1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.
  2. Hi Guest, welcome to the TES Community!

    Connect with like-minded education professionals and have your say on the issues that matter to you.

    Don't forget to look at the how to guide.

    Dismiss Notice

Data Protection Question : ICO Registration & Transfer Overseas

Discussion in 'Governors' started by geekydad0, Feb 2, 2016.

  1. geekydad0

    geekydad0 New commenter

    I have recently been looking into how schools manage data, and specifically how pupil data is shared outside the school.

    My first question relates to the wording schools use to register with the ICO, which they are obliged to do.

    It seems that schools are using a standard registration with the ICO that allows personal information to be transferred overseas.

    The Eton College entry at https://ico.org.uk/ESDWebPages/DoSearch?reg=150337 is typical.

    It contains the following:

    "It may sometimes be necessary to transfer personal information overseas. When this is needed information may be transferred to countries or territories around the world."

    Can anyone shed light on why this might be required?
  2. Rott Weiler

    Rott Weiler Star commenter Forum guide

    You've answered your own question really ...
    No idea why it's in the standard template. As there is a standard template that DfE, LAs and ICO all recommend schools use I doubt many governors have even seen their school's entry in the Register of Data Controllers, let alone read it.

    Why? It's an unusual topic for anyone to get interested in. Is it connected to some specific concern or dispute you have with a school?
  3. Skeoch

    Skeoch Star commenter

    Schools like Eton have an international reach. Many of the pupils will be overseas, either as expat British or as foreign nationals. Of course it's necessary to transmit data overseas - reports to parents, exam results at the very least; there's likely also to be transmission of some data to overseas university application systems, to employers of pupils' parents where the employer is paying fees, to the IBO....how's that for a few ideas?
  4. Rott Weiler

    Rott Weiler Star commenter Forum guide

    I take your point about schools like Eton @Skeoch , but when I searched on the Register of Data Controllers for LA schools where I'm a governor or that I know they all use the identical template registration form. Even the Infant school in the small Norfolk village where a friend of mine teaches. None of them have any possible overseas connections I can think of but all of them contain the standard form of words that OP mentions:


    It may sometimes be necessary to transfer personal information overseas. When this is needed information may be transferred to countries or territories around the world. Any transfers made will be in full compliance with all aspects of the data protection act.

  5. Skeoch

    Skeoch Star commenter

    Fair comment too.
    But if Little Puddlington Primary happens to have a family who move to Spain having won the lottery, some information may need to be sent there. Worse, if Mr Parent abducts his child from his estranged ex, information will need to be sent to the authorities in Whereverland. Now if the DP policy doesn't have a get-out clause.....
    The other thought is that cloud storage of data - not necessarily deeply personal stuff, but Office 365 stuff, or Google Docs, or whatever, is not always in the UK; indeed the design of these systems is to have several data centres in different places round the world. There are complications on the law in the EU and beyond - the details of which I can't remember.
  6. geekydad0

    geekydad0 New commenter

    Hi all, thanks for the responses.

    #2 - as suspected, the right to transfer personal information overseas seems to be in the standard ICO registration template, and schools probably don't review it before they blindly use the same wording whether or not it is fit for purpose.

    My investigations were mainly triggered by my son's homework assignment and the fact that I know a lot about data protection through my day job.

    #3 - the point about some schools having an international reach is a fair one, but it won't apply in almost all cases. Pick any school you like - they all seem to use the same ICO registration template.

    For schools that do have valid reasons to send data abroad there is a requirement to adhere to principle 8 of the Data Protection Act (DPA) which covers sending data outside the EEA:


    "Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data."

    It would be quite a challenge for a school to ensure this principle is not violated.

    #4 - which supports the point that few schools know what wording their own ICO registration contains.

    #5 - I plan to post about issues covering cloud storage etc in a separate thread. Data protection in schools is a *big* can of worms. ICO registration wording is only the first point I plan to cover.

Share This Page