1. What content should be included in a school’s website privacy statement?

Where a school/ETB has a website which collects data, the school/ETB is legally obliged to have a Website Privacy Statement in place. For example, where the website:

• Collects personal data from its visitors (such as via a “Contact Us” web form/feedback form etc.).
• Uses cookies
• Uses web-beacons
• Covertly collects personal data such as email addresses or IP addresses of visitors to the site

There is a legal requirement that the school/ETB website display a Website Privacy Statement (see S.I. 336/2011 European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011). If the website doesn’t have a Website Privacy Statement, this is a breach of the law and can result in investigation and enforcement action being taken by the Data Protection Commissioner. Failure to comply could result in prosecution with a penalty of up to €100,000.

2. Must a school authority obtain direct marketing consent from parents/guardians?

The basic rule that applies to direct marketing is that you need the consent of the individual to use their personal data for direct marketing purposes. At a minimum, an individual must be given a right to refuse such use of their personal data both at the time the data is collected (an “opt-out”) and, in the case of direct marketing by electronic means, on every subsequent marketing message. The “opt-out” right must be free of charge.

A school/ETB must obtain prior written consent to direct marketing if it wishes to issue direct marketing (whether by post, email or SMS text messaging).

3. For what purpose can a school use CCTV?

The use of CCTV systems involves the processing of personal data and so any system must operate in compliance with the Data Protection Acts.

In a school context, consideration of the matter involves having regard to the rights of staff and students in relation to the processing of their personal data.

The principal rationale for the installation of such systems can primarily be for security purposes. The Data Protection Commissioner recognises that CCTV recording may be justified for securing the perimeter of school property. However, he recommends that it may not be justifiable for day-to-day monitoring of staff and students.

It is recommended that, where CCTV systems are not already installed in school/ETB grounds and an actual need for CCTV monitoring has been identified, the CCTV system should only be introduced following consultation by the board of management/ETB with staff, students and parents, and following a privacy impact assessment being carried out.

4. How long should a school retain personal data of students/school personnel?

Rule 7 of the Data Protection Acts requires that personal data is retained for no longer than is necessary for the purpose or purposes for which it is obtained. See Rule 7: Retain it for no longer than is necessary for the purpose.

This requirement places a responsibility on schools/ETBs as data controllers to be clear about the length of time for which data will be kept and the reason why the information is being retained. It is a key requirement of data protection legislation that personal data collected for one purpose cannot be retained once that initial purpose has ceased. See Rule 2: Keep it only for one or more specified, explicit and lawful purposes. Equally, as long as personal data is retained, the full obligations of the Acts attach to it.

To comply with these rules, schools/ETBs should have:

  • A defined policy on retention periods for all items of personal data kept.
  • Management, clerical and computer procedures in place to implement such a policy.
  • Specific responsibility assigned to someone for ensuring that files are regularly purged safely and securely and that personal information is not retained any longer than necessary. This can include appropriate anonymisation of personal data after a defined period if there is a need to retain non-personal data. Anonymisation must be irrevocable, and the removing of names/addresses may not necessarily be sufficient.
  • Importantly, certain legislation prescribes a statutory minimum retention period. It is important that schools/ETBs are mindful of these as minimum requirements.