This article from the DfE explains the steps education providers must take to remain compliant with data protection laws when the UK leaves the EU.
Read this guidance if you:
are an education provider who is a data controller or data processor
transfer personal data between the UK and the EEA
transfer personal data within the EEA
This guidance is:
not designed to cover every instance where you process personal data
not designed to replace your own risk review
not a substitute for legal advice
Steps you must take
These steps will help you plan how you can continue to share and receive personal data lawfully.
continue to carry out your own risk review
get legal advice if you are not sure
Sharing data with the EEA
Contact anyone you share personal data with within the EEA.
You should explain that you can still share personal data lawfully with them once the UK leaves the EU.
Receiving data from the EEA
Identify where you receive data from the EEA and determine:
who the data controllers and processors are
where the data is stored
Example: data controllers based in the EEA
If you’re running a school exchange with a data controller based in the EEA, you may want to consider whether standard contractual clauses (SCC) are suitable.
Use the Information Commissioner’s (ICO) free interactive tool to help you decide whether this is the case.
Example: when standard contractual clauses (SCC) are not appropriate
If standard contractual clauses (SCC) are not appropriate, the General Data Protection Regulation (GDPR) contains other articles that provide additional safeguards.
You can find these in Article 46 and Article 49 of GDPR. More information can be found on the ICO website.
General Data Protection Regulation (GDPR)
GDPR will be incorporated into UK law if there’s a no-deal Brexit.
This and the Data Protection Act 2018 will continue to apply to data transferred within or from the UK.
Contracts: new and existing
Ensure that contracts that include the processing of personal data in the EU provide the additional safeguards required.
This applies to:
new contracts you put in place after Brexit
Data Protection Impact Assessments (DPIA) and privacy notices
Review and update your:
Data Protection Impact Assessments (DPIA)
Make sure they:
reflect any changes you are making to your ways of working
Stay up to date
The UK will leave the EU on 31 October. This page tells you how to prepare for Brexit. It will be updated if anything changes, including if a deal is agreed.
Sign up for email alerts to get the latest information about Brexit.
Read the guidance on the Information Commissioner’s Office website for further information on data protection.
Personal data includes, but is not limited to:
contact information about pupils, students, learners, staff and carers
details about recipients of pupil premium
safeguarding information about an individual
passport information, if planning trips to the EU
exam pupil references and results
Data controller means a person, company or other body that determines the purpose and means by which personal data is processed.
Educational establishments, such as schools, colleges and universities, are often data controllers in their own right.
Data processor means anyone who handles personal data on the instructions of a controller, for example, storing, collecting or analysing data as part of a service provided to the controller.