“Hey Kid, Are You Even Old Enough to Be Here?” – The ICO vs. Big Social

In today’s hyperconnected world, it’s not uncommon for children to be more tech-savvy than the adults around them. But behind every cute dance video or viral meme lies a sophisticated system of data collection and recommendation algorithms, Many of which are now under scrutiny.

Recently, the UK’s Information Commissioner’s Office (ICO) launched formal investigations into three popular platforms; TikTok, Reddit, and Imgur, over concerns about how they handle the personal data of UK children aged 13 to 17. For educators and parents, this is a timely reminder: understanding the digital environments children are immersed in is no longer optional, it’s essential.

TikTok: Personalised, But At What Cost?

TikTok has become a fixture in many young people’s daily lives. Its algorithm seems almost magical in the way it recommends content. But the ICO is now investigating how that “magic” works when it comes to children’s personal information.

Is TikTok collecting too much data? Are its recommendation systems steering children toward inappropriate or harmful content? These are some of the key questions the ICO aims to answer.

This isn’t the first time TikTok has come under fire. In 2023, it was fined £12.7 million for unlawfully processing children’s data. The platform says it has since improved its safeguards, but the ICO is making sure those promises hold up under inspection.

Reddit and Imgur: How Do They Know a User’s Age?

Unlike TikTok, Reddit and Imgur aren’t in trouble for what they’re showing children, but rather how they determine whether someone is a child in the first place.

Currently, many platforms rely on self-declared age checks, systems that are easy for children to bypass. The ICO is now investigating whether Reddit and Imgur have adequate age verification in place to prevent underage users from accessing potentially inappropriate content.

Reddit has acknowledged the issue and says it plans to implement stronger age verification. Imgur has not yet commented publicly.

The Children’s Code: Why It Matters

These investigations are part of a broader regulatory effort called the Children’s Code, introduced in 2021. The Code sets out 15 standards that online services must meet to ensure children’s personal data is protected.

At its heart, the Code is built on a simple principle: what’s best for the child must come first.

That means:

  • Minimising data collection
  • Avoiding manipulative design
  • Clearly explaining how data is used
  • Ensuring privacy settings are age-appropriate by default

As adults, we play a critical role in helping children navigate digital spaces safely. The ICO’s investigations are an important step toward greater accountability, but regulation alone isn’t enough.

Here are a few ways you can help:

Start the Conversation

Ask children what apps they use and how they feel about them. Make tech a shared topic, not a private one.

Teach Critical Thinking

Encourage young people to question why they’re being shown certain content. What’s the platform hoping they’ll do next: watch more, click something, buy something?

Stay Informed

Keep up with digital safety guidance from trusted sources like the ICO, NSPCC, and Childnet.

Use Tools and Settings

Explore built-in safety and privacy controls on apps your child uses. These can often be customised to offer better protection.

The internet can be a wonderful place for learning, creativity, and connection. But it must also be a safe and respectful space for children. The ICO’s investigations send a clear message to tech companies: if you want to benefit from children’s attention, you must also earn their trust.

Let’s continue working together, as parents, teachers, and guardians, to ensure that the digital world treats our children with the care, respect, and dignity they deserve.

/by
GDPR Sentry can help you fill the knowledge gap

Cyberattacks on the Rise: What Schools Can Do to Strengthen Digital Resilience

As cyber threats escalate across all sectors, UK schools have become increasingly frequent targets. From ransomware attacks that cripple entire networks to phishing campaigns aimed at staff and suppliers, the education sector is now considered a prime target for cybercriminals. According to the UK’s National Cyber Security Centre (NCSC), the volume and sophistication of attacks on schools have been rising steadily since 2020, with 2024 seeing one of the highest annual surges yet.

For Data Protection Leads (DPLs) and school administrators, the message is clear: safeguarding your community’s data is no longer just a GDPR requirement, it’s a critical frontline defence for education continuity, reputation, and trust.

Why Are Schools in the UK Being Targeted?

Schools manage vast amounts of sensitive data, from student records and safeguarding information to financial details and health data, all governed under the UK GDPR. At the same time, many schools rely on legacy systems, under-resourced IT infrastructure, or lack full-time cybersecurity expertise.

Threat actors know this. They exploit gaps in security awareness, outdated software, and insufficient incident response planning.

In recent months, several UK schools have reported:

  • Ransomware attacks that encrypted entire networks, halting teaching and learning for days
  • Phishing scams impersonating school leadership or DfE officials
  • Data breaches that triggered investigations by the Information Commissioner’s Office (ICO)
  • DDoS attacks during exam periods, disrupting access to remote systems

These aren’t hypothetical risks, they’re happening now.

What Can UK Schools Do to Minimise Risk?

As a DPL or school leader, you’re in a unique position to lead both compliance and culture. Below are seven actionable steps to significantly strengthen your school’s cybersecurity posture:

  1. Embed Cybersecurity into Data Protection Training

Cybersecurity and data protection go hand in hand. Ensure all staff, including teaching assistants and office staff, receive regular, mandatory training on:

  • Identifying phishing emails
  • Secure handling of pupil data
  • Using strong, unique passwords
  • What to do if they click on something suspicious
  1. Implement Multi-Factor Authentication (MFA) Across Systems

If you’re still using single-sign-on credentials for MIS, payroll, or email systems, now is the time to act. MFA drastically reduces the risk of unauthorised access, especially in cloud-based systems like Google Workspace for Education or Microsoft 365.

  1. Keep Software and Devices Updated

Cybercriminals often exploit outdated software with known vulnerabilities. Set systems to automatically install updates where possible. This includes:

  • Operating systems (Windows, macOS, ChromeOS)
  • Web browsers
  • MIS and safeguarding software
  • Antivirus and firewall tools

Work with your IT provider to audit devices used by staff working remotely.

  1. Back Up Data Securely and Test Recovery

Regular, encrypted backups, stored separately from your main network can be the difference between recovery and disaster. But backups only help if they’re tested.

Schedule termly backup recovery tests with your IT team or managed service provider.

  1. Review Third-Party Data Sharing

Many schools use third-party edtech tools. Ensure that suppliers:

  • Comply with UK GDPR
  • Have robust cybersecurity practices
  • Are listed in your Record of Processing Activities (ROPA)

Review contracts and data sharing agreements annually.

  1. Create and Test an Incident Response Plan

If your school is attacked, how will you respond? Who will inform the ICO, parents, or the DfE? Your incident response plan should include:

  • Clear roles and responsibilities (including DPL, Headteacher, IT lead)
  • Communication templates
  • Steps for isolation, containment, and recovery
  • A reporting mechanism to the ICO within 72 hours (as required under UK GDPR)
  1. Promote a ‘Whole School’ Security Culture

Cybersecurity isn’t just an IT issue; it’s an organisational culture issue. Consider adding cybersecurity awareness to staff induction, governor briefings, and safeguarding policies.

Security Is a Shared Responsibility

The NCSC and DfE have made clear that schools must prioritise cyber resilience alongside safeguarding and curriculum planning. For DPLs and school administrators, this means moving beyond compliance and toward proactive, strategic risk management.

The stakes are high, but so is the opportunity to lead. By investing in prevention, awareness, and preparation, your school can protect both its people and its purpose.

/by

“Decoding the Data (Use and Access) Bill: What Educators Need to Know”

Imagine you’re sat in the staffroom, half-eaten biscuit in one hand, half-finished student spreadsheet on the screen. You scroll down a list of names, notes, and numbers, some of which, to your horror, date back to the year David Cameron was still Prime Minister.

You mutter to yourself, Why do we still have this data? Is this even legal?

Well, you’re in luck. Help may be on the horizon, wrapped in bureaucracy yes, but still help.

The UK’s Data (Use and Access) Bill is the government’s latest attempt to bring data protection into the 21st century without sending educators and administrators into panic-induced paper purges. So, what does it mean for you and your school? Let’s unpack it without the legalese, and with your sanity in mind.

So… What Is This Bill Actually About?

At its core, the Data (Use and Access) Bill (or DUAB, if you’re into acronyms) is about striking a balance between making better use of data and protecting people’s rights, especially children’s.

It’s part of the government’s broader post-Brexit effort to move away from some of the more rigid elements of EU GDPR, while still holding onto the values that matter; transparency, safety, and accountability. Think of it as GDPR’s sensible cousin, still serious, but a little more practical in the school setting.

Why Should Schools Care?

Here’s the thing, schools are absolute treasure troves of personal data. From safeguarding notes and behavioural logs to dinner money apps and biometric attendance systems, they gather data like Year 7s gather Pokémon cards, except there’s legal liability attached.

This Bill is nudging us gently but firmly towards smarter, clearer, and more responsible data use. For instance, it’s placing extra emphasis on how we use children’s data in digital tools and platforms. That means reviewing whether educational software is using personal information appropriately, and not quietly siphoning it off to train some mysterious AI model in the background.

Also under the spotlight? Automated decision-making. If you’ve ever wondered whether a student’s algorithmic “progress tracker” is making assumptions you wouldn’t make as a teacher… well, the DUAB has your back. It demands transparency and human oversight when important decisions are being made based on data. Because let’s face it, no algorithm knows your pupils like you do.

But Wait, There’s More…

One of the big ideas in the DUAB is around data retention. Remember that ancient spreadsheet I mentioned earlier? Under the Bill, keeping data “just in case” won’t cut it anymore. Schools will need clear justifications for how long data is kept and must be able to show they’re not hoarding it unnecessarily. It’s like a spring clean, but for your school server.

The Bill also introduces measures to simplify compliance. For schools, this could mean fewer hoops to jump through when working with third-party apps or local authorities, as long as the data use aligns with the public good and proper protections are in place.

So, What Should We Do Now?

First off, don’t panic. This Bill isn’t a ticking time bomb. It’s more of a nudge to think seriously about how we treat data in our schools and to embed that into our day-to-day decision-making.

It’s a good time to:

  • Talk to your school’s Data Protection Officer (you know, the one who pops up every year reminding everyone about GDPR).
  • Review your school’s data retention schedule – are you keeping stuff longer than necessary?
  • Ask questions about any new edtech platforms you’re trialling. Are they transparent? Safe for students? Do they actually need all the information they’re collecting?

And finally, keep the conversation going. Data protection isn’t just a compliance issue, it’s about trust. Parents trust us with their children. Students trust us with their futures. Managing their data responsibly is part of honouring that trust.

Ultimately, this isn’t just a policy update, it’s a cultural shift. The DUAB reminds us that data is more than a digital asset. It’s personal. It’s powerful. And in education, it’s deeply human.

So next time you open a spreadsheet that hasn’t been touched since the last Ofsted inspection, take a moment. Ask yourself not just “Do we need this?” but also “Is keeping this still respectful to the person behind the data?”

Because in the classroom, in the office, or even in the server room, one truth remains: good education starts with good ethics.

/by

Sentry System Updates 2024

12 Months, 30+ Enhancements, and One Seriously Upgraded System – Here’s Sentry’s Year in Review

Over the past year, we’ve been busy building, refining, and supercharging your system with over 30 significant improvements, each one designed to make your experience more powerful, more intuitive, and, dare we say, a little more enjoyable. Whether you’ve spotted the subtle tweaks or just logged in one day to find everything working a bit more beautifully, the last 12 months have been all about taking your feedback and transforming it into action.

Here are some of the headline acts from this year’s development setlist:

‘Key Statistics’ Feature – Consider this your new go-to dashboard. Real-time, at-a-glance insights that turn data into insightful graphs without the spreadsheet headache.

New Audit Log – Ever wondered who changed what and when? Wonder no more. Our new audit log feature provides a crystal-clear trail of new entries, so you can track activity like a pro.

Multi-Factor Authentication (MFA) – Because security shouldn’t be optional. You can now enable MFA for that extra layer of protection. Peace of mind, powered by best practice.

System User Manual Integration – The latest guidance is now right where you need it: inside the system. No more digging through emails or outdated PDFs. If it’s changed, you’ll know it.

System-Wide Refinements – We’ve fine-tuned just about everything: updated reporting options, smarter selection fields, improved user management tools, and enhancements across every corner of the system. Cleaner layouts, better flows, and more “oh-that’s-useful” moments.

These updates are more than just tweaks; they’re part of our ongoing commitment to giving you a system that grows with your needs and evolves with the times.

To those of you who’ve sent feedback, asked the tough questions, or pointed out the things that could be even better – thank you. You’ve helped shape every one of these updates, and we’re excited for what’s coming next.

So here’s to progress, partnership, and platforms that just keep getting better.

/by

Wall Displays and Data Delays: Preparing for Inspection Without Breaching GDPR

There’s something unmistakable in the air when an inspection is on the horizon. You can feel the hum of preparation in every corridor; policies being printed, classroom displays getting a refresh, and colleagues exchanging knowing glances over the photocopier. It’s all hands-on deck, and every detail matters.

But as walls are re-pinned and cupboards reorganised, another question often arises quietly in the background: Are we still within the bounds of data protection law?

The answer isn’t always as straightforward as we’d like. In fact, GDPR considerations often become most visible in the very things we proudly display on classroom walls, in shared corridors, or on digital screens. And during inspection season, those questions only feel more urgent.

Let’s consider a familiar example: a colourful “Star of the Week” board, complete with names, photos, and personal achievements. It’s a lovely way to celebrate success but what if one of those pupils has a parent who didn’t give consent for photos? Or a safeguarding concern that makes public identification risky? Even the most well-intentioned display can inadvertently stray into problematic territory.

The same applies to medical or allergy information. Many schools use posters or visual aids to make staff aware of pupil needs, particularly in lunch halls or near staff kitchens. But if that information includes photos, names, and medical conditions in areas accessed by other pupils or visitors, it crosses into “special category data” under UK GDPR. That kind of information requires extra care.

Digital spaces are no less important. In the rush to prepare documents, it’s easy to leave a screen open or a shared drive exposed. But if personal pupil data is left visible or accessible to those without a legitimate reason to view it, the school could find itself facing not only a privacy concern, but potentially a reportable data breach.

None of this means schools must remove every trace of student celebration or wrap the walls in plain paper. GDPR doesn’t ask us to stop recognising achievement, it asks us to think critically about how we do it.

One school I worked with ran what they called a “privacy walk” in the days leading up to an inspection. Staff took ten minutes to walk through shared spaces with fresh eyes, asking themselves: Can visitors see anything they shouldn’t? Are personal details on show unnecessarily? Are we being mindful with how we display medical or safeguarding information? It was a quick, simple exercise that made a measurable difference to their overall compliance, and their confidence, on inspection day.

Similarly, one teacher I spoke to found an elegant solution to a parent’s concern over public displays of progress. Instead of using names on her reward chart, she assigned each child an animal symbol; “Team Owl,” “Team Fox,” and so on. It respected privacy, kept parents satisfied, and the pupils embraced it wholeheartedly.

What matters most is that schools are able to demonstrate thoughtful, proportionate decision-making. Inspectors don’t expect perfection, but they do expect to see that staff understand the principles of data protection and have taken reasonable steps to comply.

If you’re unsure about a display, a chart, or a staffroom noticeboard, ask yourself: Is it necessary? Is it proportionate? And have we obtained the right consent, where needed? If you’re still unsure, speak to your data protection lead or DPO. Getting the answer right before inspection day is far easier than addressing concerns after the fact.

Ultimately, compliance isn’t about red tape, it’s about respect. Respecting pupils’ rights, respecting families’ expectations, and respecting the trust placed in schools to safeguard not only children, but their information.

So as inspection season gathers pace, take a moment to review the little things. The name tags, the photo walls, the charts with more detail than needed. Because when the inspector walks in and the questions start, you’ll be glad you did.

/by

Privacy Goes Global: Why the ICO Has Joined the Global CAPE and, Why Educators Should Take Note

It’s not every day you hear about global privacy treaties in the staffroom. Between lesson plans, playground duties, and wondering why the photocopier only jams when you’re in a hurry, international data agreements don’t always make it onto the radar.

But every now and then, something big happens that’s worth pausing for and, Global CAPE is one of those somethings.

So let’s break it down. No jargon, no legal waffle, just a clear, narrative explanation of what’s going on and why it matters to schools.

First Things First: What on Earth is Global CAPE?

Global CAPE stands for the Global Cooperation Arrangement for Privacy Enforcement. Think of it like an international support group but for data protection authorities. It’s a framework that allows privacy regulators from different countries to work together more easily, especially when investigating cross-border data misuse.

Why is this needed? Because in 2024, data doesn’t stay local. A student might use an education app built in California, hosted in Ireland, with customer support in Singapore. If something goes wrong with how that app handles personal information, who’s in charge?

That’s where Global CAPE comes in. It makes it easier for regulators to:

  • Share information securely,
  • Cooperate on investigations, and
  • Support each other when tackling global privacy issues.

In short, it gives watchdogs more teeth and a few more colleagues to back them up.

So, Why Has the ICO Joined?

Earlier this year, the UK’s Information Commissioner’s Office (ICO) officially joined Global CAPE. It’s part of a growing list of data protection authorities who recognise that privacy is no longer a purely domestic issue.

For the ICO, this move means:

  • More muscle in investigating international companies that may misuse UK citizens’ data.
  • A seat at the table when setting expectations for global data handling, especially for emerging tech.
  • Better collaboration with other countries to address risks affecting UK children and families.

As the ICO put it, this step helps ensure that UK citizens remain protected, even when their data travels the world. And let’s be honest, when it comes to edtech and online tools in schools, data is travelling the world.

Who Else Is in This Data Protection Dream Team?

The list of members includes privacy authorities from:

  • The United States (particularly the Department of Commerce)
  • Australia
  • Canada
  • Japan
  • South Korea
  • Mexico
  • The Philippines
  • Singapore
  • And now, the United Kingdom

It’s a truly international group and one that continues to grow.

Why Should Educators Care?

At this point, you might be thinking: Okay, but how does this affect me, the classroom teacher or school leader?

Here’s the link.

As more schools adopt cloud-based learning platforms, communication apps, and AI-powered tools, the question of where data goes and who is accountable when things go wrong is more important than ever.

When you use an app to track student behaviour, does the data stay in the UK? What happens if that company is based abroad and suffers a breach?

Global CAPE means the ICO can now collaborate more effectively with overseas regulators. That adds a layer of reassurance for schools, especially those using international tools and platforms.

And for school leaders, it sends a gentle but important signal that data protection isn’t just a tick-box, it’s a global issue. The choices you make around platforms, permissions, and parental consent really do matter.

In the grand scheme of education, Global CAPE might not change your day-to-day immediately. But it’s part of a wider story: one where governments are finally realising that digital rights, especially for children, need international protection.

And while your focus may rightly stay on helping students grow, learn, and thrive, you can also be confident that the data trail they leave behind is being watched over by more than just your school server.

Because privacy doesn’t stop at the school gate anymore and now, neither does enforcement.

/by

New Tech, Same Responsibilities: Data Protection in the Age of AI and EdTech

You’ve probably heard it by now, EdTech is booming. From lesson-planning AI to real-time behaviour tracking, schools across the UK are embracing technology faster than ever. Whether it’s a new learning app or a full-blown Management Information System (MIS), the promise is the same: smarter classrooms, less admin, and happier teachers.

But here’s the thing, every time we bring in a new tool, we also bring in new responsibilities, especially when it comes to data protection. For schools, ensuring any technology used complies with the UK General Data Protection Regulation (UK GDPR) is not just good practice; it’s a legal obligation.

EdTech solutions, especially those powered by AI, often rely on vast quantities of pupil data to function effectively. This may include:

  • Personal identifiers (e.g., name, date of birth, student ID)
  • Behavioural data (e.g., clicks, interactions)
  • Academic records and performance metrics
  • Special educational needs (SEN) information

If not properly safeguarded, the processing of such data can expose schools to legal, reputational, and ethical risks.

Let’s walk through what this means in practice, and how school leaders and Data Protection Officers (DPOs) can make sure their school stays compliant with UK GDPR.

A Quick Story: “We’re Getting a New MIS!”

Imagine this:

A secondary school in Manchester is rolling out a shiny new MIS platform. It promises everything; attendance tracking, timetabling, safeguarding notes, SEND support, and even parent communications, all under one digital roof.

Everyone’s excited. The SLT’s impressed. The IT manager loves the interface. Staff are dreaming of fewer spreadsheets. But then the DPO raises a hand:

“Have we done a data protection impact assessment yet?”

Cue the room going quiet.

This scenario plays out more often than you’d think. New tech comes in fast, but data protection often lags behind, or worse, gets missed entirely. So how do we avoid that?

Step 1: Start with the Right Questions

Before rolling out any new EdTech or AI tool, ask:

  • What kind of data will this tool collect?
  • Where will that data be stored, and for how long?
  • Has the supplier given us a clear privacy notice?
  • Do we need a Data Protection Impact Assessment (DPIA)?

(Hint: if the system processes special category data or monitors students at scale, as most MIS platforms do, the answer is almost certainly yes.)

Step 2: Pre-Vetting Checks – Your EdTech Compliance Toolkit

Whether you’re reviewing a new reading app or a full MIS, these checks will help you make sure the supplier is up to standard:

Data Processing Agreement (DPA)

Every third-party supplier must sign a DPA with your school. It should clearly lay out:

  • What data is being processed and why
  • Who is responsible for what
  • How long the data is kept
  • What happens at the end of the contract

Lawful Basis

Can the supplier justify why they’re processing pupil data? Schools usually rely on public task, but some EdTech tools, especially optional ones, may need consent. Be wary if it’s not clear.

Data Minimisation

Does the tool only collect what it needs? Or is it asking for extra fields “just in case”? Push back on anything that feels excessive.

Hosting and Security

Is the data stored in the UK or a country with an adequacy decision? Ask if they have:

  • Encryption at rest and in transit
  • Access controls
  • ISO 27001 or equivalent certifications
  • A breach response process

Transparency for Pupils and Parents

Can parents understand what data is collected and why? Suppliers should provide plain-English privacy policies, and so should your school.

Rights and Deletion

Can users (or the school) delete data easily if needed? Are retention periods clearly set out?

Step 3: Don’t Forget AI-Specific Risks

AI tools in EdTech often involve profiling or automated decision-making. Before using them:

  • Ask how the algorithms work (and whether human oversight is possible)
  • Check whether the tool could make significant decisions about students, like predicting attainment levels, or flagging safeguarding risks
  • Make sure pupils’ rights under Article 22 (automated decision-making) are respected

Step 4: Review Existing Tools Too

It’s not just about new tech. Many schools have tools they’ve used for years that may no longer meet today’s standards. Schedule regular audits to:

  • Check for feature creep (new functions = new risks)
  • Revisit supplier agreements
  • Reassess DPIAs
  • Make sure any changes to data use are reflected in your privacy notices

Let’s Get the Balance Right

We all want to give our pupils the best experience, and sometimes that means embracing innovation. But good data protection isn’t about blocking progress. It’s about asking the right questions before a breach or complaint happens.

As a DPO or senior leader, you don’t have to say no to every new tool. You just need to make sure the supplier (and the school) are doing things properly, within the law, ethically, and with children’s best interests in mind.

Remember: If in doubt, ask. Talk to your local authority, your MAT data protection lead, or a privacy professional. Protecting pupil data is everyone’s responsibility and with a little due diligence, your school can be both innovative and compliant.

/by

Data Protection vs. Information Security in Schools — Why Both Matter, and How to Get Them Right

Let’s face it, school leaders today wear a lot of hats.

One minute, you’re supporting staff wellbeing; the next, you’re signing off on an EdTech contract, responding to a Subject Access Request, or checking if the new Wi-Fi rollout has encryption (whatever that means, right?).

In today’s increasingly digital world, two terms often crop up: Information Management (or data protection) and Information Security.

They sound similar, and they are closely connected, but they’re not the same. Both are essential in keeping your school’s data safe, legal, and well-managed. Understanding the difference can help you ask the right questions, delegate responsibilities wisely, and build a strong culture of trust and compliance across your school.

Let’s unpack what each one means, and why both matter equally.

What’s the Difference?

Information Management (Data Protection)

This is about how personal data is collected, used, stored, shared and deleted in line with laws like the UK GDPR and the Data Protection Act 2018. It’s focused on the rights of individuals (like pupils, parents and staff) and ensuring their personal data is treated fairly and lawfully.

Think of it as the “legal and ethical brain” behind how information flows through your school.

Examples:

  • Making sure parental consent is collected for use of a pupil’s photo
  • Responding to Subject Access Requests within the required timeframe
  • Having a clear retention schedule (so you’re not holding on to pupil data for 25 years “just in case”)
  • Ensuring only authorised staff can access safeguarding notes or health records

Lead roles: Usually the Data Protection Officer (DPO) or a senior leader with compliance responsibilities.

Information Security

Information security is about the technical and organisational measures you take to protect information from loss, damage, unauthorised access, or theft, whether it’s stored on paper, a laptop, or in the cloud.

It’s the “digital and physical shield” that keeps your systems and data safe.

Examples:

  • Encrypting devices and backing up files
  • Using strong passwords and locking screens
  • Preventing ransomware attacks
  • Ensuring staff don’t email personal data to the wrong recipient

Lead roles: Typically your IT manager, network team, or a designated security officer, often working closely with the DPO.

Aren’t They Completely Separate?

Not quite.

While information management and information security are distinct disciplines with different focuses, they are both key components of compliance under the UK GDPR.

In fact, the UK GDPR specifically requires organisations (including schools) to:

  • Process personal data lawfully, fairly and transparently (that’s information management)
  • Implement appropriate technical and organisational measures to keep data secure (that’s information security)
  • Be able to demonstrate accountability across both areas

So while they each require different expertise, they’re two sides of the same coin when it comes to protecting personal data.

If you have a great privacy policy but your systems are wide open to cyber threats you’re not GDPR compliant. And vice versa: even bulletproof IT security can’t cover for poor practices around data sharing, consent, or retention.

Why You Need Both

Let’s say that your school introduces a new wellbeing platform for pupils.

  • You’ve reviewed its privacy notice
  • You’ve completed a DPIA
  • You’ve told parents how the data will be used

But…

  • Staff are accessing it using shared logins
  • The password is “admin123”
  • You haven’t enabled two-factor authentication

You’ve done your information management well but failed on information security. That could still result in a data breach.

On the flip side, imagine the platform is highly secure; encrypted, password protected, hosted in the UK, but the school didn’t check the legal basis for processing or review the contract terms.

Now you’ve got a data protection problem.

Bottom line?
You need both working together to meet your responsibilities, legally and ethically.

 

So What Does Good Practice Look Like in a School?

Here’s a blended checklist of best practices to help keep your school safe, compliant and prepared:

Do Regular Data Audits

  • Know what personal data you hold, where it’s stored, why you need it, and how long you’re keeping it.
  • Review systems, spreadsheets, email lists, and apps, not just paper records.

Train Staff in Both Areas

  • Teach all staff the basics of data protection and information security, from recognising phishing emails to understanding how to respond to a Subject Access Request.
  • Tailor training for higher-risk roles (e.g. safeguarding, admin, SEND).

Lock It Down

  • Use strong passwords, screen locks, and encrypted devices.
  • Remove access for staff who no longer need it (or have left the school).
  • Consider multi-factor authentication for sensitive systems like MIS or safeguarding platforms.

Review and Share Clear Policies

  • Acceptable use, email and internet use, breach reporting, retention and disposal policies, these shouldn’t be buried on your intranet.
  • Keep them short, practical, and jargon-free.

Don’t Keep Data “Just in Case”

  • Apply your retention schedule and securely delete or archive data once it’s no longer needed.
  • Shred paper records and securely wipe devices.

Be Breach-Aware

  • Know what a breach is (It’s not just data hacking, sending data to the wrong person counts too!)
  • Have a simple breach reporting process that all staff understand
  • Keep a breach log and review it regularly with SLT and your DPO

Shared Responsibility

Data protection isn’t just the DPO’s job. And security isn’t just for the IT team.

Every member of staff has a part to play, from the headteacher to the lunchtime supervisor. By making these two areas part of your everyday school culture, you create a safer environment for your staff, your students, and your wider community.

If you’re not sure where your school stands on data protection or security, you’re not alone. Many schools benefit from a joint review with their DPO, IT team, and SLT, looking at risks, roles, and readiness.

If you’re looking to strengthen both areas, consider:

  • Running a joint INSET session on “Data Protection + Cyber Hygiene”
  • Reviewing your breach log together with IT and DPO staff

Booking an external audit of your information governance and security setup

/by

SARs vs School Records: Subject Access or Education Regulations?

If you’ve ever opened your inbox and seen a message from a parent asking for “all the information you hold on my child,” your first thought was probably:

“Subject Access Request!”

But hold on — not every request for pupil information automatically falls under the UK GDPR. Sometimes, it’s actually a request under education regulations, depending on what’s being asked — and the type of school you are.

Understanding the difference is key. Not only does it help you respond lawfully and efficiently, but it also helps manage expectations and avoid unnecessary workload.

There are two main legal routes parents (or pupils themselves) might use to request access to information:

  1. Subject Access Request (SAR) – under the UK GDPR / Data Protection Act 2018

This allows an individual, including a pupil depending on their age and capacity, to request their own personal data.

  1. Request for the Educational Record – under the Education (Pupil Information) (England) Regulations 2005

This allows parents to request a copy of their child’s educational record, but only if the child attends a maintained school.

Let’s look at each in a little more detail.

Subject Access Requests (SARs) – GDPR territory

This is all about personal data.

Anyone can ask for a copy of the data you hold about them, including pupils (depending on their age and maturity), staff, or parents asking for their own data.

When it comes to parents asking for their child’s data, you’ll need to check whether the child is old enough and mature enough to understand what’s being asked. If they are, they should normally be the one making the request or at least give permission for the parent to do it on their behalf.

If they’re younger or not able to understand, the parent can usually make the request.

What does a SAR cover?

Any personal data you hold about that person. That might include:

  • Behaviour notes
  • Emails mentioning the pupil
  • Health or SEN info
  • Safeguarding logs (with care!)
  • CCTV footage (if the pupil is clearly visible)

When it comes to Subject Access Requests, any type of school may receive a request, including maintained, academies, free schools, and independents and you have 1 calendar month to respond.

Request for the Educational Record – Pupil Regulations

This one is specifically for parents of children at maintained schools (i.e. those run by local authorities). It gives them the right to see their child’s educational record, which is basically anything to do with their progress, learning, and life in school.

What counts as an educational record?

Think stuff like:

  • School reports
  • Attendance records
  • SEN plans
  • Notes from parent-teacher meetings
  • Behaviour points
  • Targets or interventions

It doesn’t include:

  • Child protection files
  • Teacher’s personal notes
  • Information that could seriously harm the child or someone else

Under these regulations, you have 15 school days to respond. You can also apply a charge to cover printing or postage, though most schools just send it electronically for free these days.

For academies and free schools, the right to the educational record doesn’t apply. But many still choose to share records in a similar way, just to be helpful and consistent. It is the same deal with Independent schools, there is no right to the educational record. Parents need to go down the SAR route if they want information about their child, and only if the child isn’t old enough to make the request themselves.

While SARs and education record requests are different, there’s a bit of crossover. Some information might be shared under both, and that’s OK. The key is understanding which law applies and making sure you’re not accidentally oversharing or withholding something you shouldn’t.

When in doubt, take a breath, talk to your DPO, and go from there.

/by

Sentry System Updates 2023

Over the past 12 months, we’ve been busy behind the scenes, rolling out exciting new features, fine-tuning your favourite tools, and delivering enhancements that make your day-to-day work a little bit smoother (and a lot more efficient). Whether it’s a shiny new module or subtle improvements to existing systems, we’ve been listening to your feedback and turning it into action.

So, what’s new in our tech treasure trove?

A brand-new User Manual to guide you through every step, An incredible, new, Complaints module to streamline your processes, New data fields in the reporting of SARs, Breaches, and FOIs to give you even more control and clarity. Oh, and if you’ve ever wished for a cleaner, more intuitive layout you’ll love the updated Group Summary section.

Plus, for those “I need help right now” moments, we’ve made sure you’re covered with fully comprehensive help sections that are always just a click away.

Intrigued? Want to know more?

Existing customers can contact their dedicated Customer Success Manager for more information on all of the latest updates, or even a “show and tell”.

If you’re new to Sentry, why not book a Demo of our system. Its quick and simple, just click on “book a demo” on the homepage and choose a date and time that suits you.

/by