HomeData Protection GuidelinesData Protection and SchoolsWho is the data controller in schools/ETBs?

Who is the Data Controller in Schools/ETBs?

For primary, voluntary secondary or community and comprehensive (C&C) schools, the board of management will normally be the data controller for the purposes of the Acts. 

For schools established and maintained by an Education and Training Board (ETB), the ETB is the data controller for the purposes of the Acts.

Operationally, where data protection issues arise with the Office of the Data Protection Commissioner

  • In the case of a primary school, it is the chairperson of the board who acts as correspondent for the board
  • In the case of voluntary secondary schools, the principal acts as correspondent for the board
  • In the case of C&C schools, the school principal or chairperson of the board of management acts as correspondent
  • In the case of ETB schools, the Chief Executive Officer of the ETB acts as correspondent for matters concerned to the Office of the Data Protection Commissioner. [Note: For operational matters concerning ETB schools, where files are retained in schools (rather than in ETB head offices), the school Principal will be the correspondent].

Responsibilities on Schools/ETBs as Data Controllers

In addition to legal responsibilities under the broad remit of education legislation, equality legislation, employment laws etc., schools/ETBs have a legal responsibility to comply with the Data Protection Acts 1988 and 2003.  Schools/ETBs should ensure:

  • That by way of a starting point, a data protection audit is conducted using the compliance checklist provided. Click here to download the Compliance Checklist.
  • That an internal data protection policy is developed, relevant to the personal data held by the school/ETB. This should be regularly reviewed, and updated as appropriate.  This policy should reflect the eight data protection rules and demonstrate how the school/ETB collects, retains, updates, stores, facilitates access to and reviews the manner in which personal data is retained.
  • That the school/ETB data protection policy is supported by robust procedures/protocols.
  • That careful attention is paid to the manner in which sensitive personal data is sought, processed, disclosed, retained etc Sensitive Personal Data
  • That the policy and supporting protocols/procedures are widely publicised and easily accessible (e.g. staff handbooks, induction packs, school/ETB websites etc.).
  • That staff, board of management &/or ETB committee members etc. are made aware of their responsibilities (both generally and particular to their role/s) through appropriate induction training, with refresher training as necessary
  • That the school/ETB seeks to maintain standards set through supervision and regular review, so as to ensure compliance with their requirements as data controllers under the Data Protection Acts.
  • That only those who need to know the information have access to the personal data