
When I first mention a RoPA to staff in schools or multi-academy trusts, I usually get one of three responses:
A) a knowing sigh,
B) a panicked blink, or
C) a hopeful, “Is that the thing we can outsource?”

The truth is, a Record of Processing Activities (RoPA) sounds more bureaucratic than it actually is. But in an educational setting, where data is flying around faster than paper aeroplanes in Year 5, it’s one of the most valuable tools you can have to make sense of your obligations under UK GDPR.

And with the Data Use and Access Act (DUAA) bringing further changes to the regulatory landscape, it’s never been more important.

 

What is a RoPA, and Why Should You Care?

A RoPA is essentially your school’s data processing map. It lists what personal data you collect, why you collect it, who you share it with, how long you keep it, and how you protect it. Think of it as your school’s data inventory; a living, breathing document that should reflect the reality of what’s going on across classrooms, admin offices, safeguarding teams, and yes, even the school newsletter.

Under Article 30 of the UK GDPR, most schools are already required to maintain a RoPA. The myth that only large organisations need one doesn’t fly: Article 30(5) exempts organisations with fewer than 250 employees only where their processing is occasional, unlikely to result in a risk to individuals, and involves no special category data. A school’s processing is neither occasional nor free of special category data (SEN records, health information, safeguarding logs), so the exemption does not apply and you’re on the hook.

What’s changed with the addition of the DUAA?
The DUAA introduces a stronger emphasis on accountability and proactive data management, giving regulators more clarity on expectations and giving schools less room to rely on static, tick-box compliance.

For example:

  • Schools may now be expected to demonstrate how they are managing data risks, including algorithmic decision-making tools (e.g., AI marking or behaviour monitoring).
  • There is a growing expectation to include data sharing justifications in your RoPA, especially where you share data with third-party edtech providers.
  • The RoPA may serve as a key piece of evidence in demonstrating ‘appropriate data governance’ during any investigation or audit.

 

So Where Do You Start?

I often tell schools to treat RoPA creation like a school play. Everyone has a role, even if they’re only on stage for a scene or two, and someone (preferably your Data Protection Lead or DPO) needs to be directing the whole thing.

Start with what you know best: daily operations. What personal data do you collect on students, parents, staff, and governors? Where is it stored? Who has access?

Don’t worry about getting it perfect from the outset. This is more of a marathon than a sprint. What matters is building a truthful picture of how data flows through your school. And like a great Ofsted inspection, preparation is everything.

 

Who Needs to Be Involved?

One of the biggest mistakes schools make is assuming this is an IT or data manager’s problem. In reality, every department has a slice of the RoPA pie. The SENCO knows more about special category data than anyone. HR understands the nuances of staff records. Admin staff are often the unsung heroes of data entry and consent management.

This isn’t about adding to their workload, it’s about tapping into what they already know. The DPL or DPO should facilitate the process by asking the right questions, guiding decisions, and ensuring everything is documented with clarity and consistency.

With the DUAA in effect, demonstrating a joined-up approach to data governance isn’t just good practice, it’s also evidence of compliance. Cross-departmental input will help schools meet the ‘appropriate technical and organisational measures’ requirement more robustly, because the people who actually handle the data are the ones describing it.

 

Keeping It Alive (and Not Just a GDPR Box-Tick)

Creating a RoPA and letting it gather digital dust in your SharePoint is the data equivalent of laminating a safeguarding policy and never looking at it again.

A good RoPA is maintained. It evolves. When you roll out a new parent communication app, switch MIS providers, or start using AI-assisted marking tools, your RoPA needs an update. I advise reviewing it termly, or whenever there’s a significant change in how data is processed.

And here’s where the DUAA raises the stakes again:
With a more outcomes-based focus, the new regime doesn’t just look at whether you have documentation, it looks at whether it reflects reality. Expect regulators to ask: Is your RoPA accurate, current, and genuinely used in decision-making?

Pro tip: link your RoPA maintenance with regular data protection training or staff updates. It keeps things fresh and signals that data protection is woven into the fabric of how your school operates, and not just a once-a-year compliance headache.
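The checks a Data Protection Lead would want to run over a RoPA kept as structured data, as an added example that is not from the original post and not any school’s real register. The field names, the list of Article 9 conditions and the three sample activities are constructed for illustration; the checks themselves are the ones this post asks for (a named Article 6 basis, an Article 9 condition wherever special category data appears, a retention period, safeguards, a justification for every third-party recipient such as an edtech provider, and a review within roughly the last term).

```python
"""Added example: validate a school RoPA held as structured data.

Field names, the Article 9 condition list and the sample activities below are
constructed for illustration; they are not taken from any real register.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# UK GDPR Article 6 lawful bases; every RoPA entry must name one.
ARTICLE_6_BASES = {"consent", "contract", "legal_obligation", "vital_interests",
                   "public_task", "legitimate_interests"}
# Article 9 conditions a school is likely to rely on (assumed list, not exhaustive).
ARTICLE_9_CONDITIONS = {"explicit_consent", "employment_law", "vital_interests",
                        "health_or_social_care", "substantial_public_interest",
                        "legal_claims"}


@dataclass
class ProcessingActivity:
    name: str
    owner: str                        # the team that knows the data, e.g. "SENCO"
    purpose: str
    data_categories: list
    special_category: bool
    lawful_basis: str                 # Article 6 basis
    article_9_condition: Optional[str] = None
    recipients: list = field(default_factory=list)    # third parties receiving the data
    sharing_justification: str = ""   # why those recipients get it
    retention: str = ""               # e.g. "date of birth + 25 years"
    safeguards: list = field(default_factory=list)    # technical/organisational measures
    last_reviewed: Optional[date] = None


def validate_activity(a: ProcessingActivity, today: date, max_review_age_days: int = 120) -> list:
    """Return the gaps in one RoPA entry; an empty list means the entry is complete."""
    issues = []
    if a.lawful_basis not in ARTICLE_6_BASES:
        issues.append(f"unknown or missing Article 6 lawful basis: {a.lawful_basis!r}")
    if a.special_category and a.article_9_condition not in ARTICLE_9_CONDITIONS:
        issues.append("special category data recorded without an Article 9 condition")
    if not a.retention:
        issues.append("no retention period recorded")
    if not a.safeguards:
        issues.append("no technical or organisational safeguards recorded")
    if a.recipients and not a.sharing_justification:
        issues.append("shared with " + ", ".join(a.recipients) + " but no sharing justification")
    if a.last_reviewed is None or (today - a.last_reviewed).days > max_review_age_days:
        issues.append(f"not reviewed in the last {max_review_age_days} days")
    return issues


def validate_ropa(activities, today: date, max_review_age_days: int = 120) -> dict:
    """Map each incomplete activity name to its list of gaps."""
    report = {}
    for a in activities:
        issues = validate_activity(a, today, max_review_age_days)
        if issues:
            report[a.name] = issues
    return report


# Constructed sample register: one complete entry and two with gaps.
SAMPLE_ROPA = [
    ProcessingActivity(
        name="SEN records", owner="SENCO", purpose="Assess and meet special educational needs",
        data_categories=["name", "date of birth", "EHCP", "assessments"], special_category=True,
        lawful_basis="public_task", article_9_condition="substantial_public_interest",
        recipients=["Local authority SEN team"], sharing_justification="EHCP statutory process",
        retention="date of birth + 25 years",
        safeguards=["role-based access", "encryption at rest"], last_reviewed=date(2025, 7, 10)),
    ProcessingActivity(
        name="Homework app", owner="Head of Year", purpose="Set and track homework",
        data_categories=["name", "class", "submissions", "usage logs"], special_category=False,
        lawful_basis="public_task", recipients=["Homework app vendor"],
        last_reviewed=date(2024, 9, 1)),
    ProcessingActivity(
        name="Staff sickness absence", owner="HR", purpose="Manage absence and return to work",
        data_categories=["name", "absence dates", "fit notes"], special_category=True,
        lawful_basis="legal_obligation", retention="6 years after employment ends",
        safeguards=["HR-only access"], last_reviewed=date(2025, 6, 1)),
]


def run_sample(today: date = date(2025, 9, 1)) -> dict:
    """Validate the constructed register as of the start of the autumn term."""
    return validate_ropa(SAMPLE_ROPA, today)


if __name__ == "__main__":
    for name, issues in run_sample().items():
        print(name)
        for issue in issues:
            print("  -", issue)
```

Run against the sample register, the SEN entry passes, the homework app is flagged four times (no retention period, no safeguards, a vendor with no sharing justification, and a review a year old) and the sickness-absence entry is flagged once for recording health data with no Article 9 condition. Keep the register in version control and run the validator at the termly review; a failing entry is the agenda for that meeting.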

 

Why It Matters

Aside from the obvious regulatory compliance (and let’s be honest, the ICO can and does ask to see your RoPA), having a strong, accurate Record of Processing Activities:

  • Enhances transparency with staff, parents, and pupils.
  • Makes responding to Subject Access Requests significantly easier.
  • Helps assess the impact of new technologies and tools on data protection.
  • Supports compliance with new DUAA principles around risk management and accountability.
  • Builds a culture of responsibility and digital maturity in your organisation.

But more than that, it reflects the kind of trust and integrity every educational setting should strive for. Because in schools, we’re not just handling data. We’re handling lives, stories, and futures.

So, if your RoPA’s still in the ‘to-do’ pile, consider this your gentle nudge. And if you’re already on the road? Keep walking, keep refining, and keep your DPO on speed dial.

Data protection isn’t just about compliance anymore. It’s about confidence, care, and doing the right thing by your community.

It begins with a simple email.

“Dear Office, I’m concerned about the data collected by the new homework app. Could you let me know what’s being stored about my daughter, and whether we can opt out?”

At first glance, your school administrator treats it as a routine enquiry. A parent, understandably cautious. The message gets forwarded to your IT team and is quickly forgotten.

But a few days later, a second email appears:

“I haven’t received a response. Under UK GDPR, I believe I’m entitled to this information.”

At this point, you pause. Is this just a question, or something more? Could this be considered a data protection complaint? Should there be a formal process in place? And if so, who is responsible?

Suddenly, you’re faced with a requirement that, until now, may not have felt urgent – but is now absolutely necessary.

 

A New Legal Expectation for Schools

Before 2025, data protection concerns in schools were relatively informal. A quick reply often sufficed.

But under the Data Use and Access Act 2025, that’s no longer enough.

The legislation introduces clearer expectations for how educational institutions handle complaints related to data protection. The emphasis is now on being structured, transparent, and responsive, especially when the complaint involves the data of a child.

 

What the Law Now Requires from You

The Data (Use and Access) Act 2025 introduces several concrete requirements for complaints handling:

  1. A Formal Complaints Process

You must have a clear and specific procedure for handling complaints relating to personal data. This should be separate from your general complaints policy and easy to understand.

  2. A Way to Complain Electronically

The Act requires you to facilitate complaints, for example by providing a complaint form that can be completed electronically and by other means. A form on your website is the obvious way to do this, but the form is the example the Act gives rather than the only acceptable method, so do not make it the sole route: a parent’s email, like the one above, is still a complaint.

  3. Acknowledgment Within 30 Days

You are required to acknowledge every data protection complaint without undue delay and in any event within 30 days of receiving it.

  4. A Prompt, Reasonable Response

There’s no strict statutory timeframe for resolution, but the law requires you to take appropriate steps in response to the complaint, and to tell the complainant the outcome, “without undue delay.” The ICO will expect to see evidence of timely, proportionate action.

 

Practical Steps You Should Take

If you haven’t already, now is the time to act.

  • Create an accessible digital complaints form

Ensure it’s linked from your privacy notice and easy for parents, pupils, and staff to find.

  • Develop a clear internal process

Define who receives the complaint, who investigates, and who signs off the response. Consider how you will track and document each step.

  • Train staff across departments

Your admin team, teachers, and support staff should know how to recognise a data complaint, and when to escalate it.

  • Involve your DPO early

Your Data Protection Officer or Data Protection Lead should be actively involved in setting up the complaints process and reviewing each case.

 

A Likely Scenario

Imagine this:

A parent asks why a learning platform seems to be recommending content to their child based on interaction history. They ask what’s being tracked, and who can see it. At first, it feels like a casual question, but it meets the definition of a data protection concern.

If you don’t have a formal process in place, there’s a risk of delay or miscommunication, and that’s now a compliance issue.

But with the right system, the response is simple:

“Thank you for raising this. We’ve received your complaint and are reviewing it. You’ll receive a further response shortly.”

That one sentence does more than meet a legal obligation; it demonstrates trust, care, and professionalism.

 

Why This Matters

As a school, you manage sensitive data every day: academic records, safeguarding notes, medical needs, behavioural reports and, increasingly, digital interactions.

The expectations from parents, pupils, and regulators have never been higher.

By developing a clear complaints procedure, you’re not just reducing risk, you’re showing your school community that you take their rights seriously.

A single email could spark a chain of events. But with the right policies and mindset, it doesn’t need to become a crisis.

You have the opportunity to respond confidently, clearly, and in full compliance with the law.

Because when someone raises a concern about how you use their data, or their child’s, it’s not just a legal issue, it’s a matter of trust.

Imagine it’s a rainy Thursday afternoon. You’ve just finished playground duty and you’re halfway through a lukewarm coffee when the email pings into your inbox. It’s a Subject Access Request (SAR), and not just any SAR, it’s one of those SARs: someone wants “all the information you hold about them.”

Cue internal screaming.

But don’t panic. Whether the request comes from a parent, a staff member, or even a student themselves, SARs are a regular part of school life under data protection law. They might not arrive every day, but when they do, they tend to bring a flurry of questions, and a fair bit of admin.

And thanks to the Data Use and Access Act (DUAA), the rules have been sharpened, the expectations clearer, and some of the grey areas just got a little less grey.

Let’s take a breath and walk through what this actually means for you, the person who now has one calendar month (no, that hasn’t changed) to find and deliver everything that qualifies as “personal data.”

 

So what does “all the information” actually mean?

Here’s where things get interesting. When someone submits a SAR asking for “everything you hold about them,” they’re invoking their rights under the UK GDPR and now the Data Use and Access Act (DUAA), which has reaffirmed and clarified how those rights apply in public bodies like schools.

They’re not just asking for what’s in their file folder; they want everything (digital, physical, historical) that says something about them and is stored by the school.

This could be emails that mention them (yes, even those ones you wish you’d written more diplomatically), reports, assessments, meeting notes, disciplinary hearings, communications between staff about that person, and more.

But it’s not everything, everything.

That private WhatsApp message you sent to a colleague about your frustrating morning? Still probably out of scope, unless you’ve somehow used it to make a formal decision or documented it in school systems.

The DUAA does not redraw this boundary; the test is the same as before: personal communications that do not form part of the school’s processing activities are generally not in scope. Always assess context and purpose, though. A ‘private’ message that gets forwarded into a school mailbox or relied on in a meeting has crossed the line.

And here’s a welcome relief:
The DUAA also gives you the right to seek clarification when a request is unclear or too broad. If someone asks for “everything,” but you reasonably believe they’re looking for something specific (say, safeguarding records or a particular incident), you can pause the clock while you ask them to narrow it down. Just make sure you document the clarification request and don’t delay unnecessarily.

This can save hours of time and reduce the risk of over-disclosure or missed data.

 

What should you be including?

If the data says something about the person and you’re holding it in your professional capacity, odds are it’s in.

Think emails, student records, safeguarding files (yes, even the tricky ones), disciplinary records, performance reviews, and any formal or informal notes that contribute to school decisions or knowledge.

Even if the person wasn’t the author of the document, if it’s about them, they get to see it.

And don’t forget metadata, timestamps, usernames, and version history. Under the DUAA, the definition of “personal data” remains broad, and these still count if they can identify the individual.

 

What can you leave out?

Thankfully, not everything needs to be handed over. The DUAA did not rewrite the exemptions: those for exam scripts, third-party data and the ‘serious harm’ test for education, health and social work records still sit in the Data Protection Act 2018. What the DUAA adds is the codified ‘reasonable and proportionate search’ and the clarification pause, which shape how you go about applying them.

Here’s what remains true:

  • Truly personal notes not part of the school’s records or decision-making process? Still probably exempt.
  • Informal, handwritten notes not used to inform decisions? Possibly out of scope, but if they’re later referenced in emails or meetings, they become part of the record.
  • Other people’s data? Still protected. You must redact or anonymise third parties unless they consent or it is reasonable to disclose without their consent, and that judgement matters most in safeguarding reports and behavioural logs.

The ‘serious harm’ test is also unchanged: education, health and social work records can be withheld where disclosure would be likely to cause serious harm to the physical or mental health of the data subject or another person, which is the test you will lean on in child protection cases. The exemptions are narrow, and every decision to withhold should be recorded with its reasoning.

 

Where do you even look?

Data hides in more places than you think. The usual suspects: your MIS, email servers, safeguarding platforms, and cloud learning tools.

The DUAA didn’t add a new mapping duty (Article 30 already requires a record of processing), but its codified ‘reasonable and proportionate search’ standard is far easier to meet, and to evidence, if you have a current RoPA telling you where data actually lives, rather than resorting to digital archaeology.

That means staff shared drives, laptop folders, Teams logs, and even archived paper files may still hold data that must be reviewed.

You don’t need to become Sherlock Holmes, but you are expected to conduct a “reasonable and proportionate search”, and the DUAA now puts that phrase into the legislation itself. It’s less about exhausting every dusty archive and more about having a clear search strategy and an audit trail of your efforts: which systems you searched, with which identifiers, on which dates, and what you found.

 

A final word to the wise

A SAR is not just a bureaucratic hoop to jump through. It’s a window into how much we record, how we talk about people, and what assumptions sit in our systems.

The Data Use and Access Act reinforces that access is a right, but also that handling these requests should be structured, documented, and mindful of harm. It’s not just about handing over a stack of papers; it’s about transparency done properly.

So yes, receiving a SAR might still feel like being put under a microscope but, it’s also an opportunity. A moment to tidy up your data habits, update your record-keeping, and reflect on how information flows through your school.

And next time someone asks for “everything you’ve got,” you’ll know where to start, what to include, what to redact and, most importantly, how to stay sane while doing it.

On 19 June 2025, the Data (Use and Access) Act 2025 (known as the DUAB or DUA Bill while it went through Parliament) received Royal Assent, marking a significant update to the UK’s data protection framework. It doesn’t rewrite UK GDPR, but it does amend it, along with the Data Protection Act 2018 and PECR, in ways educational institutions need to be aware of.

Let’s break it down and explore what this means for colleges, schools, and educational staff in a practical, easy-to-digest way.

Subject Access Requests: The Clock Pauses for Clarification

We know that managing Subject Access Requests (SARs) can be time-consuming, especially when students or staff request a mountain of data.

Here’s what’s changed:

  • If someone submits a SAR and you need clarification, the response deadline is paused until they respond.
  • You can reasonably ask for clarification if you hold a large amount of data about the person.
  • Once clarification is received, you must still perform a reasonable and proportionate search for the requested data.

Takeaway for educators: If a student or staff member submits a vague or broad SAR, you now have the legal room to ask for specifics, and the one-month response period (it is a calendar month, not 30 days) does not run while you wait for the answer. Document the clarification request and the dates on both sides: the pause is only as defensible as your record of it.
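A deadline calculator for the clarification pause described here and in the SAR post above, as an added example that is not from the original posts. It assumes the ICO’s long-standing way of counting a calendar month (the corresponding date in the following month, or the last day of that month if there is no such date, rolling a weekend forward to the next working day) and the pause model the posts describe (the days between sending the clarification request and receiving the answer are added to the deadline). Bank holidays are not modelled; the dates in the usage example are constructed.

```python
"""Added example: SAR deadline calculator with the clarification pause.

Assumptions (not from the posts): the deadline is the corresponding date in the
following month, or the last day of that month if there is none; a deadline on
a Saturday or Sunday rolls to the next working day; a pause adds the number of
days between sending the clarification request and receiving the answer.
Bank holidays are not modelled.
"""
import calendar
from datetime import date, timedelta
from typing import Optional


def add_one_month(d: date) -> date:
    """Corresponding date next month, or the last day of next month if that date does not exist."""
    year, month = (d.year + 1, 1) if d.month == 12 else (d.year, d.month + 1)
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def next_working_day(d: date) -> date:
    """Roll Saturday or Sunday forward to Monday (bank holidays not modelled)."""
    while d.weekday() >= 5:
        d += timedelta(days=1)
    return d


def sar_deadline(received: date,
                 clarification_sent: Optional[date] = None,
                 clarification_received: Optional[date] = None) -> dict:
    """Compute the response deadline for a SAR received on `received`.

    If a clarification request was sent and no answer has arrived yet, the
    clock is stopped and no deadline can be given.
    """
    base = add_one_month(received)
    if clarification_sent is None:
        return {"deadline": next_working_day(base), "paused_days": 0, "clock_stopped": False}
    if clarification_sent < received:
        raise ValueError("clarification cannot be requested before the SAR is received")
    if clarification_received is None:
        return {"deadline": None, "paused_days": None, "clock_stopped": True}
    if clarification_received < clarification_sent:
        raise ValueError("clarification cannot be received before it is requested")
    paused = (clarification_received - clarification_sent).days
    return {"deadline": next_working_day(base + timedelta(days=paused)),
            "paused_days": paused, "clock_stopped": False}


if __name__ == "__main__":
    # Constructed dates: a request on 31 January has no 31 February to map to.
    print(sar_deadline(date(2025, 1, 31)))
    # Constructed dates: a week waiting for clarification pushes the deadline a week.
    print(sar_deadline(date(2025, 6, 2), date(2025, 6, 4), date(2025, 6, 11)))
```

The month-end cases are the ones that catch people out: a request received on 31 January 2025 is due on 28 February, and one received on 31 March is due on 30 April. The pause is added in whole days, so the audit trail needs the date the clarification was sent and the date the answer came back, not just a note that you asked.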

Complaints Must Be Handled Internally First

The new law gives organisations a chance to fix things before complaints go to the ICO (Information Commissioner’s Office).

Now, if someone raises a data protection issue:

  • You must acknowledge their complaint within 30 days
  • Take appropriate steps to investigate and address it
  • And inform them of the outcome

What this means: Colleges should ensure there’s a clear internal complaint process. This is a great time to check that your staff know how to escalate issues internally, before they become a bigger (and more public) problem.

Automated Decision-Making & AI in Education

With AI becoming a growing tool in education, think automated exam marking or application screening, DUAB clarifies how these systems should be handled:

Automated decisions that have legal or similarly significant effects (e.g. admissions, grading) are permitted, as long as:

  • The individual is told their data will be used this way,
  • They can make representations and contest the decision, and
  • Human intervention is available.

One caveat: where such a decision is based on special category data (a health condition, SEN status, ethnicity), the stricter rules still apply, and you need explicit consent, a contractual necessity, or a substantial public interest condition set out in law before the automated decision is allowed at all.

Heads up: If your college uses AI to grade tests (like automated multiple-choice scoring), or any automated student decision-making systems, let your data protection lead know. You’ll need to be clear with students about their rights and the role AI plays.

Cookies: A Bit More Flexibility

Let’s talk cookies. No, not the chocolate chip kind.

DUAB amends the Privacy and Electronic Communications Regulations so that certain non-essential cookies no longer need consent. The exemptions cover cookies used for:

  • Statistical analysis of how the site is used, with a view to improving it
  • Website performance and security
  • User preferences (appearance and functionality the user has chosen)
  • Service improvements that flow from that statistical analysis

Good news for IT teams, with two caveats: if your college’s website uses cookies only for these purposes, consent will no longer be needed once the relevant provisions are commenced, but you must still tell users clearly what the cookies do and give them a simple way to object; and anything used for advertising, cross-site tracking or profiling is still consent-only.

Legitimate Interests: A Clearer Path Forward

There’s now a short statutory list of “recognised legitimate interests” (a new Annex 1 to the UK GDPR) for which the balancing test is dropped, alongside a separate list of examples that may be legitimate interests but still need the balancing test. For colleges the useful entries are:

  • Safeguarding vulnerable individuals, including students and staff (recognised; no balancing test)
  • Detecting, investigating or preventing crime, including fraud (recognised; no balancing test)
  • Responding to a request from a public body that needs the data for its public task (recognised; no balancing test)
  • Network and information security (an example; balancing test still required)
  • Intra-group data sharing for internal administration, for multi-site colleges (an example; balancing test still required)
  • Direct marketing (an example; balancing test still required)

If your college is processing data for a recognised legitimate interest, you no longer need to complete a Legitimate Interests Assessment (LIA) to balance it against the individual’s rights, though you still need to show the processing is necessary. For the other three, keep doing the LIA. Remember too that a public authority cannot rely on ordinary Article 6(1)(f) legitimate interests for processing done in the performance of its public tasks, so for most core college activities public task remains the basis.

Bottom line: This streamlines processes and reduces paperwork when handling security or safeguarding-related data.

What’s Next?

While these updates are now law, the government hasn’t yet published education-specific guidance. In the meantime:

  • Review your current policies, especially around SARs, complaints, and automated decision-making
  • Update your internal processes and staff training to reflect the new rights and obligations
  • Monitor for upcoming sector-specific guidance


Let’s continue to champion responsible data use in our schools and colleges. These changes aim to strike a better balance between protecting individuals’ rights and reducing unnecessary red tape – and that’s something we can all get behind.

Imagine you’re sat in the staffroom, half-eaten biscuit in one hand, half-finished student spreadsheet on the screen. You scroll down a list of names, notes, and numbers, some of which, to your horror, date back to the year David Cameron was still Prime Minister.

You mutter to yourself, Why do we still have this data? Is this even legal?

Well, you’re in luck. Help may be on the horizon, wrapped in bureaucracy yes, but still help.

The UK’s Data (Use and Access) Bill is the government’s latest attempt to bring data protection into the 21st century without sending educators and administrators into panic-induced paper purges. So, what does it mean for you and your school? Let’s unpack it without the legalese, and with your sanity in mind.

So… What Is This Bill Actually About?

At its core, the Data (Use and Access) Bill (or DUAB, if you’re into acronyms) is about striking a balance between making better use of data and protecting people’s rights, especially children’s.

It’s part of the government’s broader post-Brexit effort to move away from some of the more rigid elements of EU GDPR, while still holding onto the values that matter; transparency, safety, and accountability. Think of it as GDPR’s sensible cousin, still serious, but a little more practical in the school setting.

Why Should Schools Care?

Here’s the thing, schools are absolute treasure troves of personal data. From safeguarding notes and behavioural logs to dinner money apps and biometric attendance systems, they gather data like Year 7s gather Pokémon cards, except there’s legal liability attached.

This Bill is nudging us gently but firmly towards smarter, clearer, and more responsible data use. For instance, it’s placing extra emphasis on how we use children’s data in digital tools and platforms. That means reviewing whether educational software is using personal information appropriately, and not quietly siphoning it off to train some mysterious AI model in the background.

Also under the spotlight? Automated decision-making. If you’ve ever wondered whether a student’s algorithmic “progress tracker” is making assumptions you wouldn’t make as a teacher… well, the DUAB has your back. It demands transparency and human oversight when important decisions are being made based on data. Because let’s face it, no algorithm knows your pupils like you do.

But Wait, There’s More…

One of the themes the DUAB leans on is accountability, and that reaches data retention. Remember that ancient spreadsheet I mentioned earlier? The storage limitation principle in Article 5(1)(e) already says keeping data “just in case” won’t cut it, and the Bill’s emphasis on being able to demonstrate compliance means schools need clear, written justifications for how long each type of data is kept and must be able to show they’re not hoarding it. It’s like a spring clean, but for your school server.

The Bill also introduces measures to simplify compliance. For schools, this could mean fewer hoops to jump through when working with third-party apps or local authorities, as long as the data use aligns with the public good and proper protections are in place.

So, What Should We Do Now?

First off, don’t panic. This Bill isn’t a ticking time bomb. It’s more of a nudge to think seriously about how we treat data in our schools and to embed that into our day-to-day decision-making.

It’s a good time to:

  • Talk to your school’s Data Protection Officer (you know, the one who pops up every year reminding everyone about GDPR).
  • Review your school’s data retention schedule – are you keeping stuff longer than necessary?
  • Ask questions about any new edtech platforms you’re trialling. Are they transparent? Safe for students? Do they actually need all the information they’re collecting?

And finally, keep the conversation going. Data protection isn’t just a compliance issue, it’s about trust. Parents trust us with their children. Students trust us with their futures. Managing their data responsibly is part of honouring that trust.

Ultimately, this isn’t just a policy update, it’s a cultural shift. The DUAB reminds us that data is more than a digital asset. It’s personal. It’s powerful. And in education, it’s deeply human.

So next time you open a spreadsheet that hasn’t been touched since the last Ofsted inspection, take a moment. Ask yourself not just “Do we need this?” but also “Is keeping this still respectful to the person behind the data?”

Because in the classroom, in the office, or even in the server room, one truth remains: good education starts with good ethics.