Summary
The policies and processes schools and multi-academy trusts need to protect personal data and respond effectively to a personal data breach.
This toolkit will help school staff, governors and trustees:
- understand how to comply with data protection law
- develop their data policies and processes
- know what staff and pupil data to keep
- follow good practices for preventing personal data breaches
This advice is intended for maintained schools and academies. Independent schools are welcome to use it where appropriate.
Contents
-
Data protection legislation, and who and what it’s intended to protect.
-
Changes to the bill and support available from the Department for Education (DfE).
-
The lawful grounds for accessing, collecting, storing and using personal, special category and criminal offence data.
-
Who is responsible for making sure data is processed securely in a school.
-
How data protection officers can help make sure schools are compliant with data protection laws.
-
How to comply and document compliance with UK GDPR and the Data Protection Act 2018.
-
Who you can share personal data with and what consent you need to get – for example, when publishing exam results and taking photos in school.
-
A subject access request (SAR) is a type of information rights request. A SAR lets people access a copy of the personal data a school holds about them or someone they have parental responsibility for.
-
How to manage other information rights requests, including changing, deleting or restricting the processing of personal information.
-
ExplainsHowhow -
Good practice for preventing personal data breaches in your school. It explains how to recognise and respond effectively to a personal data breach.
-
TheHowbenefitstoandaddress potential data protection risks of using generative AI ineducationalschools. -
Download resources to help with data protection in schools, including posters, templates, and learning materials.
Update history
2025-06-25 12:54
The Data Use and Access Act 2025 – Updated with information about the Data Use and Access Act 2025.
2025-03-20 14:50
Record keeping and management – Guidance has been added to help create a data retention schedule.
2024-12-18 16:21
Sharing personal data – Information has been added on sharing data with school immunisation programmes.
2024-12-10 12:00
Resources to support data protection in schools – New section added.
2024-08-28 12:08
Data protection policies and procedures – Guidance has been updated on privacy notices.
2024-04-03 14:18
Handling other information rights requests – Section updated. Information on subject access requests (SARs) has been expanded and included in a new section of this guidance.