Data Protection in Schools

Posted by: Lauren Hockley | Published: Wed, 15 Aug 2018 | Last Reviewed: Wed, 15 Aug 2018

Schools hold an extensive range of personal data on their students and staff alike, such as medical information, grades, behavioural reports, and images. Schools act as data controllers by determining what this data will be used for and how it will be stored. The abundance of data raises a considerable protection concern and highlights the need for comprehensive data protection training as well as reliable data policies.

Whose Responsibility is Data Protection?

As data controllers, schools are legally obliged to adhere to the data protection requirements stipulated in GDPR. Whilst data protection is the responsibility of all staff members, a specific Data Protection Officer (DPO) must be appointed to develop and maintain data policies. Ultimate responsibility for data protection lies with the school governors and trustees, with whom the DPO will work.

Legal Requirements

Since the Data Protection Act 2018 came into force, schools have been required to actively demonstrate compliance by documenting their personal data processes and conducting data audits. In order to comply with the data protection principles, schools must document an explicit reason for possessing personal data and how long it needs to be retained. Data controllers are also required to communicate and be transparent with data subjects, i.e. those your school holds personal data about (or their guardians). Creating a high-level data map, outlining the collection, storage and transfer of personal data, is necessary. The map should be used to produce a data asset register. These resources can be used to identify data protection risks, which should be addressed accordingly.

Special Category Data Restrictions

Personal data is any data relating to a living identifiable person. Special category data is a subset of personal data that is seen to be more sensitive and is consequently subject to greater restrictions. It includes the following: race, ethnicity, political opinions, religion, trade union membership, health information and sex life. Data relating to criminal offences does not fall into the special data category but is subject to many of the same restrictions.

Contact with Data Processors

As data controllers, schools may have contact with data processors (individuals/companies that process data on behalf of the data controller e.g. IT services). Your school is responsible for ensuring that any data processor it uses co-operates with school data policies. A written agreement must be signed between data controller and data processor.


The use of photographs within schools is common; however, the data protection regulations surrounding their use can be confusing. Some common examples of how photographs are used in schools are outlined in the table below.



Terms of use



Can be considered essential but must be deleted once the child leaves your school

Display within school

School trip photos

Permission should be sought to retain the image after the child leaves your school


School prospectus

Specific informed consent must be sought

Data Breaches

A data protection breach within your school could generate catastrophic effects for both your school and your students. Individuals whose data is breached may have their rights and freedoms compromised, whilst your school could suffer an immense knock to its reputation.

In February 2018, it was discovered that four UK schools had fallen victim to cyber-crime. Hackers had infiltrated the schools' CCTV system and started to stream it live on US websites. From this event we can appreciate that poorly secured CCTV cameras compromised the privacy of thousands of school children. It highlights the need for well secured surveillance systems and strong password protection.

Meanwhile, in May 2018 Stowupland High School in Suffolk suffered a serious data protection breach. Sensitive student data, including information within the special data category, was mistakenly sent to the parent mailing list instead of staff. Alongside the student information were logins and passwords to numerous teacher platforms, which additionally compromised any data contained on these platforms. The school was proactive and complied with regulations by reporting the breach to the Information Commissioner's Office within 72 hours of discovery. Parents reacted to the breach with disgust and stated a subsequent lack of trust in the school. The school's reputation has understandably suffered as a consequence.

Data protection is one way in which schools are responsible for ensuring child protection. With increasing levels of accountability and widespread repercussions for data breaches, adequate training of all your staff members is a necessity. Data protection training can ensure your school adheres to data protection legislation whilst preserving simpler privacy.
