GDPR for Schools: What Data Can We Share and With Whom?
Data sharing questions are among the most common GDPR queries from UK schools. Can we share pupil data with parents? What about with the local authority? Can we share safeguarding information with social services without consent? What data can go to exam boards? When does sharing pupil data with an EdTech vendor require a Data Processing Agreement? This FAQ answers the most common data sharing questions we receive from school staff, DPOs, and governors — using plain language that does not require a legal background to understand.
ICO investigations of UK schools frequently involve unlawful data sharing — sharing pupil data without a legal basis, missing DPAs with vendors, and failure to respond to data subject rights requests.
The Legal Bases for Sharing Pupil Data
Under UK GDPR, any sharing of personal data requires a legal basis. For schools, the most relevant legal bases for data sharing are:

- **Legal obligation**: sharing required by law — census data to the DfE, safeguarding information to social services in a child protection situation
- **Legitimate interests**: sharing where the school has a legitimate purpose that is proportionate and would not unreasonably override individual rights
- **Public task**: sharing in the exercise of official authority or in the public interest
- **Consent**: explicit agreement from the individual (or parent, for young children) — required for sharing that does not fit other bases

For special category data (health, SEN, safeguarding), additional conditions beyond the standard legal bases apply.
What Schools Can Share With Parents
Parents have a legitimate interest in data about their own children — and schools have obligations to share information with parents who have parental responsibility. Schools can generally share:

- Their own child's academic progress, attendance, and behaviour records
- Information about their child's needs and any support being provided
- Safeguarding concerns about their own child (unless disclosure would put the child at risk — e.g. in domestic abuse situations)

Schools should not share: data about other pupils; confidential safeguarding information where the source must be protected; or information in formats that could inadvertently reveal sensitive details about other families.
Sharing With Local Authorities, NHS, and Emergency Services
Sharing personal data with local authorities, NHS, and emergency services is often lawful under legal obligation or vital interests:

- **Local authority safeguarding**: referrals to children's services are legally required in child protection situations. Consent is not needed — and should not be sought if doing so would put a child at risk.
- **NHS health data**: sharing pupil medical information with the school nurse, GP, or hospital where relevant to the pupil's welfare — usually covered by legitimate interests or vital interests
- **Police**: sharing data in response to a lawful police request — schools should ask for the legal basis for any data request and document the response
- **DfE and ESFA**: various statutory returns (census, exclusions, SEN data) are required by legal obligation
Sharing With EdTech Vendors and Third Parties
When a school uses an EdTech vendor that accesses or processes pupil data, this is data sharing that requires:

1. A Data Processing Agreement (DPA) with the vendor before any data is shared
2. A legitimate purpose for the sharing (education, assessment, administration)
3. Minimisation — only share what the vendor actually needs
4. Evidence that the vendor has appropriate security measures

Free tools are not exempt. If a teacher uses a free app that uploads pupil names or photos, UK GDPR applies. The school must have a DPA and verify that the app's data practices are compatible with its obligations.
Frequently Asked Questions
Can we share pupil data without parental consent in a safeguarding situation?
Yes. The legal basis for sharing safeguarding information is not consent — it is legal obligation (for mandatory referrals) or vital interests (where sharing is necessary to protect someone's life). Seeking parental consent before making a safeguarding referral is not required and may be inappropriate where seeking consent would put a child at greater risk. Schools should follow their safeguarding policy and seek advice from their designated safeguarding lead and local authority in any case where the legal basis is unclear.
Do we need consent to share pupil photos with parents?
Not necessarily. Sharing a pupil's photo with their own parents can usually rely on legitimate interests as the legal basis, rather than consent. For sharing pupil images more broadly — on the school website, in newsletters, on social media — the appropriate legal basis depends on the context. Sharing identifiable images of children on public social media accounts typically requires consent. Schools should have a clear photography and image use policy that explains their legal basis for each type of use.
Can we share pupil medical information with supply teachers?
Yes, where this is necessary for the supply teacher to care for the pupil safely. A supply teacher who is managing a class needs to know if a pupil has a life-threatening allergy or requires emergency medication. This sharing is justified by the school's duty of care and vital interests. The sharing should be limited to what the teacher needs to know, and medical information should not be shared in whole pupil files without specific justification.
What happens if we share pupil data unlawfully?
Unlawful data sharing is a potential UK GDPR breach. If the sharing is likely to result in risk to individuals, the school must report it to the ICO within 72 hours. The ICO can investigate and, in serious cases, issue fines or enforcement notices. More commonly, the ICO issues reprimands — formal findings of non-compliance that are published on the ICO website. Schools should ensure all data sharing decisions are documented so that, in any investigation, they can demonstrate a lawful basis was identified before sharing occurred.