Summary
Guidance for schools, academies and trusts on data protection, protecting personal data, complying with data protection law, and responding to data breaches and other data protection issues.
This guidance is for everyone who works in a maintained school or academy, including school leaders, governors, trustees, data protection officers (DPOs), and all staff who handle personal data. Independent schools may also find it useful.
It explains how maintained schools, academies and trusts should protect personal data, comply with data protection law and respond to data protection issues.
All staff have a responsibility to protect personal data. They should:
- understand the basics of data protection
- handle personal information appropriately
- know what to do if something goes wrong
DPOs and data protection leads have additional responsibility for overseeing compliance and supporting good practice across the school or trust.
Where staff are unsure, they should follow their school’s policies and procedures or seek advice from their line manager or DPO.
Have your say
If you’d like to be involved in user research to help the Department for Education improve our data protection guidance for schools, register your interest.
Contents
-
Data protection legislation, and who and what it’s intended to protect.
-
Changes to the bill and support available from the Department for Education (DfE).
-
The lawful grounds for accessing, collecting, storing and using personal, special category and criminal offence data.
-
Who is responsible for making sure data is processed securely in a school.
-
How data protection officers can help make sure schools are compliant with data protection laws.
-
How to comply and document compliance with UK GDPR and the Data Protection Act 2018.
-
Who you can share personal data with and what consent you need to get – for example, when publishing exam results or for immunisation programmes.
-
Data protection considerations when taking and using photos and videos, or when using CCTV.
-
A subject access request (SAR) is a type of information rights request. A SAR lets people access a copy of the personal data a school holds about them or someone they have parental responsibility for.
-
How to manage other information rights requests, including changing, deleting or restricting the processing of personal information.
-
How to carry out an audit to check what personal data your school holds. You can use a data retention schedule to document how long you'll keep different types of data for.
-
Good practice for preventing personal data breaches in your school. It explains how to recognise and respond effectively to a personal data breach.
-
How to address the potential data protection risks of using generative AI in schools.
-
Download resources to help with data protection in schools, including posters, templates, and learning materials.