GDPR for Schools Acting as Technical Integrators

It is quite understandable that some schools will wish to extend their MIS by extracting some data and using it within a local utility that does something critical to the school's operation.  A simple example of this might be a staff, student and parent badge print utility.

• Mr John Smith
• Parent/Carer for:  Mandy Smith
• Who is in class: 4A (Mrs Jones)

All the MIS data is in the cloud and we need to:

1. Download it
2. Save it as CSV
3. Produce the badges via mail merge

From ESS's perspective, this is school's data being used we assume for a legitimate school purpose and would comply happily with GDPR when used in the school for a parent's evening or school play for example.

The developer might be a member of school staff who would need to:

• Look at the available APIs
• Test calls to the APIs
• Post process the data to create a mail merge file.
• Save the file to disk?
• Create the mail merge template and test it out using the downloaded data.

When you take a step back, there is little or no difference between a commercial developer writing an application and a member of school staff.  You wouldn't (or must not) send your data to a software house to do the work above and hence it can't simply be given to school staff to do the same.  Why not?

• Few consent to their personal data being used for development purposes.
• I am unaware of any school that lists 'Software Development' in their permission requests to data subjects or their parent where appropriate.
• To be useful, the data would need Moreover, it would need 

Under previous data protection laws, school staff would use the school's data for a legitimate processes and the risk would be a fine typically in the order of the cost of the damage caused by the breach and it would have been most unlikely that it would be in the public interest to bring proceedings against a school unless it put