1. What content should be included in a school’s website privacy statement?

Where a school/ETB has a website which collects data, the school/ETB is legally obliged to have a Website Privacy Statement in place. For example, where the website:

• Collects personal data from its visitors (such as via a “Contact Us” web form/feedback form etc.).
• Uses cookies
• Uses web-beacons
• Covertly collects personal data such as email addresses or IP addresses of visitors to the site

There is a legal requirement that the school/ETB website display a Website Privacy Statement (see S.I. 336/2011 European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011. If the website doesn’t have a Website Privacy Statement, this is a breach of the law and can result in investigation and enforcement action being taken by the Data Protection Commissioner (and failure to comply could result in prosecution with a penalty of up to €100,000).

Click here for more information on Website Privacy Statements

2. Must a school authority obtain direct marketing consent from parents/guardians?

The basic rule that applies to direct marketing is that you need the consent of the individual to use their personal data for direct marketing purposes. At a minimum, an individual must be given a right to refuse such use of their personal data both at the time the data is collected (an “opt-out”) and, in the case of direct marketing by electronic means, on every subsequent marketing message. The “opt-out” right must be free of charge.

A school/ETB must obtain prior written consent to direct marketing if it wishes to issue direct marketing (whether by post, email or sms text messaging).

Click here for more information on Schools & Direct Marketing

3. For what purpose can a school use CCTV?

The use of CCTV systems involves the processing of personal data and so any system must operate in compliance with the Data Protection Acts.

In a school context, consideration of the matter involves having regard to the rights of staff and students in relation to the processing of their personal data.

The principle rationale for the installation of such systems can primarily be for security purposes. The Data Protection Commissioner recognises that CCTV recording may be justified for securing the perimeter of school property.  However, he recommends that it may not be justifiable for day-to-day monitoring of staff and students.

It is recommended that where CCTV systems are not already installed in school/ETB grounds and an actual need for CCTV monitoring has been identified,  the CCTV system should only be introduced following consultation by the board of management/ETB with staff, students and parents and following a privacy impact assessment being carried out.

Click here for more information on the use of CCTV

4. How long should a school retain personal data of students/school personnel?

Rule 7 of the Data Protection Acts requires that personal data is retained for no longer than is necessary for the purpose or purposes for which it is obtained. See Rule 7: Retain it for no longer than is necessary for the purpose.

This requirement places a responsibility on schools/ETBs as data controllers to be clear about the length of time for which data will be kept and the reason why the information is being retained. It is a key requirement of data protection legislation that personal data collected for one purpose cannot be retained once that initial purpose has ceased. See Rule 2: Keep it only for one or more specified, explicit and lawful purposes. Equally, as long as personal data is retained, the full obligations of the Acts attach to it.

To comply with these rules, schools/ETBs should have:

  • A defined policy on retention periods for all items of personal data kept 
  • Management, clerical and computer procedures in place to implement such a policy 
  • Schools/ETBs should assign specific responsibility to someone for ensuring that files are regularly purged safely and securely and that personal information is not retained any longer than necessary. This can include appropriate anonymisation of personal data after a defined period if there is a need to retain non-personal data. Anonymisation must be irrevocable and the removing of names/addresses may not necessarily be sufficient
  • Importantly, certain legislation prescribes a statutory minimum retention period. It is important that schools/ETBs are mindful of these as minimum requirements.

Click here for more information on records retention

5. What is the appropriate use of PPS numbers?

There is a strict statutory basis providing for the use of PPS numbers allowing organisations use the PPS numbers in support of a provision of a public service to a customer. The Department of Social Protection manages the issuing and use of PPS numbers.

The PPS number is therefore a confidential and important piece of personal information and all use of it is prescribed principally by the Social Welfare Consolidation Act, 2005 or specific sectoral-focused legislation such as that relating to tax legislation. The Social Welfare Consolidation Acts prescribe that the PPS numbers may only be processed by specified and named public bodies for specified purposes. (The Department of Education and Skills, NCSE, NEWB, Education and Training Boards (ETBs), Institutes of Technology and some universities are listed and are registered with the Department of Social Protection as users of PPS numbers. Click here for further information.

The Department of Social Protection is responsible for the allocation of PPS numbers. A number of ‘Specified Bodies’ are entitled to access and use PPS numbers. These bodies are listed in Schedule 5 of the Social Welfare (Consolidation) Act 2005. A school recognised under the Education Act is recognised as a ‘specified body’ within the meaning of the 2005 Act. However, it should be noted that the Act provides that a PPS number should only be sought where it is relevant and is required. Therefore PPS numbers should only be sought at the same time they are needed and in the case of primary schools not on enrolment. In addition, if another specified body, e.g. NEWB or NCSE requests a school to provide a PPS number, this specified body must require the PPS number for the purpose of transacting its business.  If not, same should not be sought by it.

Click here for more information on the use of PPS numbers