Music teachers - whether peripatetic, studio-based, or working within a music school - handle a surprising volume of personal data. From pupil contact sheets and parental consent forms to DBS certificate records and ABRSM exam registrations, the data you collect is subject to GDPR. This guide covers the key compliance obligations for independent music teachers, peripatetic teachers, and music schools operating in the UK and EU.
Collecting Pupil Personal Data
Every time you take on a new pupil, you collect personal data. At a minimum, this typically includes the pupil's full name, age or date of birth, contact details for the pupil or their parents, the instrument being taught, and current grade level. For child pupils, you will also collect parental or guardian names and contact details.
This data is processed under a contract lawful basis - you need it to deliver the lessons the pupil or their parent has engaged you for. Your registration form and privacy notice must make clear what data you collect, why you collect it, who you share it with, how long you retain it, and how data subjects can exercise their rights.
For child pupils under 13 (under 16 in some EU member states), parental consent is required for any data processing that goes beyond what is strictly necessary to deliver the lessons. Keep a record of who provided consent and when.
Parental Data and Consent Obligations
When teaching children, you are processing data about two categories of data subjects: the child pupil and the parent or guardian. Under PECR (the Privacy and Electronic Communications Regulations), sending unsolicited marketing emails to parents requires their prior consent. Obtain marketing consent at registration and keep records of it.
DBS Checks: What You Can and Cannot Store
The ICO is clear: you cannot retain a copy of a DBS certificate. What you can record is the date the check was obtained, the level of check, the unique reference number, and whether the disclosure was satisfactory. You must not photocopy or scan the certificate.
Lesson Recording for Practice Purposes
Recording lessons for the pupil's own practice purposes requires explicit written consent from the pupil (if aged 16 or over) or from the parent before any recording is made. Make clear how the recording will be used, who can access it, and how long it will be retained.
ABRSM and Trinity Exam Registration Data
Registering pupils for ABRSM, Trinity, or other graded examinations involves sharing pupil personal data with the examination board. The exam board becomes a separate data controller. Your privacy notice should inform pupils and parents that their data will be shared with examination boards for exam registration purposes.
Referring Pupil Data to Music Schools or Ensembles
Passing on a pupil's contact details to a third party - even with good intentions - constitutes a data transfer and requires a lawful basis. Always obtain the pupil's or parent's consent before making any referral.
Music School Management Software as Data Processors
When you store pupil personal data in management platforms like MyMusicStaff or TutorBird, the software provider acts as a data processor and you remain the data controller. Ensure a Data Processing Agreement (DPA) is in place.
Marketing to Parents Under PECR
PECR applies to all electronic marketing. For current pupils' parents, you can use the soft opt-in basis. However, once a pupil leaves, the soft opt-in basis lapses and you need explicit consent to continue marketing.
Data Retention After a Pupil Leaves
- Financial records: 6-7 years (HMRC requirements)
- Lesson notes: 1-3 years after the pupil leaves
- Consent forms: Duration of teaching relationship plus a reasonable evidencing period
- DBS check records: Record only that a check was conducted - not the certificate
Peripatetic Teachers Working Across Multiple Schools
Each school is a separate data controller. Do not retain pupil data from one school in a format accessible by another school, and do not use pupil data provided by one school for any other purpose.
Social Media Posts Featuring Pupils Performing
Sharing photos or videos of pupils on social media constitutes publication of personal data. For child pupils, clear written parental consent is required - specify exactly what may be shared and on which platforms.
Data Breach When Pupil Records Are Compromised
If pupil records are compromised, you must report to the ICO within 72 hours if the breach is likely to result in risk to the affected individuals, and notify affected pupils and parents if the risk is high.
Ready to check your music teaching website for compliance issues? Run a free scan at Custodia - no signup required, results in 60 seconds.
Originally published at app.custodia-privacy.com
Top comments (0)