Posts

DPIAs: The Devil is in the Details

Let me start with a little story.

Picture this: a well-meaning school rolls out a shiny new classroom app. It promises real-time behaviour tracking, AI-generated performance reports, and parental push notifications.

Everything’s going swimmingly until a parent complains. Loudly. They’re uncomfortable with how much data the app’s collecting on their child. A few emails later, and suddenly the Information Commissioner’s Office (ICO) is poking around.

So, where did it all go wrong?
No DPIA.

 

First, What on Earth is a DPIA?

Let’s demystify this acronym. A Data Protection Impact Assessment (DPIA) is like a risk assessment,  but for privacy. It’s a tool that helps you think before you process, especially when new tech, processes, or systems, might affect individuals’ data rights.

The legal bit? Under the UK GDPR, DPIAs are mandatory when data processing is likely to result in a high risk to people’s rights and freedoms.

But let’s not get too stuck in legalese. As your friendly neighbourhood Data Protection Officer (DPO), we like to think of a DPIA as the grown-up version of “have you thought this through?”

 

When Do You Need a DPIA in Schools?

You’d be surprised how often this question crops up. DPIAs aren’t just for massive corporations or government surveillance programs. Schools sit on mountains of personal data, much of it about children, which immediately raises the stakes.

Here’s a peek into your school diary where a DPIA might be needed:

  • Rolling out biometric systems for canteen payments or library check-outs. (Yes, even fingerprint scanners.)
  • Using facial recognition for school entry or attendance tracking.
  • Launching new apps or platforms that monitor student behaviour, learning analytics or mental health.
  • Installing CCTV in new areas, especially if it records audio or is placed in sensitive areas like SEN rooms.
  • Conducting large-scale surveys on pupil wellbeing that include special category data (health, ethnicity, etc.).

Notice the pattern? If it’s new, high-tech, or deals with sensitive data, your DPIA-senses should be tingling.

 

But How Do You Actually Do a DPIA?

Now we’re into the meat of it. Here’s how I’d talk through a DPIA with a member of staff; let’s say the Deputy Head has just discovered an amazing classroom management tool from the USA.

DPO: “Okay, tell me what this thing does.”
DH: “It tracks behaviour points, syncs with parents, analyses learning patterns, and adjusts tasks based on performance!”
DPO: “Cool. What kind of data does it collect?”
DH: “Names, behaviour logs, test scores… oh, and it uses webcam input to assess engagement…”
DPO: deep breath “Right. Time for a DPIA.”

A proper DPIA goes something like this:

  1. Describe the Project and Purpose

Lay it out like you’re explaining it to someone outside education. What are you doing, why are you doing it, and what data are you using?

  1. Assess Necessity and Proportionality

Is there another way to achieve the same goal with less data? Are you collecting only what you need? (You’d be surprised how many tools hoover up data they don’t actually use.)

  1. Identify and Assess Risks

Here’s where it gets juicy. You look at:

  • Risk of data being hacked or leaked
  • Risk of data being used beyond its intended purpose
  • Emotional or psychological risk to students (especially vulnerable ones)
  • Risk to staff if their data is included
  • Risk from poorly vetted third-party vendors
  1. Identify Mitigations

You don’t just throw up your hands and walk away. You work out how to reduce the risk. Encryption? Access controls? Parental consent? Staff training? Less data?

  1. Consult if Necessary

Got a DPO? Use them. Got students or parents involved? Ask them for input. Consultation shows accountability.

  1. Sign Off and Keep It On File

A DPIA is not a dusty form. It’s a living document. It should be stored and updated as the project evolves.

 

DPIA in Action: The Wi-Fi Watcher Incident

One real-world example (with details changed to protect the innocent): A secondary school wanted to monitor student internet usage more closely. They installed new software that logged all online activity, including personal emails and searches.

They skipped the DPIA.

A student complained when their anxiety-related search history was flagged and discussed by a teacher. The school faced backlash for over-monitoring and mishandling sensitive data.

Had they done a DPIA, they might have caught the issue early:

  • The system didn’t distinguish between schoolwork and personal browsing.
  • No consent was sought for monitoring beyond curriculum tools.
  • No clear policy existed for how flagged data would be handled.

With a DPIA, they could have:

  • Restricted logging to school hours or curriculum websites.
  • Built in student safeguards.
  • Created transparent policies with student involvement.

 

Why DPIAs Matter in Education

Ultimately, DPIAs aren’t about red tape. They’re about people. In schools, that means kids, often vulnerable, always trusting, and the staff who support them.

Done right, DPIAs do three things:

  1. Protect students and staff.
  2. Prevent costly (and embarrassing) missteps.
  3. Build trust with your community.

Think of DPIAs like risk assessments for ideas. If you wouldn’t bring an untested experiment into your science lab, why let an untested data process into your school?

So next time someone in your school says, “We found this amazing new app!” just smile and say:

“Great! Let’s DPIA it.”

Because the devil?… It’s always in the details.

/by

FOIs: A Quick Guide to Processing in Education

September marks the start of a new school year and with it, we often see an influx of FOI requests.

It usually starts with an email. The subject line is polite, official (possibly even a little dry): “Request under the Freedom of Information Act 2000.”

You open it, wondering if it’s a mistake. It’s not. Someone; a journalist, a parent, a campaigner, or simply a curious member of the public, wants to know something. And they’ve used the law to ask for it.

If you work in a publicly funded school, college or university, this moment will happen eventually.

What is a Freedom of Information Request?

A Freedom of Information (FOI) request is a formal right, enshrined in law, that allows anyone to request access to recorded information held by public authorities.

In practice, it means that people can ask your institution for all sorts of information: how much you spend on IT software, your attendance policies, the number of staff disciplinaries in the last academic year, or how many trees are on campus. Some questions are serious and data-heavy; others can feel oddly niche. All deserve to be handled with care.

The Freedom of Information Act 2000 is the legal framework that governs this process, and if you’re funded by the state (whether you’re a maintained school, academy, sixth form college, or university) you’re covered by the Act.

What Happens When You Receive One?

The moment a request is received in writing (email is fine), the clock starts ticking. You have 20 working days to respond. Not 20 calendar days. Twenty working days from receipt.

The request doesn’t need to say “Freedom of Information” to be valid, it just needs to ask clearly for information. You’re only required to provide what you already hold in recorded form. That means documents, emails, spreadsheets, and data. Not opinions, hypotheticals or creating new analysis from scratch.

Where Do You Start?

Start by reading the request carefully. Does it make sense? Is it clear what’s being asked? If not, there’s room to seek clarification, but don’t delay unnecessarily.

Then comes the search. This often involves a bit of internal digging: a polite email to a department, a rummage through shared drives, a search of archived documents. Sometimes the answer is easy to find; sometimes it’s buried beneath years of naming conventions like “final_final_USETHIS_one.docx.”

Once the information is located, it needs to be reviewed. Are there personal details? Is there commercially sensitive data? Would disclosure cause harm? The Freedom of Information Act contains a number of exemptions for situations like these, but they must be applied with precision and fairness.

Redaction may be necessary. Context may be helpful. But transparency is the goal, unless there’s a compelling reason to withhold.

What If It’s… Difficult?

Some requests are tricky. Some are frustrating. Some seem designed to test the limits of patience.

The Act allows for requests to be refused if they are vexatious, repetitive, or too costly to fulfil. But this isn’t a get-out clause. It must be justified. There’s a balance to be struck between protecting resources and respecting the public’s right to know.

And while the content of a request might raise eyebrows (how many pigeons have entered the school library this term?), it doesn’t mean it lacks legitimacy.

Why It Matters

Freedom of Information isn’t about catching schools or colleges out. At its heart, it’s about accountability. Education institutions are entrusted with public money and play vital roles in their communities. FOI ensures that trust can be tested and reinforced.

Handled well, FOI requests can be an opportunity to show good governance, sound decision-making, and openness.

Handled badly (ignored, delayed, or dismissed), they can lead to complaints, investigations by the Information Commissioner’s Office, and damage to reputation.

FOI requests are not everyday occurrences for most education staff, but they’re not rare either. They arrive, sometimes quietly, and ask institutions to do what they already strive for: to be transparent, responsible and fair.

A clear internal process helps. So does a calm approach. Most of all, it helps to see these requests not as burdens, but as part of the wider responsibility that comes with public trust.

Because when someone asks, “Can I see that information?”, the best answer is not just “Yes,” but “Here it is, clearly, correctly, and on time.”

/by

Data Use Complaint: A Story from the School Office

It begins with a simple email.

“Dear Office, I’m concerned about the data collected by the new homework app. Could you let me know what’s being stored about my daughter, and whether we can opt out?”

At first glance, your school administrator treats it as a routine enquiry. A parent, understandably cautious. The message gets forwarded to your IT team and is quickly forgotten.

But a few days later, a second email appears:

“I haven’t received a response. Under UK GDPR, I believe I’m entitled to this information.”

At this point, you pause. Is this just a question, or something more? Could this be considered a data protection complaint? Should there be a formal process in place? And if so, who is responsible?

Suddenly, you’re faced with a requirement that, until now, may not have felt urgent – but is now absolutely necessary.

 

A New Legal Expectation for Schools

Before 2025, data protection concerns in schools were relatively informal. A quick reply often sufficed.

But under the Data Use and Access Act 2025, that’s no longer enough.

The legislation introduces clearer expectations for how educational institutions handle complaints related to data protection. The emphasis is now on being structured, transparent, and responsive, especially when the complaint involves the data of a child.

 

What the Law Now Requires from You

The Data Use and Access Act 2025 introduces several concrete requirements for complaints handling:

  1. A Formal Complaints Process

You must have a clear and specific procedure for handling complaints relating to personal data. This should be separate from your general complaints policy and easy to understand.

  1. An Online Complaint Form

It is now a legal requirement to provide a dedicated, electronic form on your website for individuals to lodge a data protection complaint.

  1. Acknowledgment Within 30 Days

You are required to formally acknowledge all data protection complaints within 30 calendar days of receiving them.

  1. A Prompt, Reasonable Response

There’s no strict statutory timeframe for resolution, but the law requires that you respond, “without undue delay.” The ICO will expect to see evidence of timely, proportionate action.

 

Practical Steps You Should Take

If you haven’t already, now is the time to act.

  • Create an accessible digital complaints form

Ensure it’s linked from your privacy notice and easy for parents, pupils, and staff to find.

  • Develop a clear internal process

Define who receives the complaint, who investigates, and who signs off the response. Consider how you will track and document each step.

  • Train staff across departments

Your admin team, teachers, and support staff should know how to recognise a data complaint, and when to escalate it.

  • Involve your DPO early

Your Data Protection Officer or Data Protection Lead should be actively involved in setting up the complaints process and reviewing each case.

 

A Likely Scenario

Imagine this:

A parent asks why a learning platform seems to be recommending content to their child based on interaction history. They ask what’s being tracked, and who can see it. At first, it feels like a casual question, but it meets the definition of a data protection concern.

If you don’t have a formal process in place, there’s a risk of delay or miscommunication, and that’s now a compliance issue.

But with the right system, the response is simple:

“Thank you for raising this. We’ve received your complaint and are reviewing it. You’ll receive a further response shortly.”

That one sentence does more than meet a legal obligation; it demonstrates trust, care, and professionalism.

 

Why This Matters

As a school, you manage sensitive data every day, academic records, safeguarding notes, medical needs, behavioural reports, and increasingly, digital interactions.

The expectations from parents, pupils, and regulators have never been higher.

By developing a clear complaints procedure, you’re not just reducing risk, you’re showing your school community that you take their rights seriously.

A single email could spark a chain of events. But with the right policies and mindset, it doesn’t need to become a crisis.

You have the opportunity to respond confidently, clearly, and in full compliance with the law.

Because when someone raises a concern about how you use their data, or their child’s, it’s not just a legal issue, it’s a matter of trust.

/by

“You’ve Got (Subject Access) Mail!” – Navigating SARs in Schools Without Losing Your Sanity

Imagine it’s a rainy Thursday afternoon. You’ve just finished playground duty and you’re halfway through a lukewarm coffee when the email pings into your inbox. It’s a Subject Access Request (SAR), and not just any SAR, it’s one of those SARs: someone wants “all the information you hold about them.”

Cue internal screaming.

But don’t panic. Whether the request comes from a parent, a staff member, or even a student themselves, SARs are a regular part of school life under data protection law. They might not arrive every day, but when they do, they tend to bring a flurry of questions, and a fair bit of admin.

And thanks to the Data Use and Access Act (DUAA), the rules have been sharpened, the expectations clearer, and some of the grey areas just got a little less grey.

Let’s take a breath and walk through what this actually means for you, the person who now has one calendar month (no, that hasn’t changed) to find and deliver everything that qualifies as “personal data.”

 

So what does “all the information” actually mean?

Here’s where things get interesting. When someone submits a SAR asking for “everything you hold about them,” they’re invoking their rights under the UK GDPR and now the Data Use and Access Act (DUAA), which has reaffirmed and clarified how those rights apply in public bodies like schools.

They’re not just asking for what’s in their file folder; they want everything (digital, physical, historical) that says something about them and is stored by the school.

This could be emails that mention them (yes, even those ones you wish you’d written more diplomatically), reports, assessments, meeting notes, disciplinary hearings, communications between staff about that person, and more.

But it’s not everything, everything.

That private WhatsApp message you sent to a colleague about your frustrating morning? Still probably out of scope, unless you’ve somehow used it to make a formal decision or documented it in school systems.

The DUAA now gives clearer boundaries here: personal communications not forming part of a school’s official processing activities are generally not in scope. But always assess context and purpose.

And here’s a welcome relief:
The DUAA also gives you the right to seek clarification when a request is unclear or too broad. If someone asks for “everything,” but you reasonably believe they’re looking for something specific (say, safeguarding records or a particular incident), you can pause the clock while you ask them to narrow it down. Just make sure you document the clarification request and don’t delay unnecessarily.

This can save hours of time and reduce the risk of over-disclosure or missed data.

 

What should you be including?

If the data says something about the person and you’re holding it in your professional capacity, odds are it’s in.

Think emails, student records, safeguarding files (yes, even the tricky ones), disciplinary records, performance reviews, and any formal or informal notes that contribute to school decisions or knowledge.

Even if the person wasn’t the author of the document, if it’s about them, they get to see it.

And don’t forget metadata, timestamps, usernames, and version history. Under the DUAA, the definition of “personal data” remains broad, and these still count if they can identify the individual.

 

What can you leave out?

Thankfully, not everything needs to be handed over. The DUAA clarifies exemptions around safeguarding, exam scripts, and third-party data, but it also tightens how schools must apply them.

Here’s what remains true (with some added clarity):

  • Truly personal notes not part of the school’s records or decision-making process? Still probably exempt.
  • Informal, handwritten notes not used to inform decisions? Possibly out of scope but under the DUAA, if they’re later referenced in emails or meetings, they become part of the record.
  • Other people’s data? Now more explicitly protected. The DUAA reinforces that schools must redact or anonymise third parties, especially in safeguarding reports or behavioural logs.

Also, the DUAA introduced a more formal “harm-based test” for withholding certain disclosures, especially when releasing data could put someone at risk (e.g. in child protection cases). So while the exemptions are narrow, they are now better defined.

 

Where do you even look?

Data hides in more places than you think. The usual suspects: your MIS, email servers, safeguarding platforms, and cloud learning tools.

But the DUAA now places a firmer expectation on schools to have documented data maps or records of processing, so you can actually find what you need without resorting to digital archaeology.

That means staff shared drives, laptop folders, Teams logs, and even archived paper files may still hold data that must be reviewed.

You don’t need to become Sherlock Holmes, but you are expected to conduct a “reasonable and proportionate search” and the DUAA now helps define what that looks like. It’s less about exhausting every dusty archive and more about having a clear search strategy and audit trail of your efforts.

 

A final word to the wise

A SAR is not just a bureaucratic hoop to jump through. It’s a window into how much we record, how we talk about people, and what assumptions sit in our systems.

The Data Use and Access Act reinforces that access is a right, but also that handling these requests should be structured, documented, and mindful of harm. It’s not just about handing over a stack of papers; it’s about transparency done properly.

So yes, receiving a SAR might still feel like being put under a microscope but, it’s also an opportunity. A moment to tidy up your data habits, update your record-keeping, and reflect on how information flows through your school.

And next time someone asks for “everything you’ve got,” you’ll know where to start, what to include, what to redact and, most importantly, how to stay sane while doing it.

/by

The DUAB is Now Law: What This Means for Education

On the 19th of June 2025, the Data Use and Access Act (commonly known as the DUAB or DUA Bill) officially received Royal Assent, marking a significant update to the UK’s data protection framework. While it doesn’t entirely rewrite GDPR, it does bring a number of key changes that educational institutions need to be aware of.

Let’s break it down and explore what this means for colleges, schools, and educational staff in a practical, easy-to-digest way.

Subject Access Requests: The Clock Pauses for Clarification

We know that managing Subject Access Requests (SARs) can be time-consuming, especially when students or staff request a mountain of data.

Here’s what’s changed:

  • If someone submits a SAR and you need clarification, the response deadline is paused until they respond.
  • You can reasonably ask for clarification if you hold a large amount of data about the person.
  • Once clarification is received, you must still perform a reasonable and proportionate search for the requested data.

Takeaway for educators: If a student or staff member submits a vague or broad SAR, you now have the legal room to ask for specifics before the 30-day countdown begins. This helps you stay compliant and focused on what’s actually needed.

Complaints Must Be Handled Internally First

The new law gives organisations a chance to fix things before complaints go to the ICO (Information Commissioner’s Office).

Now, if someone raises a data protection issue:

  • You must acknowledge their complaint within 30 days
  • Take appropriate steps to investigate and address it
  • And inform them of the outcome

What this means: Colleges should ensure there’s a clear internal complaint process. This is a great time to check that your staff know how to escalate issues internally, before they become a bigger (and more public) problem.

Automated Decision-Making & AI in Education

With AI becoming a growing tool in education, think automated exam marking or application screening, DUAB clarifies how these systems should be handled:

Automated decisions that have legal or significant effects (e.g. admissions, grading) are permitted, as long as:

  • The individual is told their data will be used this way,
  • They are given the option to contest the decision, and
  • Human intervention is available.

Heads up: If your college uses AI to grade tests (like automated multiple-choice scoring), or any automated student decision-making systems, let your data protection lead know. You’ll need to be clear with students about their rights and the role AI plays.

Cookies: A Bit More Flexibility

Let’s talk cookies. No, not the chocolate chip kind.

DUAB introduces exemptions to the consent requirement for certain non-essential cookies. That includes cookies used for:

  • Statistical analysis
  • Website performance
  • User preferences
  • Service improvements

Good news for IT teams: If your college’s website uses cookies only for these purposes, you no longer need to obtain user consent.

Legitimate Interests: A Clearer Path Forward

There’s now a recognised list of “legitimate interests”, making life a bit easier for data protection leads. These include:

  • Safeguarding students and staff
  • Fraud prevention
  • Network and system security
  • Intra-group data sharing (for multi-site colleges)
  • Direct marketing

If your college is processing data for any of the above reasons, you no longer need to complete a Legitimate Interests Assessment (LIA).

Bottom line: This streamlines processes and reduces paperwork when handling security or safeguarding-related data.

What’s Next?

While these updates are now law, the government hasn’t yet published education-specific guidance. In the meantime:

  • Review your current policies, especially around SARs, complaints, and automated decision-making
  • Update your internal processes and staff training to reflect the new rights and obligations
  • Monitor for upcoming sector-specific guidance

If you’d like to explore more detailed legal interpretations or dive deeper into how DUAB changes things across different industries, click here for further information.

Let’s continue to champion responsible data use in our schools and colleges. These changes aim to strike a better balance between protecting individuals’ rights and reducing unnecessary red tape – and that’s something we can all get behind.

/by

“It’s Just Exams” – Until It Isn’t: Mental Health, Exam Stress and What GDPR Really Says About Sharing Student Data

It’s that time of year again.

The corridors are quieter. The library’s full. Revision guides multiply like gremlins. Students are hunched over past papers, and you’ve lost count of how many times you’ve said, “Just do your best.” Exam season: the annual rite of stress, snacks, and sharp-tipped pencils.

We know the drill. We also know that for some students, it’s more than just pressure. It’s panic. Fear. Sleepless nights. And in some cases, a quiet, growing despair that’s not always easy to spot.

So what happens when one of your students hits a breaking point?

Let’s say you’re a form tutor. One morning, during a routine check-in, a Year 11 student makes an offhand comment that stops you cold: “I’m not sure there’s any point in trying anymore. None of this matters anyway.” They brush it off with a shrug, but something in their tone makes your gut twist.

You’ve got safeguarding training. You know the signs. But now you’re also thinking about what you can and can’t say. What happens if you need to tell someone else? What if they’ve asked you not to? How does GDPR come into play?

Let’s be absolutely clear here: UK GDPR does not prevent you from protecting a student’s wellbeing. The law might sound like it’s all about red tape and locked filing cabinets, but when it comes to emergencies, particularly involving someone’s health or life, it’s surprisingly human.

The key phrase in the legislation is “vital interests.” If a person’s life, health, or safety is at serious risk, you can share their personal information without consent. In fact, in those moments, you’re not just allowed to, you’re expected to act.

So in our example, yes, you absolutely can and should inform your Designated Safeguarding Lead. You might also need to involve mental health services, the student’s parents or carers, or in rare cases, emergency services. You don’t need the student’s permission if you’re worried about their immediate safety. You just need to make a professional, proportionate judgment and record your decision clearly.

That might feel uncomfortable. Students often confide in us because they trust us. It’s natural to want to protect that trust. But safeguarding isn’t about keeping secrets, it’s about keeping people safe. And there’s a way to do both. You can tell the student, calmly and compassionately, that you’re concerned and that you’ll be speaking to someone who can help. It’s not a betrayal. It’s part of the responsibility they trust you to carry.

Let’s take another scenario. An exam invigilator notices a student sobbing quietly during a paper. After the exam, the student says they haven’t eaten in two days because of anxiety. They also beg you not to tell anyone, claiming they’ll be fine. Do you stay silent?

Again, the answer is no. Even if the student appears to be “functioning,” extreme stress, particularly if it’s affecting basic wellbeing like eating and sleeping, can quickly spiral into something more serious. Sharing this concern with your safeguarding lead or school counsellor is entirely appropriate under data protection law. The student’s welfare outweighs their request for secrecy when real harm is at stake.

Of course, not every case is black and white. There will be moments of hesitation. But that’s why having a clear understanding of your school’s safeguarding policy and how it works alongside GDPR is crucial. It helps you act with confidence and compassion.

And let’s not forget the pressure educators are under too. These conversations are emotionally exhausting. You’re juggling exam timetables, parents chasing grades, and students in various states of meltdown. But knowing that the law supports you in putting a student’s mental health first can take one worry off your shoulders.

It’s worth remembering that the Information Commissioner’s Office (ICO) has been vocal on this: data protection is not a barrier to sharing information where someone’s safety is at risk. The myth that “GDPR says no” in these scenarios is not just unhelpful, it’s dangerous.

At the heart of all this is a simple principle: if you’re genuinely worried about a student’s wellbeing, you must act, and the law supports you in doing so. Share what’s necessary, with those who need to know, and keep a clear, factual record of what you’ve done and why.

So as exam season stretches on and stress levels rise, keep your eyes open, your ears tuned, and your instincts sharp. You might be the person a student trusts most. And in a moment of crisis, that trust can be life-changing so long as you’re willing to act on it.

Because sometimes, “just exams” are anything but.

/by

Wall Displays and Data Delays: Preparing for Inspection Without Breaching GDPR

There’s something unmistakable in the air when an inspection is on the horizon. You can feel the hum of preparation in every corridor; policies being printed, classroom displays getting a refresh, and colleagues exchanging knowing glances over the photocopier. It’s all hands-on deck, and every detail matters.

But as walls are re-pinned and cupboards reorganised, another question often arises quietly in the background: Are we still within the bounds of data protection law?

The answer isn’t always as straightforward as we’d like. In fact, GDPR considerations often become most visible in the very things we proudly display on classroom walls, in shared corridors, or on digital screens. And during inspection season, those questions only feel more urgent.

Let’s consider a familiar example: a colourful “Star of the Week” board, complete with names, photos, and personal achievements. It’s a lovely way to celebrate success but what if one of those pupils has a parent who didn’t give consent for photos? Or a safeguarding concern that makes public identification risky? Even the most well-intentioned display can inadvertently stray into problematic territory.

The same applies to medical or allergy information. Many schools use posters or visual aids to make staff aware of pupil needs, particularly in lunch halls or near staff kitchens. But if that information includes photos, names, and medical conditions in areas accessed by other pupils or visitors, it crosses into “special category data” under UK GDPR. That kind of information requires extra care.

Digital spaces are no less important. In the rush to prepare documents, it’s easy to leave a screen open or a shared drive exposed. But if personal pupil data is left visible or accessible to those without a legitimate reason to view it, the school could find itself facing not only a privacy concern, but potentially a reportable data breach.

None of this means schools must remove every trace of student celebration or wrap the walls in plain paper. GDPR doesn’t ask us to stop recognising achievement, it asks us to think critically about how we do it.

One school I worked with ran what they called a “privacy walk” in the days leading up to an inspection. Staff took ten minutes to walk through shared spaces with fresh eyes, asking themselves: Can visitors see anything they shouldn’t? Are personal details on show unnecessarily? Are we being mindful with how we display medical or safeguarding information? It was a quick, simple exercise that made a measurable difference to their overall compliance, and their confidence, on inspection day.

Similarly, one teacher I spoke to found an elegant solution to a parent’s concern over public displays of progress. Instead of using names on her reward chart, she assigned each child an animal symbol; “Team Owl,” “Team Fox,” and so on. It respected privacy, kept parents satisfied, and the pupils embraced it wholeheartedly.

What matters most is that schools are able to demonstrate thoughtful, proportionate decision-making. Inspectors don’t expect perfection, but they do expect to see that staff understand the principles of data protection and have taken reasonable steps to comply.

If you’re unsure about a display, a chart, or a staffroom noticeboard, ask yourself: Is it necessary? Is it proportionate? And have we obtained the right consent, where needed? If you’re still unsure, speak to your data protection lead or DPO. Getting the answer right before inspection day is far easier than addressing concerns after the fact.

Ultimately, compliance isn’t about red tape, it’s about respect. Respecting pupils’ rights, respecting families’ expectations, and respecting the trust placed in schools to safeguard not only children, but their information.

So as inspection season gathers pace, take a moment to review the little things. The name tags, the photo walls, the charts with more detail than needed. Because when the inspector walks in and the questions start, you’ll be glad you did.

/by

Data Protection vs. Information Security in Schools — Why Both Matter, and How to Get Them Right

Let’s face it, school leaders today wear a lot of hats.

One minute, you’re supporting staff wellbeing; the next, you’re signing off on an EdTech contract, responding to a Subject Access Request, or checking if the new Wi-Fi rollout has encryption (whatever that means, right?).

In today’s increasingly digital world, two terms often crop up: Information Management (or data protection) and Information Security.

They sound similar, and they are closely connected, but they’re not the same. Both are essential in keeping your school’s data safe, legal, and well-managed. Understanding the difference can help you ask the right questions, delegate responsibilities wisely, and build a strong culture of trust and compliance across your school.

Let’s unpack what each one means, and why both matter equally.

What’s the Difference?

Information Management (Data Protection)

This is about how personal data is collected, used, stored, shared and deleted in line with laws like the UK GDPR and the Data Protection Act 2018. It’s focused on the rights of individuals (like pupils, parents and staff) and ensuring their personal data is treated fairly and lawfully.

Think of it as the “legal and ethical brain” behind how information flows through your school.

Examples:

  • Making sure parental consent is collected for use of a pupil’s photo
  • Responding to Subject Access Requests within the required timeframe
  • Having a clear retention schedule (so you’re not holding on to pupil data for 25 years “just in case”)
  • Ensuring only authorised staff can access safeguarding notes or health records

Lead roles: Usually the Data Protection Officer (DPO) or a senior leader with compliance responsibilities.

Information Security

Information security is about the technical and organisational measures you take to protect information from loss, damage, unauthorised access, or theft, whether it’s stored on paper, a laptop, or in the cloud.

It’s the “digital and physical shield” that keeps your systems and data safe.

Examples:

  • Encrypting devices and backing up files
  • Using strong passwords and locking screens
  • Preventing ransomware attacks
  • Ensuring staff don’t email personal data to the wrong recipient

Lead roles: Typically your IT manager, network team, or a designated security officer, often working closely with the DPO.

Aren’t They Completely Separate?

Not quite.

While information management and information security are distinct disciplines with different focuses, they are both key components of compliance under the UK GDPR.

In fact, the UK GDPR specifically requires organisations (including schools) to:

  • Process personal data lawfully, fairly and transparently (that’s information management)
  • Implement appropriate technical and organisational measures to keep data secure (that’s information security)
  • Be able to demonstrate accountability across both areas

So while they each require different expertise, they’re two sides of the same coin when it comes to protecting personal data.

If you have a great privacy policy but your systems are wide open to cyber threats you’re not GDPR compliant. And vice versa: even bulletproof IT security can’t cover for poor practices around data sharing, consent, or retention.

Why You Need Both

Let’s say that your school introduces a new wellbeing platform for pupils.

  • You’ve reviewed its privacy notice
  • You’ve completed a DPIA
  • You’ve told parents how the data will be used

But…

  • Staff are accessing it using shared logins
  • The password is “admin123”
  • You haven’t enabled two-factor authentication

You’ve done your information management well but failed on information security. That could still result in a data breach.

On the flip side, imagine the platform is highly secure; encrypted, password protected, hosted in the UK, but the school didn’t check the legal basis for processing or review the contract terms.

Now you’ve got a data protection problem.

Bottom line?
You need both working together to meet your responsibilities, legally and ethically.

 

So What Does Good Practice Look Like in a School?

Here’s a blended checklist of best practices to help keep your school safe, compliant and prepared:

Do Regular Data Audits

  • Know what personal data you hold, where it’s stored, why you need it, and how long you’re keeping it.
  • Review systems, spreadsheets, email lists, and apps, not just paper records.

Train Staff in Both Areas

  • Teach all staff the basics of data protection and information security, from recognising phishing emails to understanding how to respond to a Subject Access Request.
  • Tailor training for higher-risk roles (e.g. safeguarding, admin, SEND).

Lock It Down

  • Use strong passwords, screen locks, and encrypted devices.
  • Remove access for staff who no longer need it (or have left the school).
  • Consider multi-factor authentication for sensitive systems like MIS or safeguarding platforms.

Review and Share Clear Policies

  • Acceptable use, email and internet use, breach reporting, retention and disposal policies, these shouldn’t be buried on your intranet.
  • Keep them short, practical, and jargon-free.

Don’t Keep Data “Just in Case”

  • Apply your retention schedule and securely delete or archive data once it’s no longer needed.
  • Shred paper records and securely wipe devices.

Be Breach-Aware

  • Know what a breach is (It’s not just data hacking, sending data to the wrong person counts too!)
  • Have a simple breach reporting process that all staff understand
  • Keep a breach log and review it regularly with SLT and your DPO

Shared Responsibility

Data protection isn’t just the DPO’s job. And security isn’t just for the IT team.

Every member of staff has a part to play, from the headteacher to the lunchtime supervisor. By making these two areas part of your everyday school culture, you create a safer environment for your staff, your students, and your wider community.

If you’re not sure where your school stands on data protection or security, you’re not alone. Many schools benefit from a joint review with their DPO, IT team, and SLT, looking at risks, roles, and readiness.

If you’re looking to strengthen both areas, consider:

  • Running a joint INSET session on “Data Protection + Cyber Hygiene”
  • Reviewing your breach log together with IT and DPO staff

Booking an external audit of your information governance and security setup

/by

SARs vs School Records: Subject Access or Education Regulations?

If you’ve ever opened your inbox and seen a message from a parent asking for “all the information you hold on my child,” your first thought was probably:

“Subject Access Request!”

But hold on — not every request for pupil information automatically falls under the UK GDPR. Sometimes, it’s actually a request under education regulations, depending on what’s being asked — and the type of school you are.

Understanding the difference is key. Not only does it help you respond lawfully and efficiently, but it also helps manage expectations and avoid unnecessary workload.

There are two main legal routes parents (or pupils themselves) might use to request access to information:

  1. Subject Access Request (SAR) – under the UK GDPR / Data Protection Act 2018

This allows an individual, including a pupil depending on their age and capacity, to request their own personal data.

  1. Request for the Educational Record – under the Education (Pupil Information) (England) Regulations 2005

This allows parents to request a copy of their child’s educational record, but only if the child attends a maintained school.

Let’s look at each in a little more detail.

Subject Access Requests (SARs) – GDPR territory

This is all about personal data.

Anyone can ask for a copy of the data you hold about them, including pupils (depending on their age and maturity), staff, or parents asking for their own data.

When it comes to parents asking for their child’s data, you’ll need to check whether the child is old enough and mature enough to understand what’s being asked. If they are, they should normally be the one making the request or at least give permission for the parent to do it on their behalf.

If they’re younger or not able to understand, the parent can usually make the request.

What does a SAR cover?

Any personal data you hold about that person. That might include:

  • Behaviour notes
  • Emails mentioning the pupil
  • Health or SEN info
  • Safeguarding logs (with care!)
  • CCTV footage (if the pupil is clearly visible)

When it comes to Subject Access Requests, any type of school may receive a request, including maintained, academies, free schools, and independents and you have 1 calendar month to respond.

Request for the Educational Record – Pupil Regulations

This one is specifically for parents of children at maintained schools (i.e. those run by local authorities). It gives them the right to see their child’s educational record, which is basically anything to do with their progress, learning, and life in school.

What counts as an educational record?

Think stuff like:

  • School reports
  • Attendance records
  • SEN plans
  • Notes from parent-teacher meetings
  • Behaviour points
  • Targets or interventions

It doesn’t include:

  • Child protection files
  • Teacher’s personal notes
  • Information that could seriously harm the child or someone else

Under these regulations, you have 15 school days to respond. You can also apply a charge to cover printing or postage, though most schools just send it electronically for free these days.

For academies and free schools, the right to the educational record doesn’t apply. But many still choose to share records in a similar way, just to be helpful and consistent. It is the same deal with Independent schools, there is no right to the educational record. Parents need to go down the SAR route if they want information about their child, and only if the child isn’t old enough to make the request themselves.

While SARs and education record requests are different, there’s a bit of crossover. Some information might be shared under both, and that’s OK. The key is understanding which law applies and making sure you’re not accidentally oversharing or withholding something you shouldn’t.

When in doubt, take a breath, talk to your DPO, and go from there.

/by

“It’s Not the End of an Era Without a Hoodie”: School Leavers, Traditions and the Truth About GDPR

It’s that time of year again.

The weather’s warming up (at least in theory), the final exam papers are piling up in the staffroom, and the Year 11s, full of nervous energy, optimism, and just a hint of mischief, are preparing to say their goodbyes. It’s the season of leavers’ assemblies, nostalgic slide shows, and of course, the all-important question: “Can we get hoodies with all our names on them?”

Cue the GDPR panic.

Every year, in schools up and down the country, a familiar scenario plays out. A well-meaning teacher or member of the PTA offers to organise personalised hoodies or put together a yearbook featuring class photos and messages. And then, someone asks the question that stops the printer in its tracks: “Wait… is this even allowed under GDPR?”

Let’s unravel this together, because despite what some may believe, GDPR isn’t the fun police. It doesn’t mean you have to cancel prom or produce an anonymised yearbook with stick figures instead of class photos.

The truth is, most of these cherished school traditions can go ahead, so long as they’re handled with care, clarity, and a bit of common sense.

Take the humble leavers’ hoodie. It’s one of those rites of passage that students will cling to years after they’ve grown out of it. Names printed on the back, sometimes nicknames, sometimes surnames, sometimes the dreaded full first-middle-last-name combo. From a data protection point of view, names are indeed personal data. But does that mean you can’t print them?

Absolutely not. You just need a lawful basis to do it—and in most cases, that’s as simple as getting consent.

Whether it’s for hoodies, a yearbook, or a slideshow featuring baby photos, if you’re collecting and sharing personal data outside of core educational purposes, it’s best practice to ask students (or their parents, depending on age) for permission. A simple form will do the trick. The key is to be clear about what data you’re using, where it will appear, and who will see it. No tricks, no fine print in size six font.

And yes, you can still include photos. There’s no secret clause in the UK GDPR that says a picture of Year 11 on the school field at lunchtime is forbidden. If it’s for a yearbook, prom night collage, or school website tribute, the same principle applies; be transparent, get the appropriate permissions, and store images securely. That’s it.

There’s a myth that GDPR somehow outlawed all joy in schools, but the reality is it just asked us to stop being sloppy with data. It’s about respect, not restriction.

Then there’s the classic signing shirts. The ink-stained rite of passage, where uniforms are transformed into messy tributes of inside jokes and hastily scrawled farewells. A few educators have raised their eyebrows at this tradition, worrying it could constitute “uncontrolled data sharing.”

Realistically, if a student voluntarily hands their shirt to a friend and says, “write something embarrassing on my back,” this isn’t a data protection issue, it’s a social one. GDPR doesn’t govern private, student-to-student interactions unless the school is actively collecting and publishing that content. So, you don’t need to enforce a shirt-signing ban (and if you tried, good luck…).

Now, about prom. Some schools host their own; others let parents or external companies run the show. Either way, collecting names for tickets, dietary needs, or emergency contact details is fine, just make sure you’re only collecting what you actually need, and that the data isn’t floating around on someone’s USB stick or unprotected spreadsheet. The golden rule? If you wouldn’t want your own teen’s info handled that way, don’t do it to someone else’s.

So here’s the bottom line: don’t let GDPR myths steal the spotlight from your leavers’ celebrations. Data protection doesn’t mean you can’t celebrate your students. It just asks that you do it with intention.

After all, what better way to send off the next generation than by teaching them that privacy and parties can coexist?

Let them have their yearbooks. Let them wear hoodies emblazoned with names they’ll cringe at later. Let them dance the awkward final dance at prom. And let them remember that their school cared enough to protect their memories without over-policing their goodbyes.

/by