2.1 Summarise the main points of legislation and procedures covering confidentiality, data protection and the disclosure of information

This guide will help you answer 2.1 Summarise the main points of legislation and procedures covering confidentiality, data protection and the disclosure of information.

Working in a school setting means you will often handle personal information about pupils, parents, and colleagues. Laws in the UK set clear rules about how to keep this information safe and who can see it. These laws protect individual privacy and promote trust between families and the school.

The main pieces of legislation are:

  • Data Protection Act 2018 – This is the UK’s main data protection law. It works alongside the UK General Data Protection Regulation (UK GDPR).
  • Human Rights Act 1998 – Article 8 protects the right to respect for private and family life.
  • Children Act 1989 and 2004 – Includes guidance on keeping children safe and protecting their personal information.
  • Freedom of Information Act 2000 – Governs requests for information held by public authorities, including schools.

These laws set the standards for handling personal data and deciding when information can be shared.

Data Protection Act 2018 and UK GDPR

The Data Protection Act 2018 sets out how organisations must collect, store, and use personal data. It applies to all data that can identify an individual. This includes names, addresses, dates of birth, school reports, medical details, and exam results.

Under UK GDPR, there are key principles:

  • Data must be used fairly and lawfully.
  • Data must be collected for clear purposes.
  • Use of data must be limited to those purposes.
  • Data must be accurate and kept up to date.
  • Data must be stored securely.
  • Data must not be kept longer than needed.

In practice, this means you:

  • Do not share personal details without reason.
  • Keep records safe from unauthorised access.
  • Follow your organisation’s policy on storage and disposal.
  • Check accuracy before using or passing on any information.

Breaching data protection law can lead to disciplinary action and fines.

Confidentiality in Schools

Confidentiality means keeping private information secure and only sharing it with those who have a legitimate need to know. In a school, this protects pupils and their families, and it shows respect for their rights.

Confidential information can include:

  • Pupil academic records
  • Health information
  • Family circumstances
  • Contact details

Staff in schools should:

  • Avoid talking about pupils in public areas.
  • Keep paper records in locked cabinets.
  • Protect electronic files with passwords.
  • Share sensitive details only with authorised staff.

Breaking confidentiality can harm relationships and cause distress for pupils and parents. In some cases, it can put children at risk.

Disclosure of Information

Disclosure means giving information to someone else. There are times when disclosure is lawful and necessary. The Children Act and safeguarding guidance make it clear that protecting a child’s welfare comes before keeping information private.

You may need to share information if:

  • There is a safeguarding concern.
  • A pupil is at risk of harm.
  • A pupil has committed or is likely to commit a serious offence.

Disclosure should be:

  • Limited to relevant information only.
  • Made to the correct authority, such as social services or the police.
  • Recorded fully, with details of what was shared and why.

Always follow your school’s safeguarding procedures before disclosing information.

Safeguarding and Information Sharing

Safeguarding law recognises that sometimes you must disclose personal information to protect children. The guidance in Working Together to Safeguard Children explains when and how to do this.

When sharing information for safeguarding:

  • Be clear about the reasons.
  • Share only relevant facts.
  • Record the discussion and decision.
  • Use secure methods to send information.

This may involve speaking to your designated safeguarding lead (DSL) before taking action. Your DSL knows the correct processes for contacting outside agencies.

Freedom of Information Act 2000

The Freedom of Information Act gives the public the right to access certain information held by public bodies, including schools. This is about openness rather than personal privacy.

Requests under this Act must be handled carefully:

  • Personal data about pupils or staff is exempt from release.
  • Only non-personal records can be disclosed under this law.
  • Requests should be sent to the headteacher or a nominated officer.

Your role as a teaching assistant or learning supporter may include helping locate information, but you must never release it without approval.

Organisational Procedures

Every school has policies that explain how to handle personal data and when information can be shared. Knowing these procedures is part of professional practice.

These policies often cover:

  • How to store paper and electronic records
  • Steps for disposing of old files
  • Password protocols
  • Who has authority to access different types of records
  • How to respond to data requests

Regular training updates help staff recognise current requirements. Always follow the written policy rather than relying on informal advice.

Secure Handling of Information

To protect confidentiality and follow data protection rules, secure handling is key.

Secure handling means:

  • Keeping documents in locked cupboards or filing cabinets.
  • Using password-protected devices and systems.
  • Logging out of shared computers.
  • Not leaving papers unattended on desks.
  • Double-checking email addresses before sending sensitive information.

If you are working outside school, such as on home visits, take extra care to keep documents and devices secure.

Situations Where Confidentiality May Be Broken

While confidentiality is a legal and professional expectation, there are times when you must share information without consent. Safeguarding is one example, but there are others.

Reasons for breaking confidentiality can include:

  • Risk of significant harm
  • Prevention of serious crime
  • Court orders requiring evidence

These situations are explained in your safeguarding policy. In all cases, disclosure should be lawful, proportionate, and documented.

Responsibilities of School Staff

All staff have a role in protecting confidentiality and handling data correctly. You are personally responsible for following these rules in your daily work.

Staff responsibilities:

  • Know the school’s confidentiality and data protection policy.
  • Keep passwords safe and secure.
  • Avoid unnecessary use of personal data.
  • Report any data breaches to the appointed officer immediately.
  • Take advice from senior staff if unsure about sharing information.

You must not remove pupil data from the site unless authorised to do so. This includes taking home files or unencrypted devices.

Consent for Sharing Information

Sometimes, sharing information is allowed if you have the person’s consent. In schools, this might be a parent’s consent to pass contact details to a sports club or medical service.

Consent must be:

  • Informed – the person understands what is being shared and why.
  • Freely given – no pressure or coercion.
  • Specific – only the details agreed can be shared.

Written consent is best for keeping records and avoiding misunderstandings.

Handling Sensitive Conversations

You may discuss confidential matters with pupils, parents, or colleagues. In these moments, privacy is important.

Good practice includes:

  • Choosing a quiet, private location.
  • Speaking respectfully and calmly.
  • Not discussing cases where others can overhear.
  • Making notes and storing them securely after the conversation.

These habits protect privacy and show professionalism.

Preventing Unauthorised Access

Preventing unauthorised access is part of data protection and confidentiality. This includes both physical and digital security.

Measures to prevent unauthorised access:

  • Lock classrooms and offices when not in use.
  • Keep laptops and tablets secured.
  • Use strong passwords and do not share them.
  • Avoid using personal devices for school data.
  • Shred confidential waste.

Regular checks and audits can help spot potential risks before they cause problems.

Data Breaches

A data breach is when personal information is lost, stolen, or shared without authorisation. This can happen through carelessness or malicious action.

Examples:

  • Sending a report to the wrong address.
  • Losing a USB drive with pupil data.
  • Talking about a pupil in a public place.

If a breach occurs:

  • Report it immediately to your line manager.
  • Follow the school’s incident procedure.
  • Record what happened and what action was taken.

Serious breaches may have to be reported to the Information Commissioner’s Office (ICO).

Record Keeping and Disposal

Paper and electronic records must be kept only as long as needed. Some information has legal time limits for retention.

Safe disposal methods:

  • Shred paper files containing personal data.
  • Use secure deletion for electronic files.
  • Wipe devices before reissue or disposal.

This prevents forgotten records from leaving the organisation in an unsafe state.

Final Thoughts

Keeping information confidential, handling data properly, and making lawful disclosures are key parts of working in a school. The law is clear about your duty to respect privacy and protect pupils from harm.

Following legal requirements and organisational procedures supports the safety, trust, and rights of those you work with. By being careful every time you access or share information, you help create a secure environment where pupils and families feel respected. Mistakes in this area can lead to serious consequences, so it is always best to work within the clear boundaries set by policy and law.
