Let’s face it, school leaders today wear a lot of hats.
One minute, you’re supporting staff wellbeing; the next, you’re signing off on an EdTech contract, responding to a Subject Access Request, or checking if the new Wi-Fi rollout has encryption (whatever that means, right?).
In today’s increasingly digital world, two terms often crop up: Information Management (or data protection) and Information Security.
They sound similar, and they are closely connected, but they’re not the same. Both are essential in keeping your school’s data safe, legal, and well-managed. Understanding the difference can help you ask the right questions, delegate responsibilities wisely, and build a strong culture of trust and compliance across your school.
Let’s unpack what each one means, and why both matter equally.
What’s the Difference?
Information Management (Data Protection)
This is about how personal data is collected, used, stored, shared and deleted in line with laws like the UK GDPR and the Data Protection Act 2018. It’s focused on the rights of individuals (like pupils, parents and staff) and ensuring their personal data is treated fairly and lawfully.
Think of it as the “legal and ethical brain” behind how information flows through your school.
Examples:
- Making sure parental consent is collected for use of a pupil’s photo
- Responding to Subject Access Requests within the required timeframe
- Having a clear retention schedule (so you’re not holding on to pupil data for 25 years “just in case”)
- Ensuring only authorised staff can access safeguarding notes or health records
Lead roles: Usually the Data Protection Officer (DPO) or a senior leader with compliance responsibilities.
Information Security
Information security is about the technical and organisational measures you take to protect information from loss, damage, unauthorised access, or theft, whether it’s stored on paper, a laptop, or in the cloud.
It’s the “digital and physical shield” that keeps your systems and data safe.
Examples:
- Encrypting devices and backing up files
- Using strong passwords and locking screens
- Preventing ransomware attacks
- Ensuring staff don’t email personal data to the wrong recipient
Lead roles: Typically your IT manager, network team, or a designated security officer, often working closely with the DPO.
Aren’t They Completely Separate?
Not quite.
While information management and information security are distinct disciplines with different focuses, they are both key components of compliance under the UK GDPR.
In fact, the UK GDPR specifically requires organisations (including schools) to:
- Process personal data lawfully, fairly and transparently (that’s information management)
- Implement appropriate technical and organisational measures to keep data secure (that’s information security)
- Be able to demonstrate accountability across both areas
So while they each require different expertise, they’re two sides of the same coin when it comes to protecting personal data.
If you have a great privacy policy but your systems are wide open to cyber threats, you're not GDPR compliant. And vice versa: even bulletproof IT security can't cover for poor practices around data sharing, consent, or retention.
Why You Need Both
Let’s say that your school introduces a new wellbeing platform for pupils.
- You’ve reviewed its privacy notice
- You’ve completed a DPIA
- You’ve told parents how the data will be used
But…
- Staff are accessing it using shared logins
- The password is “admin123”
- You haven’t enabled two-factor authentication
You’ve done your information management well but failed on information security. Shared logins mean you can’t tell who looked at a pupil’s record, a password like “admin123” can be guessed in seconds, and without two-factor authentication a single phished password hands an attacker the whole platform. That could still result in a data breach.
On the flip side, imagine the platform is highly secure (encrypted, password protected, hosted in the UK), but the school didn’t check the legal basis for processing or review the contract terms.
Now you’ve got a data protection problem.
Bottom line?
You need both working together to meet your responsibilities, legally and ethically.
So What Does Good Practice Look Like in a School?
Here’s a blended checklist of best practices to help keep your school safe, compliant and prepared:
Do Regular Data Audits
- Know what personal data you hold, where it’s stored, why you need it, and how long you’re keeping it.
- Review systems, spreadsheets, email lists, and apps, not just paper records.
Train Staff in Both Areas
- Teach all staff the basics of data protection and information security, from recognising phishing emails to understanding how to respond to a Subject Access Request.
- Tailor training for higher-risk roles (e.g. safeguarding, admin, SEND).
Lock It Down
- Use strong, unique passwords (one per person, never shared accounts), screen locks, and encrypted devices.
- Remove access promptly for staff who no longer need it, and on the day they leave the school.
- Enable multi-factor authentication for sensitive systems like MIS or safeguarding platforms, and for any account that can be reached from the internet, such as staff email.
Review and Share Clear Policies
- Acceptable use, email and internet use, breach reporting, retention and disposal policies: these shouldn’t be buried on your intranet.
- Keep them short, practical, and jargon-free.
Don’t Keep Data “Just in Case”
- Apply your retention schedule and securely delete or archive data once it’s no longer needed.
- Shred paper records and securely wipe devices.
Be Breach-Aware
- Know what a breach is (it’s not just hacking; sending data to the wrong person, or losing an unencrypted laptop, counts too)
- Have a simple breach reporting process that all staff understand, and know when a breach must be reported to the ICO (within 72 hours of becoming aware of it, where it is likely to result in a risk to individuals)
- Keep a breach log and review it regularly with SLT and your DPO
Shared Responsibility
Data protection isn’t just the DPO’s job. And security isn’t just for the IT team.
Every member of staff has a part to play, from the headteacher to the lunchtime supervisor. By making these two areas part of your everyday school culture, you create a safer environment for your staff, your students, and your wider community.
If you’re not sure where your school stands on data protection or security, you’re not alone. Many schools benefit from a joint review with their DPO, IT team, and SLT, looking at risks, roles, and readiness.
If you’re looking to strengthen both areas, consider:
- Running a joint INSET session on “Data Protection + Cyber Hygiene”
- Reviewing your breach log together with IT and DPO staff
- Booking an external audit of your information governance and security setup