Brexit guidance change explorer

Summary

~~The~~Guidance ~~policies~~for ~~and~~schools, ~~processes~~academies ~~schools~~ and ~~multi-academy~~ trusts ~~need~~on todata ~~protect~~protection, protecting personal data, complying with data ~~and~~protection ~~respond~~law, ~~effectively~~and responding to adata ~~personal~~breaches and other data ~~breach.~~protection issues.

This toolkit ~~will~~explains ~~help~~how ~~school~~maintained ~~staff,~~schools, ~~governors~~academies and ~~trustees:~~trusts should:

~~understand~~protect ~~how~~personal to data

comply with data protection law
~~develop~~respond ~~their~~to data ~~policies~~protection ~~and~~ ~~processes~~issues

All staff have a responsibility to protect personal data. They should:

~~know~~understand ~~what~~the ~~staff~~basics ~~and~~of ~~pupil~~ data toprotection

handle ~~keep~~personal information appropriately
~~follow~~know ~~good~~what ~~practices~~to ~~for~~do ~~preventing~~if ~~personal~~something ~~data~~goes ~~breaches~~wrong

~~This~~Data ~~advice~~protection isofficers ~~intended~~(DPOs) and data protection leads have additional responsibility for ~~maintained~~overseeing ~~schools~~compliance and ~~academies.~~supporting ~~Independent~~good ~~schools~~practice across the school or trust.

Where staff are ~~welcome~~unsure, tothey ~~use~~should itfollow ~~where~~their ~~appropriate.~~school’s policies and procedures or seek advice from their line manager or DPO.

Have your say

If you’d like to be involved in user research to help the Department for Education improve our data protection guidance for schools, register your interest.

What data protection means for schools

Data protection legislation, and who and what it’s intended to protect.
The Data Use and Access Act 2025

Changes to the bill and support available from the Department for Education (DfE).
Data processing a school is permitted to do

The lawful grounds for accessing, collecting, storing and using personal, special category and criminal offence data.
Responsibilities

Who is responsible for making sure data is processed securely in a school.
Role of data protection officers

How data protection officers can help make sure schools are compliant with data protection laws.
Data protection policies and procedures

How to comply and document compliance with UK GDPR and the Data Protection Act 2018.
Sharing personal data

Who you can share personal data with and what consent you need to get – for example, when publishing exam results or for immunisation programmes.
Taking and using photos and videos, and using CCTV in schools

Data protection considerations when taking and using photos and videos, or when using CCTV.
Dealing with subject access requests (SARs)

A subject access request (SAR) is a type of information rights request. A SAR lets people access a copy of the personal data a school holds about them or someone they have parental responsibility for.
Handling other information rights requests

How to manage other information rights requests, including changing, deleting or restricting the processing of personal information.
Record keeping and management

How to carry out an audit to check what personal data your school holds. You can use a data retention schedule to document how long you'll keep different types of data for.
Managing breaches of data

Good practice for preventing personal data breaches in your school. It explains how to recognise and respond effectively to a personal data breach.
Generative artificial intelligence (AI) and data protection in schools

How to address the potential data protection risks of using generative AI in schools.
Resources to support data protection in schools

Download resources to help with data protection in schools, including posters, templates, and learning materials.

Summary

Have your say

Contents

Update history