GDPR: template record of processing activities
Under the GDPR, you must record how you process the personal data you hold. Use our template and guidance to help you comply with this requirement now and on an ongoing basis in your MAT.
Template record
You'll need to record the personal data you process at trust level separately from the personal data processed by each school within your trust. Use the template below to help you do this.
It includes entries for personal data commonly processed in schools. However, it's not a complete list, so you'll need to add or delete entries as necessary.
Important information about populating your record
You must record the information listed in the 'Article 30 record of processing activities' section of the above spreadsheet to comply with the General Data Protection Regulation (GDPR).
The information listed in the rest of the columns is useful and helps support good practice, but is not necessary to comply with requirements.
Jargon buster
Processing: anything done to personal data, such as collecting, recording, organising, structuring, storing, adapting, altering, retrieving, using, disseminating, erasing or destroying.
Processing can be automated or manual.
The processing activities you must record depend on the size of your trust
If you have fewer than 250 employees, you must document processing activities that:
- Are not occasional (i.e. occur regularly)
- Are likely to result in a risk to the rights and freedoms of individuals
- Involve special category data or criminal conviction and offence data
However, the Information Commissioner's Office (ICO) explains that it's good practice to record all of your processing activities.
If you have 250 or more employees, you must document all of your processing activities.
If you take part in a one-off research trial that requires collecting or submitting pupil data, such as their name and assessment information, you would only need to include this activity on your record if your school has more than 250 employees.
However, if the trial involved collecting or submitting special category data such as the pupil's racial or ethnic origin, you would have to record the activity regardless of school size.
You must record the different ways you process the same personal data
If you process the same items of personal data in multiple ways, you'll need to record each of the processing methods.
For instance, you may process the same items of personal data about a pupil through:
- An assessment system
- A safeguarding management system
- A parent communication service
There's no prescribed way to do this. You may:
- Organise your record by data type, listing each way that different types of personal data you hold can be used
- Organise your record by process, listing each type of personal data used in that process
We've organised our template by process because we believe it'll make populating and managing the record easier. You'll also be able to easily distinguish cases where the type of data is the same but it's treated differently (e.g. who it is shared with or how it is stored).
Maintain your record on an ongoing basis
Your record of processing activities should be a living document. Staff who process personal data should have ready access to it so they can update the record quickly and easily.
Once your record is established, it will:
- Serve as a map of your data protection processes in the event of an audit by the ICO
- Help you identify where data is held in the event of a subject access request
- Help you investigate breaches of data security
Your data protection officer may have a role in managing the record as part of their responsibility to monitor compliance with data protection law.
Template for data processors
If you act as a data processor for data you do not control, you'll need to keep a separate record of those processing activities.
For example, if you're a teaching school providing school improvement services to another school, you may need to process the personal data of that school's staff and pupils. You'll need to record these processing activities separately.
The ICO has a template record for data processors you can use to do this.
Sources
This article and our templates are based on guidance and template records from the ICO.
The Key has taken great care in publishing this article. However, some of the article's content and information may come from or link to third party sources whose quality, relevance, accuracy, completeness, currency and reliability we do not guarantee. Accordingly, we will not be held liable for any use of or reliance placed on this article's content or the links or downloads it provides. This article may contain information sourced from public sector bodies and licensed under the Open Government Licence v3.0.