The General Data Protection Regulation (GDPR) condenses the Data Protection Principles into six areas, which are referred to as the Privacy Principles. They are:
The school must have a lawful reason for collecting personal data and must do it in a fair and transparent way.
The school must only use the data for the reason for which it was initially obtained.
The school must not collect any more data than is necessary.
The data has to be accurate and there must be mechanisms in place to keep it up to date.
The school cannot keep the data any longer than needed.
The school must protect the personal data.
These privacy principles are supported by a further principle – accountability.
This means that your setting must not only do the right thing with data but must also show that all the correct measures are in place to demonstrate how compliance is achieved.
There is also an expectation that staff will be trained on data protection. Documentation on policies, procedures and training is going to be a key part of any effective compliance programme.