Visitor Management: A Guide for Schools
Navigating the entry requirements for educational settings can sometimes be confusing for both the school and the visitor. To ensure a smooth, secure, and legally compliant process, it is essential to balance safeguarding requirements with data protection principles and DfE guidance.
When performing our 'Making the Rounds' visits, we see visitor books and entry systems used in different ways. This guide provides regulatory clarification and practical ideas to help you balance safeguarding, DfE requirements with data protection principles.
The Visitor as a Data Subject
A visitor is a data subject. Collecting their information is essential for safeguarding and fire safety, but it must be done without compromising their privacy. The core GDPR principles apply:
-
Lawfulness, fairness, and transparency
-
Data minimisation (Only ask for what is strictly necessary)
-
Accuracy and Storage limitation
-
Integrity, confidentiality, and accountability
Data Minimisation and Visitor Records
Schools must keep a record of visitors for safeguarding and security purposes. When information is gathered, the minimisation principle is best used, for example, the key details typically recorded might include:
- Full Name
- Organisation (if applicable)
- Date and time of arrival and departure
- Photo taken (electronic system)
- Purpose of the visit
- Who they are visiting
- Photo ID check (if required)
- DBS status (if applicable)
- Visitor badge (issued and returned)
- Vehicle registration (if required when parked onsite)
Digital Visitor Systems Systems
Temporary Physical Badges: Should be deleted/destroyed immediately as soon as the visitor leaves.
Digital Records: is part of the visitor record and should match the retention period of 6 years for visitors. The retention schedule of the organisation should specify the retention period, and ensure it aligns with data protection guidelines. Customers can review our Records Management Best Practice Area and our Retention Schedule for further guidance.
System Settings: Organisations are encourage to check their system's default settings to ensure they align with the retention policy. The configuration settings should also ensure that visitors cannot see other visitors when signing out. Records should be kept up to date if they are configured so a visitor can select the member of staff they are visiting. Ensure that pupil names are not visible to visitors.
Backup/Encryption: Verify that the data is securely stored, backup up and encrypted. DPE Customers should contact us for further due diligence support and advice.
Note: you may need to change the default configuration of your visitor system to apply this retention period - we advise checking with your provider.
Paper-Based Visitor Books
Confidentiality: Ensure the book does not allow visitors to see the details of those who signed before them. Keeping the desk behind the reception window/desk also keeps it safe.
Separation: Keep visitor books separate from staff and student sign-in logs.
Security: Consider where the book is stored overnight.
Retention: Keep visitor books inline with your retention schedule which is normally 6 years from the last data of entry in the book.
The Single Central Record
Keeping Children Safe in Education guidance states that all schools must produce and maintain a Single Central Record of recruitment and vetting checks; it is a statutory requirement.
Keeping Children Safe in Education states:
For visitors who are there in a professional capacity schools and colleges should check ID and be assured that the visitor has had the appropriate DBS check (or the visitor’s employers have confirmed that their staff have appropriate checks. Schools and colleges should not ask to see the certificate in these circumstances)
Not all visitors need to be recorded on the SCR. The SCR is a safeguarding document that records key details about staff, regular volunteers and contractors who have unsupervised access to children.
Using External Expertise to Enhance Online Safety Education
This document is referred to in the Keeping Children Safe in Education guidance in reference to visitors. It specifies that consideration should be given to:
- Ensuring legal compliance when requesting data from an external visitor.
- The policy on collection and retention of a visitor's data and how this procedure is communicated to a visitor.
- Which background checks are appropriate.
- Briefing the visitor prior to the visitor on any requirements to show recognised proof of of identity on the day of the visitor.
Document Checks
While schools must verify who is entering the building, there are strict limits on what should be recorded.
Sighting vs Storing: Staff may check photo ID to verify identity, but there is no legal requirement to photocopy these documents or record sensitive certificate numbers for standard visitors.
Recording Verification: It is sufficient to record that the ID and DBS status were verified, by whom and on what date.
Exceptions: Photocopies of ID or DBS certificates should generally only be retained for directly employment purposes or governor appointments.
Best Practices for External Guests
When inviting external expertise into your organisation, consider the following:
Communication: Brief the visitor in advance regarding which ID they need to bring.
Transparency: Clearly communicate how their data will be collected, used and stored. If you have an electronic visitor system you may wish to add this or information about your privacy notice.
Confidential Waste: Any temporary records or accidental copies containing personal data must be disposed of via secure confidential waste protocols. We would ask you to review our guidance about Managing Confidential Waste alongside this guidance when destroying copies of ID and other documents containing personal data.
CCTV: If you are recording your visitors make sure they are aware with appropriate signage and information in your privacy notice.