Advice on the General Data Protection Regulation and primary school health data collections
This letter provides advice on the lawful basis under the General Data Protection Regulation (GDPR) for children’s personal information to be used for height and weight measurements, dental surveys and vaccinations in primary schools.
The key message is that no change is needed to the current ways in which children’s personal information is used and shared for these school health data collections to be lawful under the GDPR.
GDPR and the lawful basis for the school health data collections
The GDPR became UK law on 25 May 2018. It updates and strengthens the ways in which personal data is protected. The GDPR is an evolution in data protection legislation rather than a revolution.
All processing of personal data – meaning all aspects of the collection, use and sharing of personal data about identifiable individuals – must have a lawful basis under the GDPR.
Article 6 of the GDPR sets out the range of purposes for which personal data can be lawfully processed. Article 9 sets out the associated conditions for the lawful processing of ‘special categories’ of personal data, including data about health.
Consent is one of the lawful bases for processing personal data under the GDPR but is not the lawful basis for the school health data collections. Instead, this is provided by varying combinations of the GDPR Articles that cover:
- compliance with a legal obligation
- the exercise of official authority
- medical diagnosis or the provision of health care or treatment
- public interest in the area of public health
Further information on the GDPR can be found on the Information Commissioner’s Office website: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr
GDPR and vaccinations
The Secretary of State for Health & Social Care is required to take steps to protect the public from disease, such as by providing vaccination services. This specific responsibility is fulfilled by NHS England, which works with Local Authorities to vaccinate children in schools.
The official authority for the vaccination of school children is provided by the Health & Social Care Act 2012. This official authority means that the lawful basis for processing children’s personal data for this purpose is considered to be provided by:
- GDPR Article 6(1)(e) - processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority
- GDPR Article 9(2)(h) - processing is necessary for medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems
- GDPR Article 9(2)(i) - processing is necessary for reasons of public interest in the area of public health
Guidance on the administration of vaccinations is published by Public Health England.
This guidance states that the agreement of parents or persons with parental responsibility must be obtained before a vaccine is administered to children in primary schools.
No change is required to the way in which this agreement is obtained. Schools should continue to work with the healthcare teams providing vaccinations in schools, and use the template information letter and parental agreement form provided by Public Health England.
No change is needed to the current ways in which children’s personal information is used and shared for the school health data collections to be lawful under the GDPR.
The lawful basis under the GDPR for the vaccination of children in schools is not provided by consent – it is provided by varying combinations of ‘compliance with a legal obligation’, ‘exercise of official authority’, ‘medical diagnosis or the provision of health care or treatment’, and ‘public interest in the area of public health’.