Picture this: a student who left school years ago reaches out with a request. They’d like their personal data removed from your records. Not just from the admissions system, but everything: emails, reports, maybe even that long-forgotten incident log from Year 9. They’ve moved on and want their past to do the same.

It’s a request that might feel particularly familiar as we approach the end of the academic year. Leavers are saying their goodbyes, staff are wrapping up reports, and across schools and universities, inboxes are starting to fill with data requests of all kinds. One that stands out: the Right to Be Forgotten.

Under the UK GDPR, individuals have the “Right to Be Forgotten” (RTBF), meaning they can request the deletion of their personal data when it’s no longer necessary. On the surface, it’s empowering. People should have a say in how long their data is kept, and it makes sense that someone might want to shed parts of their past as they grow older.

But in education, where records aren’t just about individuals but about safeguarding, progress, accountability, and shared experiences, it’s not always a straightforward decision.

When Forgetting Isn’t That Simple

Educators are natural record-keepers. Whether it’s for safeguarding, special educational needs, or even just tracking progress over time, information often needs to be preserved for years, sometimes decades. Deleting a student’s file isn’t like clearing out an old inbox; it could mean losing context, closing the door on long-term support, or even creating gaps that matter later on.

Take safeguarding, for instance. A school may need to retain certain records well into adulthood because they could one day form part of a disclosure or investigation. It’s not about holding on to the past unnecessarily; it’s about being prepared for the future.

So when a deletion request lands, it’s not simply a matter of yes or no. It’s about finding the balance between respecting someone’s right to move on and the very real need to preserve records for legal, ethical, or pastoral reasons.

The Growing Digital Trail

Another challenge? The sheer amount of digital space education now occupies. Emails, learning platforms, CCTV, behaviour tracking software: it all adds up. And each of those systems might hold fragments of someone’s personal story.

In practice, this means schools and universities need to have a clear idea of where data lives, how long it needs to be kept, and when it can safely be deleted. That’s easier said than done, especially when older systems weren’t designed with the right to erasure in mind.

Still, we’re seeing encouraging progress. A number of schools have created systems for reviewing and safely deleting old data, ensuring they don’t keep more than they need to. Some universities have designed workflows that let them honour deletion requests without compromising core records like transcripts or misconduct reports. What’s key is having a clear, fair process and communicating it openly.

Conversations, Not Just Policies

The most effective responses to RTBF requests tend to start with a conversation, not a policy document. The best examples we’ve seen involve staff explaining clearly why some records must be kept, while also doing everything they can to remove unnecessary data. It’s about approaching each request with care and respect, rather than defensiveness or bureaucracy.

That human touch really matters. After all, people often ask to be “forgotten” not just out of privacy concerns, but because they want to close a chapter, sometimes after difficult experiences. Even when we can’t grant a full erasure, we can usually find ways to meet the spirit of the request with kindness and clarity.

So, Where Does That Leave Us?

The Right to Be Forgotten is both powerful and complex. It asks important questions about memory, responsibility, and care. And while it might feel tricky to navigate, it’s also a chance for schools and universities to reflect on the data they hold and why they hold it.

Are we keeping things because we need to? Or because we always have? Are we making space for people to move on? Or unintentionally anchoring them to a version of themselves they’ve long outgrown?

There are no perfect answers, and each case will be a little different. But what’s clear is that thoughtful, transparent processes and a bit of empathy go a long way. Forgetting, when it’s done well, can be an act of respect. And remembering, when necessary, can be an act of care.

If nothing else, it’s a good reminder that every bit of data we collect today might become part of someone’s story tomorrow. How we hold that story, and when we let it go, matters more than ever.

In a quiet primary school on the edge of town, a well-meaning teaching assistant printed a spreadsheet containing student health details. He left it in the staffroom just for a moment while making a cup of tea. When he returned, the document had vanished. It later turned up, crumpled and smudged with jam, in the Year 2 book corner.

No hackers, no malware. Just a simple, very human mistake.

When we hear “data breach,” it’s easy to picture a dramatic cyberattack. Dark rooms filled with glowing screens, stern-faced experts speaking in code, maybe even a ransom note demanding cryptocurrency. But in schools, breaches often take a much quieter, more familiar form. They’re the result of everyday errors and oversights, the kind we don’t always see as serious, even when they are.

In educational settings, personal data flows constantly. From pupil records and safeguarding notes to staff files, medical information, and assessment data – it’s all there, quietly underpinning the day-to-day rhythm of school life. And while schools have come a long way in formalising policies and investing in secure systems, there’s one area where vulnerability lingers: the forgotten, overlooked breaches.

Sometimes, it’s about destruction rather than disclosure. Take the school secretary who accidentally deletes a folder containing behavioural reports during a routine system tidy-up. Or the teacher who loses a handwritten safeguarding log in a spring clean, thinking it was scrap paper. It’s easy to assume that if no one else accessed the data, there’s no breach. But loss and destruction, intentional or not, can have a serious impact on the individuals that data relates to.

Alteration is another blind spot. It might seem harmless when a colleague “tweaks” a student’s medical note for clarity or edits a pastoral record without documenting the change. But even small, unauthorised edits can lead to confusion or, worse, misinformed decisions. One school found itself in difficulty after a student’s allergy record was edited to say “mild intolerance” rather than “anaphylaxis.” A well-meaning change, but a deeply risky one.

And then there’s unauthorised access, often accidental but nonetheless serious. A casual conversation in the corridor mentioning a child’s social services involvement. A screen left unlocked during a lunchtime rush. A well-intentioned parent volunteer glimpsing confidential student data while helping out in the office. No malicious intent, but the boundaries blur all the same.

Loss of data is just as often physical as it is digital. Laptops go missing, USB drives slip between sofa cushions, old filing cabinets are emptied into bins without checking the contents. One secondary school discovered that its entire archive of paper attendance logs had been mistakenly shredded during a storage room clear-out. Years of data, gone in an afternoon.

These are not stories of negligence or malice. They’re stories of busy people juggling multiple responsibilities, making small decisions in a fast-paced environment. But these small moments, multiplied across a school, can create quiet cracks in data protection, cracks where trust can quietly seep away.

So, how do we raise awareness without creating fear?

First, we shift the way we talk about data breaches. Instead of painting them as rare and technical, we frame them as something all of us have a role in preventing. This isn’t about panicking over paperwork; it’s about embedding a culture of care, where data is treated with the same respect as student safety or wellbeing.

Telling real, relatable stories helps. A GDPR workshop might prompt yawns, but a discussion about how a misdirected email affected a vulnerable student lands very differently. It’s not about ticking boxes; it’s about protecting relationships.

Second, we make it safe for staff to report near misses. Too often, people worry about being blamed or embarrassed. But a culture of openness turns mistakes into opportunities to learn and improve. A teacher who admits to accidentally sharing the wrong document helps the whole school get better.

And finally, we remember that leadership sets the tone. When senior staff prioritise data protection not just as compliance but as a matter of integrity, it filters down. When they model good habits such as locking screens, questioning poor practices, and inviting feedback, it becomes part of the school’s DNA.

In schools, trust is everything. Families trust staff to keep their children safe, not just physically, but emotionally and digitally too. That trust isn’t only built through grand gestures; it’s upheld in the smallest details: how we store, share, and respect the information we hold.

Because in the end, a breach doesn’t have to be loud to be damaging. It can be a file lost, a conversation overheard, a folder carelessly edited. And protecting against those quiet breaches is one of the responsibilities we all share.

“Miss, what’s GDPR? Is it a new exam board?”

That question might have raised a chuckle back in 2018, when GDPR first arrived with its bundle of acronyms, policy updates, and general sense of urgency. But here we are in 2025, seven years on, and the UK GDPR is no longer the new kid on the block. It’s settled in, taken its place alongside safeguarding, SEND, and all the other core responsibilities that shape everyday life in education.

The big question is: have we settled in with it?

Looking Back (and Forward)

When the GDPR first landed, there was a flurry of activity: privacy notices were redrafted, training sessions booked, and data audits launched with admirable enthusiasm. Since then, many schools, colleges and universities have found their rhythm with data protection. It’s become part of the background noise of school life: necessary, not always exciting, but undoubtedly important.

Still, while the panic may have subsided, that doesn’t mean the pressure has. In fact, the expectations have only grown. With the increasing use of digital tools in classrooms, the rise of online learning, and greater public awareness of privacy issues, it’s no longer enough to simply tick the GDPR box and carry on. The way we manage personal data has become part of how our communities judge our professionalism and trustworthiness.

And rightly so. In education, we hold some of the most sensitive information people will ever share, from learning needs and medical information to safeguarding records and home circumstances. Protecting that data is part of the duty of care we owe to every pupil, student, parent, and colleague.

In recent years, we’ve seen both missteps and good practice across the sector. One well-known case involved a phishing email that led to a serious breach at a large multi-academy trust. Despite having the right policies on paper, the real problem turned out to be a lack of practical staff training. It was a simple mistake, but one with far-reaching consequences.

On the other hand, many institutions have shown what good looks like. Several universities, for example, now include GDPR awareness as part of induction for all staff, and make regular updates part of their professional development cycle. One even ran a student-led privacy campaign, helping young people understand their own rights while building a culture of shared responsibility. The message was clear: data protection isn’t just admin; it’s part of how we show care and respect.

What GDPR Means in 2025

We’re now working in a digital-first education landscape. Learning platforms, behaviour tracking systems, AI-driven learning tools: they all collect and process data in increasingly complex ways. GDPR hasn’t stood still either; the principles remain the same, but the questions we need to ask have evolved.

Are we being transparent with families and students about how their data is used? Are we confident the apps and platforms we rely on are genuinely secure and compliant? Are we sure that only the right people in our organisations can access sensitive information?

These aren’t questions for data managers alone. They’re questions for senior leaders, teachers, support staff – everyone who touches information in any form. Because GDPR is no longer just a legal requirement. In 2025, it’s part of how we show we’re trustworthy professionals.

Seven Years In: What’s Changed?

What’s changed, more than anything, is awareness. Students are more privacy-savvy. Parents are asking sharper questions. Staff are more alert to the risks and responsibilities of handling personal data.

And that’s a good thing.

It means we can shift the conversation from compliance to confidence. When GDPR is built into our culture, not just our policies, it becomes part of a wider approach to doing things well. Much like safeguarding, it becomes part of how we think, plan and care.

So, whether you’re updating a digital platform, emailing student records, or printing off that spreadsheet for a meeting, it’s worth pausing to reflect. Not in fear, but in thoughtfulness. Is this the safest way to handle this information? Do I need to do anything differently? Would I feel comfortable explaining this decision to a parent?

There’s no denying that GDPR doesn’t always feel urgent (until something goes wrong). But it’s one of those quiet responsibilities that says a lot about who you are as educators. It speaks to the trust placed in you, and the way you uphold it day after day.

Seven years on, we’ve come a long way. And with thoughtful leadership, practical systems, and a bit of shared awareness, we’ll keep moving in the right direction.

After all, data protection is really about people, and education has always been good at putting people first.

Imagine you’re sat in the staffroom, half-eaten biscuit in one hand, half-finished student spreadsheet on the screen. You scroll down a list of names, notes, and numbers, some of which, to your horror, date back to the year David Cameron was still Prime Minister.

You mutter to yourself: “Why do we still have this data? Is this even legal?”

Well, you’re in luck. Help may be on the horizon, wrapped in bureaucracy, yes, but still help.

The UK’s Data (Use and Access) Bill is the government’s latest attempt to bring data protection into the 21st century without sending educators and administrators into panic-induced paper purges. So, what does it mean for you and your school? Let’s unpack it without the legalese, and with your sanity in mind.

So… What Is This Bill Actually About?

At its core, the Data (Use and Access) Bill (or DUAB, if you’re into acronyms) is about striking a balance between making better use of data and protecting people’s rights, especially children’s.

It’s part of the government’s broader post-Brexit effort to move away from some of the more rigid elements of EU GDPR, while still holding onto the values that matter: transparency, safety, and accountability. Think of it as GDPR’s sensible cousin, still serious, but a little more practical in the school setting.

Why Should Schools Care?

Here’s the thing: schools are absolute treasure troves of personal data. From safeguarding notes and behavioural logs to dinner money apps and biometric attendance systems, they gather data like Year 7s gather Pokémon cards, except there’s legal liability attached.

This Bill is nudging us gently but firmly towards smarter, clearer, and more responsible data use. For instance, it’s placing extra emphasis on how we use children’s data in digital tools and platforms. That means reviewing whether educational software is using personal information appropriately, and not quietly siphoning it off to train some mysterious AI model in the background.

Also under the spotlight? Automated decision-making. If you’ve ever wondered whether a student’s algorithmic “progress tracker” is making assumptions you wouldn’t make as a teacher… well, the DUAB has your back. It demands transparency and human oversight when important decisions are being made based on data. Because let’s face it, no algorithm knows your pupils like you do.

But Wait, There’s More…

One of the big ideas in the DUAB is around data retention. Remember that ancient spreadsheet I mentioned earlier? Under the Bill, keeping data “just in case” won’t cut it anymore. Schools will need clear justifications for how long data is kept and must be able to show they’re not hoarding it unnecessarily. It’s like a spring clean, but for your school server.

The Bill also introduces measures to simplify compliance. For schools, this could mean fewer hoops to jump through when working with third-party apps or local authorities, as long as the data use aligns with the public good and proper protections are in place.

So, What Should We Do Now?

First off, don’t panic. This Bill isn’t a ticking time bomb. It’s more of a nudge to think seriously about how we treat data in our schools and to embed that into our day-to-day decision-making.

It’s a good time to:

  • Talk to your school’s Data Protection Officer (you know, the one who pops up every year reminding everyone about GDPR).
  • Review your school’s data retention schedule – are you keeping stuff longer than necessary?
  • Ask questions about any new edtech platforms you’re trialling. Are they transparent? Safe for students? Do they actually need all the information they’re collecting?

And finally, keep the conversation going. Data protection isn’t just a compliance issue; it’s about trust. Parents trust us with their children. Students trust us with their futures. Managing their data responsibly is part of honouring that trust.

Ultimately, this isn’t just a policy update; it’s a cultural shift. The DUAB reminds us that data is more than a digital asset. It’s personal. It’s powerful. And in education, it’s deeply human.

So next time you open a spreadsheet that hasn’t been touched since the last Ofsted inspection, take a moment. Ask yourself not just “Do we need this?” but also “Is keeping this still respectful to the person behind the data?”

Because in the classroom, in the office, or even in the server room, one truth remains: good education starts with good ethics.

There’s something unmistakable in the air when an inspection is on the horizon. You can feel the hum of preparation in every corridor: policies being printed, classroom displays getting a refresh, and colleagues exchanging knowing glances over the photocopier. It’s all hands on deck, and every detail matters.

But as walls are re-pinned and cupboards reorganised, another question often arises quietly in the background: Are we still within the bounds of data protection law?

The answer isn’t always as straightforward as we’d like. In fact, GDPR considerations often become most visible in the very things we proudly display on classroom walls, in shared corridors, or on digital screens. And during inspection season, those questions only feel more urgent.

Let’s consider a familiar example: a colourful “Star of the Week” board, complete with names, photos, and personal achievements. It’s a lovely way to celebrate success, but what if one of those pupils has a parent who didn’t give consent for photos? Or a safeguarding concern that makes public identification risky? Even the most well-intentioned display can inadvertently stray into problematic territory.

The same applies to medical or allergy information. Many schools use posters or visual aids to make staff aware of pupil needs, particularly in lunch halls or near staff kitchens. But if that information includes photos, names, and medical conditions in areas accessed by other pupils or visitors, it crosses into “special category data” under UK GDPR. That kind of information requires extra care.

Digital spaces are no less important. In the rush to prepare documents, it’s easy to leave a screen open or a shared drive exposed. But if personal pupil data is left visible or accessible to those without a legitimate reason to view it, the school could find itself facing not only a privacy concern, but potentially a reportable data breach.

None of this means schools must remove every trace of student celebration or wrap the walls in plain paper. GDPR doesn’t ask us to stop recognising achievement; it asks us to think critically about how we do it.

One school I worked with ran what they called a “privacy walk” in the days leading up to an inspection. Staff took ten minutes to walk through shared spaces with fresh eyes, asking themselves: Can visitors see anything they shouldn’t? Are personal details on show unnecessarily? Are we being mindful with how we display medical or safeguarding information? It was a quick, simple exercise that made a measurable difference to their overall compliance, and their confidence, on inspection day.

Similarly, one teacher I spoke to found an elegant solution to a parent’s concern over public displays of progress. Instead of using names on her reward chart, she assigned each child an animal symbol: “Team Owl,” “Team Fox,” and so on. It respected privacy, kept parents satisfied, and the pupils embraced it wholeheartedly.

What matters most is that schools are able to demonstrate thoughtful, proportionate decision-making. Inspectors don’t expect perfection, but they do expect to see that staff understand the principles of data protection and have taken reasonable steps to comply.

If you’re unsure about a display, a chart, or a staffroom noticeboard, ask yourself: Is it necessary? Is it proportionate? And have we obtained the right consent, where needed? If you’re still unsure, speak to your data protection lead or DPO. Getting the answer right before inspection day is far easier than addressing concerns after the fact.

Ultimately, compliance isn’t about red tape; it’s about respect. Respecting pupils’ rights, respecting families’ expectations, and respecting the trust placed in schools to safeguard not only children, but their information.

So as inspection season gathers pace, take a moment to review the little things. The name tags, the photo walls, the charts with more detail than needed. Because when the inspector walks in and the questions start, you’ll be glad you did.

You’ve probably heard it by now: EdTech is booming. From lesson-planning AI to real-time behaviour tracking, schools across the UK are embracing technology faster than ever. Whether it’s a new learning app or a full-blown Management Information System (MIS), the promise is the same: smarter classrooms, less admin, and happier teachers.

But here’s the thing: every time we bring in a new tool, we also bring in new responsibilities, especially when it comes to data protection. For schools, ensuring any technology used complies with the UK General Data Protection Regulation (UK GDPR) is not just good practice; it’s a legal obligation.

EdTech solutions, especially those powered by AI, often rely on vast quantities of pupil data to function effectively. This may include:

  • Personal identifiers (e.g., name, date of birth, student ID)
  • Behavioural data (e.g., clicks, interactions)
  • Academic records and performance metrics
  • Special educational needs (SEN) information

If not properly safeguarded, the processing of such data can expose schools to legal, reputational, and ethical risks.

Let’s walk through what this means in practice, and how school leaders and Data Protection Officers (DPOs) can make sure their school stays compliant with UK GDPR.

A Quick Story: “We’re Getting a New MIS!”

Imagine this:

A secondary school in Manchester is rolling out a shiny new MIS platform. It promises everything: attendance tracking, timetabling, safeguarding notes, SEND support, and even parent communications, all under one digital roof.

Everyone’s excited. The SLT’s impressed. The IT manager loves the interface. Staff are dreaming of fewer spreadsheets. But then the DPO raises a hand:

“Have we done a data protection impact assessment yet?”

Cue the room going quiet.

This scenario plays out more often than you’d think. New tech comes in fast, but data protection often lags behind, or worse, gets missed entirely. So how do we avoid that?

Step 1: Start with the Right Questions

Before rolling out any new EdTech or AI tool, ask:

  • What kind of data will this tool collect?
  • Where will that data be stored, and for how long?
  • Has the supplier given us a clear privacy notice?
  • Do we need a Data Protection Impact Assessment (DPIA)?

(Hint: if the system processes special category data or monitors students at scale, as most MIS platforms do, the answer is almost certainly yes.)

Step 2: Pre-Vetting Checks – Your EdTech Compliance Toolkit

Whether you’re reviewing a new reading app or a full MIS, these checks will help you make sure the supplier is up to standard:

Data Processing Agreement (DPA)

Every third-party supplier must sign a DPA with your school. It should clearly lay out:

  • What data is being processed and why
  • Who is responsible for what
  • How long the data is kept
  • What happens at the end of the contract

Lawful Basis

Can the supplier justify why they’re processing pupil data? Schools usually rely on public task, but some EdTech tools, especially optional ones, may need consent. Be wary if it’s not clear.

Data Minimisation

Does the tool only collect what it needs? Or is it asking for extra fields “just in case”? Push back on anything that feels excessive.

Hosting and Security

Is the data stored in the UK or a country with an adequacy decision? Ask if they have:

  • Encryption at rest and in transit
  • Access controls
  • ISO 27001 or equivalent certifications
  • A breach response process

Transparency for Pupils and Parents

Can parents understand what data is collected and why? Suppliers should provide plain-English privacy policies, and so should your school.

Rights and Deletion

Can users (or the school) delete data easily if needed? Are retention periods clearly set out?

Step 3: Don’t Forget AI-Specific Risks

AI tools in EdTech often involve profiling or automated decision-making. Before using them:

  • Ask how the algorithms work (and whether human oversight is possible)
  • Check whether the tool could make significant decisions about students, like predicting attainment levels, or flagging safeguarding risks
  • Make sure pupils’ rights under Article 22 (automated decision-making) are respected

Step 4: Review Existing Tools Too

It’s not just about new tech. Many schools have tools they’ve used for years that may no longer meet today’s standards. Schedule regular audits to:

  • Check for feature creep (new functions = new risks)
  • Revisit supplier agreements
  • Reassess DPIAs
  • Make sure any changes to data use are reflected in your privacy notices

Let’s Get the Balance Right

We all want to give our pupils the best experience, and sometimes that means embracing innovation. But good data protection isn’t about blocking progress. It’s about asking the right questions before a breach or complaint happens.

As a DPO or senior leader, you don’t have to say no to every new tool. You just need to make sure the supplier (and the school) are doing things properly, within the law, ethically, and with children’s best interests in mind.

Remember: if in doubt, ask. Talk to your local authority, your MAT data protection lead, or a privacy professional. Protecting pupil data is everyone’s responsibility, and with a little due diligence, your school can be both innovative and compliant.

Let’s face it, school leaders today wear a lot of hats.

One minute, you’re supporting staff wellbeing; the next, you’re signing off on an EdTech contract, responding to a Subject Access Request, or checking if the new Wi-Fi rollout has encryption (whatever that means, right?).

In today’s increasingly digital world, two terms often crop up: Information Management (or data protection) and Information Security.

They sound similar, and they are closely connected, but they’re not the same. Both are essential in keeping your school’s data safe, legal, and well-managed. Understanding the difference can help you ask the right questions, delegate responsibilities wisely, and build a strong culture of trust and compliance across your school.

Let’s unpack what each one means, and why both matter equally.

What’s the Difference?

Information Management (Data Protection)

This is about how personal data is collected, used, stored, shared and deleted in line with laws like the UK GDPR and the Data Protection Act 2018. It’s focused on the rights of individuals (like pupils, parents and staff) and ensuring their personal data is treated fairly and lawfully.

Think of it as the “legal and ethical brain” behind how information flows through your school.

Examples:

  • Making sure parental consent is collected for use of a pupil’s photo
  • Responding to Subject Access Requests within the required timeframe
  • Having a clear retention schedule (so you’re not holding on to pupil data for 25 years “just in case”)
  • Ensuring only authorised staff can access safeguarding notes or health records

Lead roles: Usually the Data Protection Officer (DPO) or a senior leader with compliance responsibilities.

Information Security

Information security is about the technical and organisational measures you take to protect information from loss, damage, unauthorised access, or theft, whether it’s stored on paper, a laptop, or in the cloud.

It’s the “digital and physical shield” that keeps your systems and data safe.

Examples:

  • Encrypting devices and backing up files
  • Using strong passwords and locking screens
  • Preventing ransomware attacks
  • Ensuring staff don’t email personal data to the wrong recipient

Lead roles: Typically your IT manager, network team, or a designated security officer, often working closely with the DPO.

Aren’t They Completely Separate?

Not quite.

While information management and information security are distinct disciplines with different focuses, they are both key components of compliance under the UK GDPR.

In fact, the UK GDPR specifically requires organisations (including schools) to:

  • Process personal data lawfully, fairly and transparently (that’s information management)
  • Implement appropriate technical and organisational measures to keep data secure (that’s information security)
  • Be able to demonstrate accountability across both areas

So while they each require different expertise, they’re two sides of the same coin when it comes to protecting personal data.

If you have a great privacy policy but your systems are wide open to cyber threats, you’re not GDPR compliant. And vice versa: even bulletproof IT security can’t cover for poor practices around data sharing, consent, or retention.

Why You Need Both

Let’s say that your school introduces a new wellbeing platform for pupils.

  • You’ve reviewed its privacy notice
  • You’ve completed a DPIA
  • You’ve told parents how the data will be used

But…

  • Staff are accessing it using shared logins
  • The password is “admin123”
  • You haven’t enabled two-factor authentication

You’ve done your information management well, but failed on information security. That could still result in a data breach.

On the flip side, imagine the platform is highly secure (encrypted, password protected, hosted in the UK), but the school didn’t check the legal basis for processing or review the contract terms.

Now you’ve got a data protection problem.

Bottom line?
You need both working together to meet your responsibilities, legally and ethically.


So What Does Good Practice Look Like in a School?

Here’s a blended checklist of best practices to help keep your school safe, compliant and prepared:

Do Regular Data Audits

  • Know what personal data you hold, where it’s stored, why you need it, and how long you’re keeping it.
  • Review systems, spreadsheets, email lists, and apps, not just paper records.

Train Staff in Both Areas

  • Teach all staff the basics of data protection and information security, from recognising phishing emails to understanding how to respond to a Subject Access Request.
  • Tailor training for higher-risk roles (e.g. safeguarding, admin, SEND).

Lock It Down

  • Use strong passwords, screen locks, and encrypted devices.
  • Remove access for staff who no longer need it (or have left the school).
  • Consider multi-factor authentication for sensitive systems like MIS or safeguarding platforms.

Review and Share Clear Policies

  • Acceptable use, email and internet use, breach reporting, and retention and disposal policies shouldn’t be buried on your intranet.
  • Keep them short, practical, and jargon-free.

Don’t Keep Data “Just in Case”

  • Apply your retention schedule and securely delete or archive data once it’s no longer needed.
  • Shred paper records and securely wipe devices.

Be Breach-Aware

  • Know what a breach is (it’s not just hacking; sending data to the wrong person counts too!)
  • Have a simple breach reporting process that all staff understand
  • Keep a breach log and review it regularly with SLT and your DPO

Shared Responsibility

Data protection isn’t just the DPO’s job. And security isn’t just for the IT team.

Every member of staff has a part to play, from the headteacher to the lunchtime supervisor. By making these two areas part of your everyday school culture, you create a safer environment for your staff, your students, and your wider community.

If you’re not sure where your school stands on data protection or security, you’re not alone. Many schools benefit from a joint review with their DPO, IT team, and SLT, looking at risks, roles, and readiness.

If you’re looking to strengthen both areas, consider:

  • Running a joint INSET session on “Data Protection + Cyber Hygiene”
  • Reviewing your breach log together with IT and DPO staff
  • Booking an external audit of your information governance and security setup

If you’ve ever opened your inbox and seen a message from a parent asking for “all the information you hold on my child,” your first thought was probably:

“Subject Access Request!”

But hold on — not every request for pupil information automatically falls under the UK GDPR. Sometimes, it’s actually a request under education regulations, depending on what’s being asked — and the type of school you are.

Understanding the difference is key. Not only does it help you respond lawfully and efficiently, but it also helps manage expectations and avoid unnecessary workload.

There are two main legal routes parents (or pupils themselves) might use to request access to information:

  1. Subject Access Request (SAR) – under the UK GDPR / Data Protection Act 2018

This allows an individual, including a pupil depending on their age and capacity, to request their own personal data.

  2. Request for the Educational Record – under the Education (Pupil Information) (England) Regulations 2005

This allows parents to request a copy of their child’s educational record, but only if the child attends a maintained school.

Let’s look at each in a little more detail.

Subject Access Requests (SARs) – GDPR territory

This is all about personal data.

Anyone can ask for a copy of the data you hold about them, including pupils (depending on their age and maturity), staff, or parents asking for their own data.

When it comes to parents asking for their child’s data, you’ll need to check whether the child is old enough and mature enough to understand what’s being asked. If they are, they should normally be the one making the request or at least give permission for the parent to do it on their behalf.

If they’re younger or not able to understand, the parent can usually make the request.

What does a SAR cover?

Any personal data you hold about that person. That might include:

  • Behaviour notes
  • Emails mentioning the pupil
  • Health or SEN info
  • Safeguarding logs (with care!)
  • CCTV footage (if the pupil is clearly visible)

When it comes to Subject Access Requests, any type of school may receive one, including maintained schools, academies, free schools and independents, and you have 1 calendar month to respond.

Request for the Educational Record – Pupil Regulations

This one is specifically for parents of children at maintained schools (i.e. those run by local authorities). It gives them the right to see their child’s educational record, which is basically anything to do with their progress, learning, and life in school.

What counts as an educational record?

Think stuff like:

  • School reports
  • Attendance records
  • SEN plans
  • Notes from parent-teacher meetings
  • Behaviour points
  • Targets or interventions

It doesn’t include:

  • Child protection files
  • Teachers’ personal notes
  • Information that could seriously harm the child or someone else

Under these regulations, you have 15 school days to respond. You can also apply a charge to cover printing or postage, though most schools just send it electronically for free these days.

For academies and free schools, the right to the educational record doesn’t apply. But many still choose to share records in a similar way, just to be helpful and consistent. It’s the same deal with independent schools: there is no right to the educational record. Parents need to go down the SAR route if they want information about their child, and only if the child isn’t old enough to make the request themselves.

While SARs and education record requests are different, there’s a bit of crossover. Some information might be shared under both, and that’s OK. The key is understanding which law applies and making sure you’re not accidentally oversharing or withholding something you shouldn’t.

When in doubt, take a breath, talk to your DPO, and go from there.

It’s that time of year again.

The weather’s warming up (at least in theory), the final exam papers are piling up in the staffroom, and the Year 11s, full of nervous energy, optimism, and just a hint of mischief, are preparing to say their goodbyes. It’s the season of leavers’ assemblies, nostalgic slide shows, and of course, the all-important question: “Can we get hoodies with all our names on them?”

Cue the GDPR panic.

Every year, in schools up and down the country, a familiar scenario plays out. A well-meaning teacher or member of the PTA offers to organise personalised hoodies or put together a yearbook featuring class photos and messages. And then, someone asks the question that stops the printer in its tracks: “Wait… is this even allowed under GDPR?”

Let’s unravel this together, because despite what some may believe, GDPR isn’t the fun police. It doesn’t mean you have to cancel prom or produce an anonymised yearbook with stick figures instead of class photos.

The truth is, most of these cherished school traditions can go ahead, so long as they’re handled with care, clarity, and a bit of common sense.

Take the humble leavers’ hoodie. It’s one of those rites of passage that students will cling to years after they’ve grown out of it. Names printed on the back, sometimes nicknames, sometimes surnames, sometimes the dreaded full first-middle-last-name combo. From a data protection point of view, names are indeed personal data. But does that mean you can’t print them?

Absolutely not. You just need a lawful basis to do it—and in most cases, that’s as simple as getting consent.

Whether it’s for hoodies, a yearbook, or a slideshow featuring baby photos, if you’re collecting and sharing personal data outside of core educational purposes, it’s best practice to ask students (or their parents, depending on age) for permission. A simple form will do the trick. The key is to be clear about what data you’re using, where it will appear, and who will see it. No tricks, no fine print in size six font.

And yes, you can still include photos. There’s no secret clause in the UK GDPR that says a picture of Year 11 on the school field at lunchtime is forbidden. If it’s for a yearbook, prom night collage, or school website tribute, the same principle applies; be transparent, get the appropriate permissions, and store images securely. That’s it.

There’s a myth that GDPR somehow outlawed all joy in schools, but the reality is it just asked us to stop being sloppy with data. It’s about respect, not restriction.

Then there’s the classic signing shirts. The ink-stained rite of passage, where uniforms are transformed into messy tributes of inside jokes and hastily scrawled farewells. A few educators have raised their eyebrows at this tradition, worrying it could constitute “uncontrolled data sharing.”

Realistically, if a student voluntarily hands their shirt to a friend and says, “write something embarrassing on my back,” this isn’t a data protection issue, it’s a social one. GDPR doesn’t govern private, student-to-student interactions unless the school is actively collecting and publishing that content. So, you don’t need to enforce a shirt-signing ban (and if you tried, good luck…).

Now, about prom. Some schools host their own; others let parents or external companies run the show. Either way, collecting names for tickets, dietary needs, or emergency contact details is fine, just make sure you’re only collecting what you actually need, and that the data isn’t floating around on someone’s USB stick or unprotected spreadsheet. The golden rule? If you wouldn’t want your own teen’s info handled that way, don’t do it to someone else’s.

So here’s the bottom line: don’t let GDPR myths steal the spotlight from your leavers’ celebrations. Data protection doesn’t mean you can’t celebrate your students. It just asks that you do it with intention.

After all, what better way to send off the next generation than by teaching them that privacy and parties can coexist?

Let them have their yearbooks. Let them wear hoodies emblazoned with names they’ll cringe at later. Let them dance the awkward final dance at prom. And let them remember that their school cared enough to protect their memories without over-policing their goodbyes.

As public bodies, UK schools are increasingly in the spotlight when it comes to transparency. Freedom of Information (FOI) requests are a key legal mechanism for parents, campaigners, and the media to access information about how schools operate, but they’re also on the rise, especially around exams, assessments, and decision-making processes.

For school administrators and data protection leads (DPLs), responding to FOI requests isn’t just a legal duty under the Freedom of Information Act 2000, it’s also an opportunity to build public trust through transparency. Therefore, it’s crucial to understand your responsibilities, and the risks, when responding to these requests, especially as scrutiny intensifies.

Why Are FOI Requests Increasing in Schools?

Since the pandemic, there’s been a noticeable uptick in FOI activity directed at schools and trusts. Some of the key drivers include:

  • Concerns about exam grading during teacher-assessed years
  • Requests for exam board correspondence and internal moderation policies
  • Transparency around assessment algorithms or standardisation approaches
  • Access to emails or records related to grade appeals
  • Inquiries about pupil exclusions during exam periods

Schools across the UK have reported a surge in FOI requests during May–July, often clustered around GCSE and A-Level periods. These are not always straightforward, and many come from organised campaigns or media investigations.

What Is Covered by FOI in Schools?

Under the Freedom of Information Act 2000, anyone can request recorded, non-personal information. This includes:

  • Curriculum and assessment policies
  • Staff guidance or marking frameworks
  • Internal minutes or email chains (if recorded)
  • Communication with exam boards or local authorities

It does not cover:

  • Personal data about students or staff (that’s handled under UK GDPR)
  • Opinions that weren’t formally recorded

The Right Way to Respond

Every request must be handled lawfully, objectively, and in good faith. The basic process:

  1. Acknowledge: Respond within 20 working days
  2. Clarify if the request is vague or excessive
  3. Assess whether you hold the data and how much effort is required
  4. Apply exemptions only where legally justified
  5. Provide the information, or explain your reasons for refusal

Maintain a full audit trail of your decisions, especially if you’re applying an exemption.

Use of Exemptions: Don’t Overreach

The FOI Act includes several exemptions, but misusing them can damage your reputation and trigger ICO scrutiny. Common (and often misapplied) exemptions in schools include:

  • Section 36 (prejudice to effective conduct of public affairs): Often used to withhold internal discussions but must be supported by recorded reasoning from a qualified person (e.g. Headteacher)
  • Section 40 (personal data): Use only where releasing the info would breach data protection law
  • Section 22 (future publication): You must have a clear intention to publish the info soon

Exemptions serve a purpose, but overusing or misapplying them risks eroding public confidence and triggering ICO complaints. As stewards of public funds and student welfare, UK schools should aim to default to openness, using the FOI framework as a tool to engage, not to evade.

Real-world caution:

A secondary school used Section 36 to refuse a request for internal marking guidance during a teacher-assessed grading period. The requester complained to the ICO, who found that the school had not sufficiently evidenced how disclosure would “prejudice the conduct of public affairs.” The school had to release the material.

Best Practices for UK Schools

  • Have a written FOI policy and publish it on your website
  • Train front-office and SLT staff on identifying and escalating FOI requests
  • Work with your DPO or local authority when applying exemptions
  • Log every request, decision, and rationale
  • Avoid redacting out of caution: Redact only what is necessary under the Act
  • Be proactive: Publishing certain information online (e.g. assessment policies, appeals processes) can reduce the volume of individual FOIs

When FOI Meets Exams: Be Prepared

To reduce stress and ensure legal compliance during exam season:

  • Review your assessment policy and have a version ready to share
  • Document all grade moderation discussions formally
  • Keep communications with exam boards organised and accessible
  • Clarify what can and cannot be disclosed under FOI vs. Subject Access Rights

Final Thought: Transparency Is a Strength, Not a Risk

It’s tempting to view FOI requests as administrative burdens or reputation threats. But when handled lawfully and openly, they demonstrate professionalism, fairness, and accountability. Use exemptions sparingly and transparently, and never to avoid embarrassment or scrutiny.