Processing Personal Data During “Pre-Enrolment” - What Schools Need to Know

When it comes to personal data, children merit extra protection under the General Data Protection Regulation (GDPR). Schools, as data controllers, must comply with their obligations under the GDPR around how they collect and use personal data.

In some cases, schools may process what is known as special category data - for example information about a child’s health, religious beliefs, or ethnic background. This type of information is particularly sensitive and should only be collected in very limited circumstances.

Through its engagement with the education sector, the DPC has found that some schools request too much personal data at the pre-enrolment stage-that is, before a place in the school has been offered to or accepted by the parent/legal guardian. This raises concerns under the GDPR, especially in relation to data minimisation (only collecting the minimum amount of information that is necessary) and purpose limitation (only collecting the information for a clearly defined and specific reason).

If a school has a pre-enrolment process, it should only collect the minimum amount of personal data needed to determine its specific purpose at that stage. The school must also be clear and transparent with parents or legal guardians about why the information is being requested and how it will be used.

In this blog post, we aim to clarify what information is appropriate for schools to request during the pre-enrolment stage, and to support schools in taking a proportionate and compliant approach to personal data processing from the outset.

What is school pre-enrolment?

Pre-enrolment is the initial stage of the schools’ admissions process where parents or legal guardians express interest in enrolling their child in a school, usually by completing an application form. At this point, no place has been offered to or accepted by the parent/legal guardian. Therefore, the amount and type of personal data requested at this initial stage should be limited to what is necessary to achieve the intended purpose at this stage.

What is the intended purpose of pre-enrolment?

It is important for schools to consider and determine its intended purpose of this pre-enrolment stage. Why is it required? How does this assist the school? What is the objective? Once a school is clear on its intended purpose, it can then determine what personal data it needs to collect and process to meet those objectives at the pre-enrolment stage. This is a matter for each school to determine.

GDPR principles relevant to pre-enrolment

While the GDPR contains several principles, this blog focuses on the most relevant to processing personal data during pre-enrolment.

Data Minimisation

Data minimisation is one of the key data protection principles for schools to consider at the pre-enrolment stage. Schools should only process personal data that is adequate, relevant, and limited to what is necessary for the purposes of meeting their objective at this pre-enrolment stage.  It should never collect personal data which is not required for the purposes of that objective.

So, at the pre-enrolment stage, it would be expected that the information requested by a school from a parent/legal guardian would be quite limited. Once a place in the school has been formally offered to a parent/legal guardian for their child, it is expected that more information would be required.

For example, at pre-enrolment, it would be expected that schools would request basic information like a child’s name and date of birth, the parent or legal guardian’s contact details, their address, and whether the child has any siblings already attending the school. However, asking for more sensitive details, such as health information, special educational needs, religious beliefs, ethnic background  or religious beliefs (subject to compliance with the Equal Status Act 2000 as amended by the Education (Admission to Schools) Act 2018) is generally considered excessive at this stage and should not be requested unless there is a lawful basis for doing so. This information should generally only be requested after a place in the school has been offered to or confirmed by the parent/legal guardian, and even then, only if it is necessary.

Purpose Limitation

Schools must also comply with the principle of purpose limitation, which requires that personal data is only processed for the specific, explicit and legitimate purpose for which it is obtained. This means that it should be clear to the parent/guardian why their child’s personal data is being requested and it should only be used for that purpose. Personal data should not be collected or stored by schools on a ‘just in case’ basis or for some undefined or undeclared future purpose.

Lawfulness, Fairness and Transparency

When requesting personal data during the pre-enrolment stage, schools must ensure the processing is lawful, fair and transparent. This means having a lawful basis for collecting the data and explaining to parents/legal guardians in plain, accessible language what data is being collected, why it is being collected and how it will be used.

What schools should do

Before collecting personal data at the pre-enrolment stage, schools should assess whether the information being requested is necessary and appropriate. Asking the following questions can help ensure compliance with data protection requirements:

• Why does the school have a pre-enrolment stage?
• What is the school’s intended purpose and what are we seeking to achieve?
• What is the least amount of information the school requires to achieve that purpose?
• Is there a lawful basis for the collection of every item of personal data which is being requested at this point in the process?
• Is it reasonable and fair to collect this personal data now and is it clear to parents/legal guardians why we are collecting this information.
• Is the school only asking for the minimum amount of information needed at this stage?
• How long will the personal data be kept for and why?
• How will the personal data be stored securely and handled confidentially?

Schools wishing to understand more about their data protection obligations when processing the personal data of children can consult our detailed guidance document ‘Data Protection Toolkit for Schools