Let us help you out of the maze

“Lawful Basis for Processing in Schools & Universities: Which One Should I Use?”

Let’s be honest: when most of you became educators, you dreamed of inspiring minds, not mastering the fine print of data protection law. But here you are, in a post-GDPR, post-DUAA world, where understanding the “lawful basis for processing” is as crucial as remembering to take the register.

The good news? While the Data (Use and Access) Act 2025 (DUAA) has introduced a few tweaks, the core principles remain intact (just sharpened), especially for education settings. Once you get past the legalese, the lawful bases for processing personal data are more intuitive than they seem and, dare I say, even a little philosophical.

Let’s take a look.

 

The “Why” Before the “How”

Before you collect, use, or store any personal data, from student attendance to parent emails, even the staff lunch allergy list, you must know why you’re doing it. And that “why” must align with one of six lawful bases set out by the UK GDPR (still applicable under DUAA 2025).

Think of it like this: every piece of personal data is a guest at a party. You need a legitimate reason for inviting them in, or you risk violating privacy laws (and no one wants to be that school on the front page for a data breach).

Now let’s meet our six lawful gatecrashers, refreshed for 2025.

 

  1. Public Task: The Educator’s Bread and Butter

If your school or university is a public authority, public task remains your primary basis. You’re carrying out functions in the public interest; teaching, safeguarding, administering exams. The new DUAA reinforces this by clarifying that digital education tools and platforms used to fulfil statutory functions also fall under this basis.

Example: Recording attendance or using a digital behaviour management system. You’re not doing it for fun (although some platforms are slick), but because it’s integral to your duties.

Bonus: You still don’t need consent. In fact, the DUAA discourages unnecessary consent requests where a clearer basis applies, to avoid undermining trust or creating confusion.

 

  1. Consent: Still Not Always the Golden Ticket

Everyone loves a good consent form. Until they realise it’s not always the right tool. Under GDPR, consent must be freely given, informed, and withdrawable. Adding to that, under the DUAA, there’s increased emphasis on ensuring consent is genuinely voluntary, particularly when dealing with minors or those in a dependency relationship. That can be tricky in a school setting where there’s a clear power imbalance.

When it works: Using student photos on your school website or social media. This is optional, celebratory, and low risk. The classic consent use case.

When it doesn’t: Collecting data for the school lunch system or learning platforms required by the curriculum. The DUAA 2025 warns against “coerced consent” in core service delivery, especially in education.

 

  1. Legal Obligation: Because the Law Says So

This one’s straightforward. If another law requires you to process data, GDPR says “go ahead.” However, there is now more focus on clarity and specificity.

Example: Disclosing safeguarding concerns to the local authority or providing payroll data to HMRC. No need to ask nicely; the law’s already spoken.

But be careful. Vague references to “policy” aren’t enough. Be ready to cite specific laws (e.g. Education Act 1996, Children Act 1989, Safeguarding Vulnerable Groups Act 2006). The DUAA encourages clearer audit trails for these decisions.

 

  1. Contract: Mind the Fine Print

More relevant to universities and colleges, this applies when data processing is necessary for a contract (e.g., enrolment, accommodation).

Example: : A university processing student accommodation requests or managing course enrolment. The student signed up for a degree; you need to process data to deliver on your end of the bargain.

It can also apply to employment contracts.

DUAA update: The Act highlights the growing use of AI and third-party tools in education, requiring contracts with digital vendors to include clear data use terms. Processing data under contract must be strictly necessary, not just convenient.

 

  1. Legitimate Interests: The Wild Card, with Stricter Controls

This basis has always been the most flexible and misunderstood. The DUAA has added extra scrutiny for public authorities like schools when using it.

Example: Using CCTV at an independent school for safety. Your interest (keeping people safe) outweighs the slight intrusion on privacy, as long as it’s well-signposted and proportionate.

But if you’re a public authority, use this one sparingly. The ICO tends to raise an eyebrow when schools over-rely on it.

New under DUAA: Public bodies must not use this basis for tasks where another basis (e.g., public task) is more appropriate. The DUAA also introduces a “Legitimate Interests Assessment (LIA) log” for higher risk uses. A lightweight but structured way to show you’ve considered the risks and mitigations.

 

  1. Vital Interests: Still for Emergencies Only

This is your break-glass-in-case-of-emergency option. Life-and-death situations only. It’s rarely used, but crucial when needed.

Example: A student collapses, and you need to share medical information with paramedics. GDPR isn’t going to stand in your way.

If you’re using this basis often, your emergency planning may be lacking. The DUAA nudges organisations toward more proactive safeguarding policies rather than relying on this exception.

 

So… How Do You Choose the Right One?

Here’s the secret: don’t overthink it. Start by asking yourself:

  • Why are we collecting this data?
  • Is it part of our statutory duties?
  • Is there a specific law that applies?
  • Would the individual expect this use?
  • Can we achieve the goal without processing personal data?

Once you’ve chosen your lawful basis, stick to it. You can’t switch to “consent” just because someone complains. And yes, you must inform individuals which basis you’re using in your privacy notice and be prepared to justify it. Trust me, having this straight makes life easier when the ICO, or a curious parent, comes knocking,  especially when using automated systems or AI-assisted platforms.

Lawful basis isn’t just a box-ticking exercise. It’s a lens through which we examine how and why we handle people’s information. The DUAA may have added a few sharper edges and new expectations, but the heart of data protection remains the same: respect. Whether you’re an early years teacher or a university data officer, understanding this stuff isn’t just compliance.

It’s care.

/by

FOIs: A Quick Guide to Processing in Education

September marks the start of a new school year and with it, we often see an influx of FOI requests.

It usually starts with an email. The subject line is polite, official (possibly even a little dry): “Request under the Freedom of Information Act 2000.”

You open it, wondering if it’s a mistake. It’s not. Someone; a journalist, a parent, a campaigner, or simply a curious member of the public, wants to know something. And they’ve used the law to ask for it.

If you work in a publicly funded school, college or university, this moment will happen eventually.

What is a Freedom of Information Request?

A Freedom of Information (FOI) request is a formal right, enshrined in law, that allows anyone to request access to recorded information held by public authorities.

In practice, it means that people can ask your institution for all sorts of information: how much you spend on IT software, your attendance policies, the number of staff disciplinaries in the last academic year, or how many trees are on campus. Some questions are serious and data-heavy; others can feel oddly niche. All deserve to be handled with care.

The Freedom of Information Act 2000 is the legal framework that governs this process, and if you’re funded by the state (whether you’re a maintained school, academy, sixth form college, or university) you’re covered by the Act.

What Happens When You Receive One?

The moment a request is received in writing (email is fine), the clock starts ticking. You have 20 working days to respond. Not 20 calendar days. Twenty working days from receipt.

The request doesn’t need to say “Freedom of Information” to be valid, it just needs to ask clearly for information. You’re only required to provide what you already hold in recorded form. That means documents, emails, spreadsheets, and data. Not opinions, hypotheticals or creating new analysis from scratch.

Where Do You Start?

Start by reading the request carefully. Does it make sense? Is it clear what’s being asked? If not, there’s room to seek clarification, but don’t delay unnecessarily.

Then comes the search. This often involves a bit of internal digging: a polite email to a department, a rummage through shared drives, a search of archived documents. Sometimes the answer is easy to find; sometimes it’s buried beneath years of naming conventions like “final_final_USETHIS_one.docx.”

Once the information is located, it needs to be reviewed. Are there personal details? Is there commercially sensitive data? Would disclosure cause harm? The Freedom of Information Act contains a number of exemptions for situations like these, but they must be applied with precision and fairness.

Redaction may be necessary. Context may be helpful. But transparency is the goal, unless there’s a compelling reason to withhold.

What If It’s… Difficult?

Some requests are tricky. Some are frustrating. Some seem designed to test the limits of patience.

The Act allows for requests to be refused if they are vexatious, repetitive, or too costly to fulfil. But this isn’t a get-out clause. It must be justified. There’s a balance to be struck between protecting resources and respecting the public’s right to know.

And while the content of a request might raise eyebrows (how many pigeons have entered the school library this term?), it doesn’t mean it lacks legitimacy.

Why It Matters

Freedom of Information isn’t about catching schools or colleges out. At its heart, it’s about accountability. Education institutions are entrusted with public money and play vital roles in their communities. FOI ensures that trust can be tested and reinforced.

Handled well, FOI requests can be an opportunity to show good governance, sound decision-making, and openness.

Handled badly (ignored, delayed, or dismissed), they can lead to complaints, investigations by the Information Commissioner’s Office, and damage to reputation.

FOI requests are not everyday occurrences for most education staff, but they’re not rare either. They arrive, sometimes quietly, and ask institutions to do what they already strive for: to be transparent, responsible and fair.

A clear internal process helps. So does a calm approach. Most of all, it helps to see these requests not as burdens, but as part of the wider responsibility that comes with public trust.

Because when someone asks, “Can I see that information?”, the best answer is not just “Yes,” but “Here it is, clearly, correctly, and on time.”

/by

“RoPA’s: Why Every School Needs to Get Their Data House in Order”

When I first mention a RoPA to staff in schools or multi-academy trusts, I usually get one of three responses:
A) a knowing sigh,
B) a panicked blink, or
C) a hopeful, “Is that the thing we can outsource?”

The truth is, a Record of Processing Activities (RoPA) sounds more bureaucratic than it actually is. But in an educational setting, where data is flying around faster than paper aeroplanes in Year 5, it’s one of the most valuable tools you can have to make sense of your obligations under UK GDPR.

And with the Data Use and Access Act (DUAA) bringing further changes to the regulatory landscape, it’s never been more important.

 

What is a RoPA, and Why Should You Care?

A RoPA is essentially your school’s data processing map. It lists what personal data you collect, why you collect it, who you share it with, how long you keep it, and how you protect it. Think of it as your school’s data inventory; a living, breathing document that should reflect the reality of what’s going on across classrooms, admin offices, safeguarding teams, and yes, even the school newsletter.

Under Article 30 of the UK GDPR, most schools are already required to maintain a RoPA. The myth that only large organisations need one doesn’t fly. If you’re processing data regularly, and especially if it involves sensitive or special category data (SEN records, health information, safeguarding logs), you’re on the hook.

What’s changed with the addition of the DUAA?
The DUAA introduces a stronger emphasis on accountability and proactive data management, giving regulators more clarity on expectations and giving schools less room to rely on static, tick-box compliance.

For example:

  • Schools may now be expected to demonstrate how they are managing data risks, including algorithmic decision-making tools (e.g., AI marking or behaviour monitoring).
  • There is a growing expectation to include data sharing justifications in your RoPA, especially where you share data with third-party edtech providers.
  • The RoPA may serve as a key piece of evidence in demonstrating ‘appropriate data governance’ during any investigation or audit.

 

So Where Do You Start?

I often tell schools to treat RoPA creation like a school play. Everyone has a role, even if they’re only on stage for a scene or two, and someone (preferably your Data Protection Lead or DPO) needs to be directing the whole thing.

Start with what you know best: daily operations. What personal data do you collect on students, parents, staff, and governors? Where is it stored? Who has access?

Don’t worry about getting it perfect from the outset. This is more of a marathon than a sprint. What matters is building a truthful picture of how data flows through your school. And like a great Ofsted inspection, preparation is everything.

 

Who Needs to Be Involved?

One of the biggest mistakes schools make is assuming this is an IT or data manager’s problem. In reality, every department has a slice of the RoPA pie. The SENCO knows more about special category data than anyone. HR understands the nuances of staff records. Admin staff are often the unsung heroes of data entry and consent management.

This isn’t about adding to their workload, it’s about tapping into what they already know. The DPL or DPO should facilitate the process by asking the right questions, guiding decisions, and ensuring everything is documented with clarity and consistency.

With the DUAA in effect, demonstrating a joined-up approach to data governance isn’t just good practice, it’s also evidence of compliance. Cross-departmental input will help schools fulfil the ‘appropriate organisational measures’ requirement more robustly.

 

Keeping It Alive (and Not Just a GDPR Box-Tick)

Creating a RoPA and letting it gather digital dust in your SharePoint is the data equivalent of laminating a safeguarding policy and never looking at it again.

A good RoPA is maintained. It evolves. When you roll out a new parent communication app, switch MIS providers, or start using AI-assisted marking tools, your RoPA needs an update. I advise reviewing it termly, or whenever there’s a significant change in how data is processed.

And here’s where the DUAA raises the stakes again:
With a more outcomes-based focus, the new regime doesn’t just look at whether you have documentation, it looks at whether it reflects reality. Expect regulators to ask: Is your RoPA accurate, current, and genuinely used in decision-making?

Pro tip: link your RoPA maintenance with regular data protection training or staff updates. It keeps things fresh and signals that data protection is woven into the fabric of how your school operates, and not just a once-a-year compliance headache.

 

Why It Matters

Aside from the obvious regulatory compliance (and let’s be honest, the ICO can and does ask to see your RoPA), having a strong, accurate Record of Processing Activities:

  • Enhances transparency with staff, parents, and pupils.
  • Makes responding to Subject Access Requests significantly easier.
  • Helps assess the impact of new technologies and tools on data protection.
  • Supports compliance with new DUAA principles around risk management and accountability.
  • Builds a culture of responsibility and digital maturity in your organisation.

But more than that, it reflects the kind of trust and integrity every educational setting should strive for. Because in schools, we’re not just handling data. We’re handling lives, stories, and futures.

So, if your RoPA’s still in the ‘to-do’ pile, consider this your gentle nudge. And if you’re already on the road? Keep walking, keep refining, and keep your DPO on speed dial.

Data protection isn’t just about compliance anymore. It’s about confidence, care, and doing the right thing by your community.

/by

Data Use Complaint: A Story from the School Office

It begins with a simple email.

“Dear Office, I’m concerned about the data collected by the new homework app. Could you let me know what’s being stored about my daughter, and whether we can opt out?”

At first glance, your school administrator treats it as a routine enquiry. A parent, understandably cautious. The message gets forwarded to your IT team and is quickly forgotten.

But a few days later, a second email appears:

“I haven’t received a response. Under UK GDPR, I believe I’m entitled to this information.”

At this point, you pause. Is this just a question, or something more? Could this be considered a data protection complaint? Should there be a formal process in place? And if so, who is responsible?

Suddenly, you’re faced with a requirement that, until now, may not have felt urgent – but is now absolutely necessary.

 

A New Legal Expectation for Schools

Before 2025, data protection concerns in schools were relatively informal. A quick reply often sufficed.

But under the Data Use and Access Act 2025, that’s no longer enough.

The legislation introduces clearer expectations for how educational institutions handle complaints related to data protection. The emphasis is now on being structured, transparent, and responsive, especially when the complaint involves the data of a child.

 

What the Law Now Requires from You

The Data Use and Access Act 2025 introduces several concrete requirements for complaints handling:

  1. A Formal Complaints Process

You must have a clear and specific procedure for handling complaints relating to personal data. This should be separate from your general complaints policy and easy to understand.

  1. An Online Complaint Form

It is now a legal requirement to provide a dedicated, electronic form on your website for individuals to lodge a data protection complaint.

  1. Acknowledgment Within 30 Days

You are required to formally acknowledge all data protection complaints within 30 calendar days of receiving them.

  1. A Prompt, Reasonable Response

There’s no strict statutory timeframe for resolution, but the law requires that you respond, “without undue delay.” The ICO will expect to see evidence of timely, proportionate action.

 

Practical Steps You Should Take

If you haven’t already, now is the time to act.

  • Create an accessible digital complaints form

Ensure it’s linked from your privacy notice and easy for parents, pupils, and staff to find.

  • Develop a clear internal process

Define who receives the complaint, who investigates, and who signs off the response. Consider how you will track and document each step.

  • Train staff across departments

Your admin team, teachers, and support staff should know how to recognise a data complaint, and when to escalate it.

  • Involve your DPO early

Your Data Protection Officer or Data Protection Lead should be actively involved in setting up the complaints process and reviewing each case.

 

A Likely Scenario

Imagine this:

A parent asks why a learning platform seems to be recommending content to their child based on interaction history. They ask what’s being tracked, and who can see it. At first, it feels like a casual question, but it meets the definition of a data protection concern.

If you don’t have a formal process in place, there’s a risk of delay or miscommunication, and that’s now a compliance issue.

But with the right system, the response is simple:

“Thank you for raising this. We’ve received your complaint and are reviewing it. You’ll receive a further response shortly.”

That one sentence does more than meet a legal obligation; it demonstrates trust, care, and professionalism.

 

Why This Matters

As a school, you manage sensitive data every day, academic records, safeguarding notes, medical needs, behavioural reports, and increasingly, digital interactions.

The expectations from parents, pupils, and regulators have never been higher.

By developing a clear complaints procedure, you’re not just reducing risk, you’re showing your school community that you take their rights seriously.

A single email could spark a chain of events. But with the right policies and mindset, it doesn’t need to become a crisis.

You have the opportunity to respond confidently, clearly, and in full compliance with the law.

Because when someone raises a concern about how you use their data, or their child’s, it’s not just a legal issue, it’s a matter of trust.

/by

“You’ve Got (Subject Access) Mail!” – Navigating SARs in Schools Without Losing Your Sanity

Imagine it’s a rainy Thursday afternoon. You’ve just finished playground duty and you’re halfway through a lukewarm coffee when the email pings into your inbox. It’s a Subject Access Request (SAR), and not just any SAR, it’s one of those SARs: someone wants “all the information you hold about them.”

Cue internal screaming.

But don’t panic. Whether the request comes from a parent, a staff member, or even a student themselves, SARs are a regular part of school life under data protection law. They might not arrive every day, but when they do, they tend to bring a flurry of questions, and a fair bit of admin.

And thanks to the Data Use and Access Act (DUAA), the rules have been sharpened, the expectations clearer, and some of the grey areas just got a little less grey.

Let’s take a breath and walk through what this actually means for you, the person who now has one calendar month (no, that hasn’t changed) to find and deliver everything that qualifies as “personal data.”

 

So what does “all the information” actually mean?

Here’s where things get interesting. When someone submits a SAR asking for “everything you hold about them,” they’re invoking their rights under the UK GDPR and now the Data Use and Access Act (DUAA), which has reaffirmed and clarified how those rights apply in public bodies like schools.

They’re not just asking for what’s in their file folder; they want everything (digital, physical, historical) that says something about them and is stored by the school.

This could be emails that mention them (yes, even those ones you wish you’d written more diplomatically), reports, assessments, meeting notes, disciplinary hearings, communications between staff about that person, and more.

But it’s not everything, everything.

That private WhatsApp message you sent to a colleague about your frustrating morning? Still probably out of scope, unless you’ve somehow used it to make a formal decision or documented it in school systems.

The DUAA now gives clearer boundaries here: personal communications not forming part of a school’s official processing activities are generally not in scope. But always assess context and purpose.

And here’s a welcome relief:
The DUAA also gives you the right to seek clarification when a request is unclear or too broad. If someone asks for “everything,” but you reasonably believe they’re looking for something specific (say, safeguarding records or a particular incident), you can pause the clock while you ask them to narrow it down. Just make sure you document the clarification request and don’t delay unnecessarily.

This can save hours of time and reduce the risk of over-disclosure or missed data.

 

What should you be including?

If the data says something about the person and you’re holding it in your professional capacity, odds are it’s in.

Think emails, student records, safeguarding files (yes, even the tricky ones), disciplinary records, performance reviews, and any formal or informal notes that contribute to school decisions or knowledge.

Even if the person wasn’t the author of the document, if it’s about them, they get to see it.

And don’t forget metadata, timestamps, usernames, and version history. Under the DUAA, the definition of “personal data” remains broad, and these still count if they can identify the individual.

 

What can you leave out?

Thankfully, not everything needs to be handed over. The DUAA clarifies exemptions around safeguarding, exam scripts, and third-party data, but it also tightens how schools must apply them.

Here’s what remains true (with some added clarity):

  • Truly personal notes not part of the school’s records or decision-making process? Still probably exempt.
  • Informal, handwritten notes not used to inform decisions? Possibly out of scope but under the DUAA, if they’re later referenced in emails or meetings, they become part of the record.
  • Other people’s data? Now more explicitly protected. The DUAA reinforces that schools must redact or anonymise third parties, especially in safeguarding reports or behavioural logs.

Also, the DUAA introduced a more formal “harm-based test” for withholding certain disclosures, especially when releasing data could put someone at risk (e.g. in child protection cases). So while the exemptions are narrow, they are now better defined.

 

Where do you even look?

Data hides in more places than you think. The usual suspects: your MIS, email servers, safeguarding platforms, and cloud learning tools.

But the DUAA now places a firmer expectation on schools to have documented data maps or records of processing, so you can actually find what you need without resorting to digital archaeology.

That means staff shared drives, laptop folders, Teams logs, and even archived paper files may still hold data that must be reviewed.

You don’t need to become Sherlock Holmes, but you are expected to conduct a “reasonable and proportionate search” and the DUAA now helps define what that looks like. It’s less about exhausting every dusty archive and more about having a clear search strategy and audit trail of your efforts.

 

A final word to the wise

A SAR is not just a bureaucratic hoop to jump through. It’s a window into how much we record, how we talk about people, and what assumptions sit in our systems.

The Data Use and Access Act reinforces that access is a right, but also that handling these requests should be structured, documented, and mindful of harm. It’s not just about handing over a stack of papers; it’s about transparency done properly.

So yes, receiving a SAR might still feel like being put under a microscope but, it’s also an opportunity. A moment to tidy up your data habits, update your record-keeping, and reflect on how information flows through your school.

And next time someone asks for “everything you’ve got,” you’ll know where to start, what to include, what to redact and, most importantly, how to stay sane while doing it.

/by

The DUAB is Now Law: What This Means for Education

On the 19th of June 2025, the Data Use and Access Act (commonly known as the DUAB or DUA Bill) officially received Royal Assent, marking a significant update to the UK’s data protection framework. While it doesn’t entirely rewrite GDPR, it does bring a number of key changes that educational institutions need to be aware of.

Let’s break it down and explore what this means for colleges, schools, and educational staff in a practical, easy-to-digest way.

Subject Access Requests: The Clock Pauses for Clarification

We know that managing Subject Access Requests (SARs) can be time-consuming, especially when students or staff request a mountain of data.

Here’s what’s changed:

  • If someone submits a SAR and you need clarification, the response deadline is paused until they respond.
  • You can reasonably ask for clarification if you hold a large amount of data about the person.
  • Once clarification is received, you must still perform a reasonable and proportionate search for the requested data.

Takeaway for educators: If a student or staff member submits a vague or broad SAR, you now have the legal room to ask for specifics before the 30-day countdown begins. This helps you stay compliant and focused on what’s actually needed.

Complaints Must Be Handled Internally First

The new law gives organisations a chance to fix things before complaints go to the ICO (Information Commissioner’s Office).

Now, if someone raises a data protection issue:

  • You must acknowledge their complaint within 30 days
  • Take appropriate steps to investigate and address it
  • And inform them of the outcome

What this means: Colleges should ensure there’s a clear internal complaint process. This is a great time to check that your staff know how to escalate issues internally, before they become a bigger (and more public) problem.

Automated Decision-Making & AI in Education

With AI becoming a growing tool in education, think automated exam marking or application screening, DUAB clarifies how these systems should be handled:

Automated decisions that have legal or significant effects (e.g. admissions, grading) are permitted, as long as:

  • The individual is told their data will be used this way,
  • They are given the option to contest the decision, and
  • Human intervention is available.

Heads up: If your college uses AI to grade tests (like automated multiple-choice scoring), or any automated student decision-making systems, let your data protection lead know. You’ll need to be clear with students about their rights and the role AI plays.

Cookies: A Bit More Flexibility

Let’s talk cookies. No, not the chocolate chip kind.

DUAB introduces exemptions to the consent requirement for certain non-essential cookies. That includes cookies used for:

  • Statistical analysis
  • Website performance
  • User preferences
  • Service improvements

Good news for IT teams: If your college’s website uses cookies only for these purposes, you no longer need to obtain user consent.

Legitimate Interests: A Clearer Path Forward

There’s now a recognised list of “legitimate interests”, making life a bit easier for data protection leads. These include:

  • Safeguarding students and staff
  • Fraud prevention
  • Network and system security
  • Intra-group data sharing (for multi-site colleges)
  • Direct marketing

If your college is processing data for any of the above reasons, you no longer need to complete a Legitimate Interests Assessment (LIA).

Bottom line: This streamlines processes and reduces paperwork when handling security or safeguarding-related data.

What’s Next?

While these updates are now law, the government hasn’t yet published education-specific guidance. In the meantime:

  • Review your current policies, especially around SARs, complaints, and automated decision-making
  • Update your internal processes and staff training to reflect the new rights and obligations
  • Monitor for upcoming sector-specific guidance

If you’d like to explore more detailed legal interpretations or dive deeper into how DUAB changes things across different industries, click here for further information.

Let’s continue to champion responsible data use in our schools and colleges. These changes aim to strike a better balance between protecting individuals’ rights and reducing unnecessary red tape – and that’s something we can all get behind.

/by

The Right to Be Forgotten: Powerful or Problematic?

Picture this, a student who left school years ago reaches out with a request. They’d like their personal data removed from your records. Not just from the admissions system, but everything; emails, reports, maybe even that long-forgotten incident log from Year 9. They’ve moved on and want their past to do the same.

It’s a request that might feel particularly familiar as we approach the end of the academic year. Leavers are saying their goodbyes, staff are wrapping up reports, and across schools and universities, inboxes are starting to fill with data requests of all kinds. One that stands out: the Right to Be Forgotten.

Under the UK GDPR, individuals have the “Right to Be Forgotten,” meaning they can request the deletion of their personal data when it’s no longer necessary. On the surface, it’s empowering. People should have a say in how long their data is kept, and it makes sense that someone might want to shed parts of their past as they grow older.

But in education, where records aren’t just about individuals, they’re about safeguarding, progress, accountability, and shared experiences, it’s not always a straightforward decision.

When Forgetting Isn’t That Simple

Educators are natural record-keepers. Whether it’s for safeguarding, special educational needs, or even just tracking progress over time, information often needs to be preserved for years, sometimes decades. Deleting a student’s file isn’t like clearing out an old inbox, it could mean losing context, closing the door on long-term support, or even creating gaps that matter later on.

Take safeguarding, for instance. A school may need to retain certain records well into adulthood because they could one day form part of a disclosure or investigation. It’s not about holding on to the past unnecessarily, it’s about being prepared for the future.

So when a deletion request lands, it’s not simply a matter of yes or no. It’s about finding the balance between respecting someone’s right to move on, and the very real need to preserve records for legal, ethical, or pastoral reasons.

The Growing Digital Trail

Another challenge? The sheer amount of digital space education now occupies. Emails, learning platforms, CCTV, behaviour tracking software, it all adds up. And each of those systems might hold fragments of someone’s personal story.

In practice, this means schools and universities need to have a clear idea of where data lives, how long it needs to be kept, and when it can safely be deleted. That’s easier said than done, especially when older systems weren’t designed with the right to erasure in mind.

Still, we’re seeing encouraging progress. A number of schools have created systems for reviewing and safely deleting old data, ensuring they don’t keep more than they need to. Some universities have designed workflows that let them honour deletion requests without compromising core records like transcripts or misconduct reports. What’s key is having a clear, fair process and communicating it openly.

Conversations, Not Just Policies

The most effective responses to RTBF requests tend to start with a conversation, not a policy document. The best examples we’ve seen involve staff explaining clearly why some records must be kept, while also doing everything they can to remove unnecessary data. It’s about approaching each request with care and respect, rather than defensiveness or bureaucracy.

That human touch really matters. After all, people often ask to be “forgotten” not just out of privacy concerns, but because they want to close a chapter, sometimes after difficult experiences. Even when we can’t grant a full erasure, we can usually find ways to meet the spirit of the request with kindness and clarity.

So, Where Does That Leave Us?

The Right to Be Forgotten is both powerful and complex. It asks important questions about memory, responsibility, and care. And while it might feel tricky to navigate, it’s also a chance for schools and universities to reflect on the data they hold and why they hold it.

Are we keeping things because we need to? Or because we always have? Are we making space for people to move on? Or unintentionally anchoring them to a version of themselves they’ve long outgrown?

There are no perfect answers, and each case will be a little different. But what’s clear is that thoughtful, transparent processes and a bit of empathy go a long way. Forgetting, when it’s done well, can be an act of respect. And remembering, when necessary, can be an act of care.

If nothing else, it’s a good reminder that every bit of data we collect today might become part of someone’s story tomorrow. How we hold that story, and when we let it go, matters more than ever.

/by

“The Breaches We Don’t See: Hidden Risks in School Data Handling”

In a quiet primary school on the edge of town, a well-meaning teaching assistant printed a spreadsheet containing student health details. He left it in the staffroom just for a moment while making a cup of tea. When he returned, the document had vanished. It later turned up, crumpled and smudged with jam, in the Year 2 book corner.

No hackers, no malware. Just a simple, very human mistake.

When we hear “data breach,” it’s easy to picture a dramatic cyberattack. Dark rooms filled with glowing screens, stern-faced experts speaking in code, maybe even a ransom note demanding cryptocurrency. But in schools, breaches often take a much quieter, more familiar form. They’re the result of everyday errors and oversights, the kind we don’t always see as serious, even when they are.

In educational settings, personal data flows constantly. From pupil records and safeguarding notes to staff files, medical information, and assessment data – it’s all there, quietly underpinning the day-to-day rhythm of school life. And while schools have come a long way in formalising policies and investing in secure systems, there’s one area where vulnerability lingers: the forgotten, overlooked breaches.

Sometimes, it’s about destruction rather than disclosure. Take the school secretary who accidentally deletes a folder containing behavioural reports during a routine system tidy-up. Or the teacher who loses a handwritten safeguarding log in a spring clean, thinking it was scrap paper. It’s easy to assume that if no one else accessed the data, there’s no breach. But loss and destruction, intentional or not, can have a serious impact on the individuals that data relates to.

Alteration is another blind spot. It might seem harmless when a colleague “tweaks” a student’s medical note for clarity or edits a pastoral record without documenting the change. But even small, unauthorised edits can lead to confusion or worse, misinformed decisions. One school found itself in difficulty after a student’s allergy record was edited to say, “mild intolerance” rather than “anaphylaxis.” A well-meaning change, but a deeply risky one.

And then there’s unauthorised access, often accidental but nonetheless serious. A casual conversation in the corridor mentioning a child’s social services involvement. A screen left unlocked during a lunchtime rush. A well-intentioned parent volunteer glimpsing confidential student data while helping out in the office. No malicious intent, but the boundaries blur all the same.

Loss of data is just as often physical as it is digital. Laptops go missing, USB drives slip between sofa cushions, old filing cabinets are emptied into bins without checking the contents. One secondary school discovered that its entire archive of paper attendance logs had been mistakenly shredded during a storage room clear-out. Years of data, gone in an afternoon.

These are not stories of negligence or malice. They’re stories of busy people juggling multiple responsibilities, making small decisions in a fast-paced environment. But these small moments, multiplied across a school, can create quiet cracks in data protection, cracks where trust can quietly seep away.

So, how do we raise awareness without creating fear?

First, we shift the way we talk about data breaches. Instead of painting them as rare and technical, we frame them as something all of us have a role in preventing. This isn’t about panicking over paperwork, it’s about embedding a culture of care, where data is treated with the same respect as student safety or wellbeing.

Telling real, relatable stories helps. A GDPR workshop might prompt yawns but a discussion about how a misdirected email affected a vulnerable student lands very differently. It’s not about ticking boxes; it’s about protecting relationships.

Second, we make it safe for staff to report near misses. Too often, people worry about being blamed or embarrassed. But a culture of openness turns mistakes into opportunities to learn and improve. A teacher who admits to accidentally sharing the wrong document helps the whole school get better.

And finally, we remember that leadership sets the tone. When senior staff prioritise data protection not just as compliance but as a matter of integrity, it filters down. When they model good habits such as locking screens, questioning poor practices, inviting feedback; it becomes part of the school’s DNA.

In schools, trust is everything. Families trust staff to keep their children safe, not just physically, but emotionally and digitally too. That trust isn’t only built through grand gestures; it’s upheld in the smallest details. How we store, share, and respect the information we hold.

Because in the end, a breach doesn’t have to be loud to be damaging. It can be a file lost, a conversation overheard, a folder carelessly edited. And protecting against those quiet breaches is one of the responsibilities we all share.

/by

Education and UK GDPR in 2025: Seven Years On, Are We Getting It Right?

“Miss, what’s GDPR? Is it a new exam board?”

That question might have raised a chuckle back in 2018, when GDPR first arrived with its bundle of acronyms, policy updates, and general sense of urgency. But here we are in 2025, seven years on and the UK GDPR is no longer the new kid on the block. It’s settled in, taken its place alongside safeguarding, SEND, and all the other core responsibilities that shape everyday life in education.

The big question is: have we settled in with it?

Looking Back (and Forward)

When the GDPR first landed, there was a flurry of activity; privacy notices were redrafted, training sessions booked, and data audits launched with admirable enthusiasm. Since then, many schools, colleges and universities have found their rhythm with data protection. It’s become part of the background noise of school life: necessary, not always exciting, but undoubtedly important.

Still, while the panic may have subsided, that doesn’t mean the pressure has. In fact, the expectations have only grown. With the increasing use of digital tools in classrooms, the rise of online learning, and greater public awareness of privacy issues, it’s no longer enough to simply tick the GDPR box and carry on. The way we manage personal data has become part of how our communities judge our professionalism and trustworthiness.

And rightly so. In education, we hold some of the most sensitive information people will ever share; from learning needs and medical information, to safeguarding records and home circumstances. Protecting that data is part of the duty of care we owe to every pupil, student, parent, and colleague.

In recent years, we’ve seen both missteps and good practice across the sector. One well-known case involved a phishing email that led to a serious breach at a large multi-academy trust. Despite having the right policies on paper, the real problem turned out to be a lack of practical staff training. It was a simple mistake, but one with far-reaching consequences.

On the other hand, many institutions have shown what good looks like. Several universities, for example, now include GDPR awareness as part of induction for all staff, and make regular updates part of their professional development cycle. One even ran a student-led privacy campaign, helping young people understand their own rights while building a culture of shared responsibility. The message was clear: data protection isn’t just admin, it’s part of how we show care and respect.

What GDPR Means in 2025

We’re now working in a digital-first education landscape. Learning platforms, behaviour tracking systems, AI-driven learning tools, they all collect and process data in increasingly complex ways. GDPR hasn’t stood still either; the principles remain the same, but the questions we need to ask have evolved.

Are we being transparent with families and students about how their data is used? Are we confident the apps and platforms we rely on are genuinely secure and compliant? Are we sure that only the right people in our organisations can access sensitive information?

These aren’t questions for data managers alone. They’re questions for senior leaders, teachers, support staff – everyone who touches information in any form. Because GDPR is no longer just a legal requirement. In 2025, it’s part of how we show we’re trustworthy professionals.

Seven Years In: What’s Changed?

What’s changed, more than anything, is awareness. Students are more privacy-savvy. Parents are asking sharper questions. Staff are more alert to the risks and responsibilities of handling personal data.

And that’s a good thing.

It means we can shift the conversation from compliance to confidence. When GDPR is built into our culture, not just our policies, it becomes part of a wider approach to doing things well. Much like safeguarding, it becomes part of how we think, plan and care.

So, whether you’re updating a digital platform, emailing student records, or printing off that spreadsheet for a meeting, it’s worth pausing to reflect. Not in fear, but in thoughtfulness. Is this the safest way to handle this information? Do I need to do anything differently? Would I feel comfortable explaining this decision to a parent?

There’s no denying that GDPR doesn’t always feel urgent (until something goes wrong). But it’s one of those quiet responsibilities that says a lot about who you are as educators. It speaks to the trust placed in you, and the way you uphold it day after day.

Seven years on, we’ve come a long way. And with thoughtful leadership, practical systems, and a bit of shared awareness, we’ll keep moving in the right direction.

After all, data protection is really about people and, education has always been good at putting people first.

/by

“It’s Just Exams” – Until It Isn’t: Mental Health, Exam Stress and What GDPR Really Says About Sharing Student Data

It’s that time of year again.

The corridors are quieter. The library’s full. Revision guides multiply like gremlins. Students are hunched over past papers, and you’ve lost count of how many times you’ve said, “Just do your best.” Exam season: the annual rite of stress, snacks, and sharp-tipped pencils.

We know the drill. We also know that for some students, it’s more than just pressure. It’s panic. Fear. Sleepless nights. And in some cases, a quiet, growing despair that’s not always easy to spot.

So what happens when one of your students hits a breaking point?

Let’s say you’re a form tutor. One morning, during a routine check-in, a Year 11 student makes an offhand comment that stops you cold: “I’m not sure there’s any point in trying anymore. None of this matters anyway.” They brush it off with a shrug, but something in their tone makes your gut twist.

You’ve got safeguarding training. You know the signs. But now you’re also thinking about what you can and can’t say. What happens if you need to tell someone else? What if they’ve asked you not to? How does GDPR come into play?

Let’s be absolutely clear here: UK GDPR does not prevent you from protecting a student’s wellbeing. The law might sound like it’s all about red tape and locked filing cabinets, but when it comes to emergencies, particularly involving someone’s health or life, it’s surprisingly human.

The key phrase in the legislation is “vital interests.” If a person’s life, health, or safety is at serious risk, you can share their personal information without consent. In fact, in those moments, you’re not just allowed to, you’re expected to act.

So in our example, yes, you absolutely can and should inform your Designated Safeguarding Lead. You might also need to involve mental health services, the student’s parents or carers, or in rare cases, emergency services. You don’t need the student’s permission if you’re worried about their immediate safety. You just need to make a professional, proportionate judgment and record your decision clearly.

That might feel uncomfortable. Students often confide in us because they trust us. It’s natural to want to protect that trust. But safeguarding isn’t about keeping secrets, it’s about keeping people safe. And there’s a way to do both. You can tell the student, calmly and compassionately, that you’re concerned and that you’ll be speaking to someone who can help. It’s not a betrayal. It’s part of the responsibility they trust you to carry.

Let’s take another scenario. An exam invigilator notices a student sobbing quietly during a paper. After the exam, the student says they haven’t eaten in two days because of anxiety. They also beg you not to tell anyone, claiming they’ll be fine. Do you stay silent?

Again, the answer is no. Even if the student appears to be “functioning,” extreme stress, particularly if it’s affecting basic wellbeing like eating and sleeping, can quickly spiral into something more serious. Sharing this concern with your safeguarding lead or school counsellor is entirely appropriate under data protection law. The student’s welfare outweighs their request for secrecy when real harm is at stake.

Of course, not every case is black and white. There will be moments of hesitation. But that’s why having a clear understanding of your school’s safeguarding policy and how it works alongside GDPR is crucial. It helps you act with confidence and compassion.

And let’s not forget the pressure educators are under too. These conversations are emotionally exhausting. You’re juggling exam timetables, parents chasing grades, and students in various states of meltdown. But knowing that the law supports you in putting a student’s mental health first can take one worry off your shoulders.

It’s worth remembering that the Information Commissioner’s Office (ICO) has been vocal on this: data protection is not a barrier to sharing information where someone’s safety is at risk. The myth that “GDPR says no” in these scenarios is not just unhelpful, it’s dangerous.

At the heart of all this is a simple principle: if you’re genuinely worried about a student’s wellbeing, you must act, and the law supports you in doing so. Share what’s necessary, with those who need to know, and keep a clear, factual record of what you’ve done and why.

So as exam season stretches on and stress levels rise, keep your eyes open, your ears tuned, and your instincts sharp. You might be the person a student trusts most. And in a moment of crisis, that trust can be life-changing so long as you’re willing to act on it.

Because sometimes, “just exams” are anything but.

/by