Last updated on 24 October 2018
Ref: 30346

Under the GDPR, you must record how you process the personal data you hold. Use our template and guidance to help you comply with this requirement now and on an ongoing basis in your MAT.

Contents

  1. Template record
  2. Important information about populating your record
  3. Maintain your record on an ongoing basis
  4. Template for data processors

Template record

You'll need to record the personal data you process at trust level separately from the personal data processed by each school within your trust. Use the template below to help you do this.

It includes entries for personal data commonly processed in schools. However, it's not a complete list, so you'll need to add or delete entries as necessary.

Important information about populating your record

You must record the information listed in the 'Article 30 record of processing activities' section of the above spreadsheet to comply with the General Data Protection Regulation (GDPR).

The information listed in the rest of the columns is useful and helps support good practice, but is not necessary to comply with requirements.

Jargon buster 

Processing: anything done to personal data, such as collecting, recording, organising, structuring, storing, adapting, altering, retrieving, using, disseminating, erasing or destroying.  

Processing can be automated or manual.

The processing activities you must record depend on the size of your trust

If you have fewer than 250 employees, you must document processing activities that:

  • Are not occasional (i.e. occur regularly)
  • Are likely to result in a risk to the rights and freedoms of individuals
  • Involve special category data or criminal conviction and offence data

However, the Information Commissioner's Office (ICO) explains that it's good practice to record all of your processing activities.

If you have 250 or more employees, you must document all of your processing activities.

Examples

If you take part in a one-off research trial that requires collecting or submitting pupil data such as their name and assessment information, you would only need to include this activity on your record if your school has more than 250 employees.

However, if the trial involved collecting or submitting special category data such as the pupil's racial or ethnic origin, you would have to record the activity regardless of school size.

You must record the different ways you process the same personal data

If you process the same items of personal data in multiple ways, you'll need to record each of the processing methods.

For instance, you may process the same items of personal data about a pupil through:

  • An assessment system
  • A safeguarding management system
  • A parent communication service

There's no prescribed way to do this. You may:

  • Organise your record by data type, listing each way that different types of personal data you hold can be used
  • Organise your record by process, listing each type of personal data used in that process

We've organised our template by process because we believe it'll make populating and managing the record easier. You'll also be able to easily differentiate if the type of data is the same but it's treated differently (e.g. who it is shared with or how it is stored). 

Maintain your record on an ongoing basis

Your record of processing activities should be a living document. Staff who process personal data should have ready access to it so they can update the record quickly and easily.

Once your record is established, it will:

  • Serve as a map of your data protection processes in the event of an audit by the ICO
  • Help you identify where data is held in the event of a subject access request
  • Help you investigate breaches of data security

Your data protection officer may have a role in managing the record as part of their responsibility to monitor compliance with data protection law. 

Template for data processors

If you act as a data processor for data you do not control, you'll need to keep a separate record of those processing activities.

For example, if you're a teaching school providing school improvement services to another school, you may need to process the personal data of that school's staff and pupils. You'll need to record these processing activities separately.

The ICO has a template record for data processors you can use to do this. 

Sources

This article and our templates are based on guidance and template records from the ICO.

The Key has taken great care in publishing this article. However, some of the article's content and information may come from or link to third party sources whose quality, relevance, accuracy, completeness, currency and reliability we do not guarantee. Accordingly, we will not be held liable for any use of or reliance placed on this article's content or the links or downloads it provides.