewer than 250 employees, you must document processing activities that:
- Are not occasional (i.e. occur regularly)
- Are likely to result in a risk to the rights and freedoms of individuals
- Involve 'special category' data or criminal conviction and offence data
However, it's good practice to record all of your processing activities.
If you have 250 or more employees, you must document all of your processing activities.
If you take part in a one-off research trial that requires collecting or submitting pupil data such as their name and assessment information, you would only need to include this activity on your record if your trust has more than 250 employees.
However, if the trial involved collecting or submitting special category data such as the pupil's racial or ethnic origin, you would have to record the activity regardless of trust size.
You must record the different ways you process the same personal data
If you process the same items of personal data in multiple ways, you'll need to record each of the processing methods.
For instance, you may process the same items of personal data about a pupil through:
- An assessment system
- A safeguarding management system
- A parent communication service
There's no prescribed way to do this. You may:
- Organise your record by data type, listing each way that different types of personal data you hold can be used
- Organise your record by process, listing each type of personal data used in that process
We've organised our template by process because we believe it'll make populating and managing the record easier. You'll also be able to see easily where the same type of data is treated differently (e.g. in terms of who it is shared with or how it is stored).
Maintain your record on an ongoing basis
Your record of processing activities should be a living document. Your staff who process personal data should have ready access to it so they can update the record quickly and easily.
Once your record is established, it will:
- Serve as a map of your data protection processes in the event of an audit by the Information Commissioner's Office (ICO)
- Help you identify where data is held in the event of a subject access request
- Help you investigate breaches of data security
Your data protection officer may have a role in managing the record as part of their responsibility to monitor compliance with data protection law.
Template for data processors
If you act as a data processor for data you do not control, you'll need to keep a separate record of those processing activities.
For example, if one of your schools is a teaching school providing school improvement services to another school, it may need to process the personal data of that school's staff and pupils. It will need to record these processing activities separately.
The ICO has a template record for data processors you can use to do this.
This article and our templates are based on guidance and template records from the ICO.
The Key has taken great care in publishing this article. However, some of the article's content and information may come from or link to third party sources whose quality, relevance, accuracy, completeness, currency and reliability we do not guarantee. Accordingly, we will not be held liable for any use of or reliance placed on this article's content or the links or downloads it provides. This article may contain information sourced from public sector bodies and licensed under the Open Government Licence v3.0.