GDPR in schools: a checklist for admissions teams - iSAMS
7:57

The new General Data Protection Regulation (GDPR) was released on 25th May 2018, introducing new rules which directly impact how your school manages the data of each European Union (EU) citizen. Namely, that you must now have consent to store and process all personal data to comply with GDPR in schools.

Despite being released in May 2018, the Data Protection Authorities gave us all some time to adjust to the new legislation. However, an interview with European Data Protection Supervisor Giovanni Buttarelli revealed that this acclimatisation period has concluded. This means that if you don’t comply with GDPR requirements, fines of up to €20,000,000 will be enforced.

School admissions teams collect vast amounts of sensitive data on a regular basis and storing this online, or even in a paper-based system, presents many issues when it comes to data security and compliance.

So, we have put together a 5-point checklist for your admissions team to follow to ensure they are complying with the GDPR law of seeking consent.

  1. Handling Admissions Enquiries
  2. Using Photos of Students
  3. Consent to Communicate with Parents
  4. Consent to Communicate with Students
  5. Recording Personal Data

Handling admissions enquiries

Right from the start of the admissions process, it is imperative that schools capture consent at the time of enquiry for applicants and associated contacts. This applies to both online and paper-based applications. This has the added benefit of reducing the administrative tasks involved when parents and their children then join the school.

iSAMS’ Admissions Portal is an online alternative to managing the Admissions process from start to finish. A simple enquiry form collects the contact details of all applicants and parents, with a consent capturing feature that retrieves the necessary permissions from prospective parents at the time of enquiry.

Beyond offering a simpler way to comply with GDPR regulations, a further advantage of a paperless approach such as this is that, with all data securely stored in one place, data retrieval also becomes a simpler task when required.

Back to top


Using photos of students

If you would like to use a student’s photo within your school magazine or online, you now have a legal obligation to get permission from the child’s guardian and/or parent prior to printing and distributing. This includes sharing images of students online on your school website, social media channels, and/or other digital platforms.

Using our Data Protection module, you can create multiple consent registers and add these to the Admissions Portal to display in an online admissions form. You can obtain consent from the parent, guardian or caregiver at the beginning of the admissions process, and this will then be registered alongside the student’s record.

Back to top


Consent to communicate with parents

The new GDPR regulations require schools to collect consent from parents prior to any email, newsletter or direct mail being sent.

Using our Admissions Manager you can adapt enquiry forms to include consent for each application; the record for each applicant will then log this amongst all their other key information. There is also a document repository where you can upload and tag documents and files, in addition to logging all communication with that applicant, whether it’s by letter, email, text or phone.

There are also options for you to create groups, manage events, export data, and create badges, labels, marketing tools for campaigns and admissions literature.

Consent collected during the admissions process can also be accessed by parents via the online Parent Portal, which updates parents and guardians with important information. There is also a consent feature here, so parents can manage their own permission settings and opt-in or opt-out of receiving communication from you.

You also have the option to configure the iSAMS Parent Portal by adding different types of consent a parent can register for, such as: consent to use a student photo, consent for a student to attend a field trip, or consent to receive marketing emails.

When asking for consent for marketing purposes, you need to ensure the following:

  • The content is freely given, specific, informed and unambiguous. You cannot offer something as ‘free’ if consent must be given to obtain it.
  • Options must be clearly distinguished, in an intelligible and accessible format, using clear and plain language.
  • Boxes should not be pre-ticked, the individual must do this themselves, and all wording must be clear with no double negatives.
  • Consent must be gathered discreetly for each ‘channel’ of communication. For example, consent is needed for contact by email, phone or fax – each are different ‘channels’.
  • Consent must be just as easy to withdraw as it is to give.

However, it’s important to note that when a parent has purchased a service, you do not need consent to provide updates or further communicate with them providing it is in direct relation to their purchase or if you are responding to a request from them.

Back to top


Consent to communicate with students

Because children merit specific protection, any communication where processing consent is addressed to the student should be in a clear and plain language that is easily understood.

It is also important to note that if the student is under 16 years of age, you must get consent from the child’s parent or legal guardian to collect and process their data.

By obtaining consent from the parent or guardian via the Admissions Portal, all data is seamlessly pulled into the iSAMS system. This means every applicant’s records are always up-to-date and you are guaranteed complete visibility of your school’s applications.

To further support this the Student Portal, which helps schools to communicate easily with students, includes a consent management feature. This allows each student to log-in and manage their individual permissions settings.

Back to top


Recording personal data

Whenever you ask for consent, regardless of in what format, it is important that it’s explicit and that you record it, so that you can prove you obtained it. You also have an obligation to check that consent is still valid after a period that doesn’t exceed 2 years from when you originally obtained it.

Under GDPR regulations an individual is entitled to a copy of all the personal data you hold on them. This is called Data Subject Access Request (DSAR). All DSARs that your school receives must be reported.

The iSAMS Admissions Manager offers simple enquiry forms for all applicants and contains details of enquiries, registrations, offers, withdrawals and refusals. It includes weekly and monthly breakdowns, as well as key admissions filters, so you have total control over the information.

Additionally, the iSAMS Data Protection module supports the right for individuals to see their educational records. There is an area to record all the details of each DSAR request made by an applicant, including its status, the date, and other key information needed to action a DSAR.

This information, and much more, is also accessible via a suite of dedicated reports available within iSAMS. These detail significant student, contact and staff information, in an easily obtainable format whenever it’s needed.

Back to top


In summary,

There is a lot to remember when it comes to the new data protection legislation, but we want to make it as hassle-free as possible. This is why we’ve developed the iSAMS Admissions systems (Admissions Manager and Admissions Portal) to comply with these GDPR requirements for all school admission criteria, with easy-to-implement features that help reduce the administrative tasks involved following the admissions process.