Data Protection in Schools – Everything You Need To Know

GDPR in schools

The aim of the Data Protection Act is to protect our privacy. This means that organisations that hold your personal data need to ensure that it’s processed and held securely. It ensures your confidentiality is respected.

This legislation is massively important in numerous sectors, and the field of education is no exception. Schools, after all, handle the personal data of both pupils and potentially their parents, as well as educators, and any other staff. A breech in security could have disastrous consequences.

This blog will equip you with the know-how on your responsibilities when it comes to data protection in schools, and what can happen if data laws are not followed.

What Is Data Protection?

We all have a right to privacy. When we submit our data to the organisations that request it from us, we are forced to trust that it’ll be used fairly and correctly.

This is essentially what data protection is about. It’s about recognising our right to have control over our identity. It is about respecting our privacy, and ensuring our data is handled in accordance with the law.

Under the Data Protection Act we all have the right to:

  • Be told how our personal data is being used
  • Access our personal data
  • Have incorrect data about us corrected
  • Have our personal data erased
  • Restrict or stop organisations processing our personal data
  • Object to how organisations process our data

Organisations found in breach of the regulations can be fined, and this includes schools. Fines are either 4% of global turnover, or £17.5 million, whichever is the highest. Good practice is essential in complying with the law and maintaining the trust of school employees, parents, caregivers and pupils.

GDPR Awareness Training

Our GDPR Awareness Training course provides a thorough understanding of the key aspects of general data protection regulations, data security levels and different types of threats that organisations or workplaces may face.

Principles of Data Protection

The Data Protection Act lists seven key principles that are to be followed with the aim of protecting personal data and data protection in schools. They are:

  1. Lawfulness, fairness and transparency
  2. Purpose limitation
  3. Data minimization
  4. Accuracy
  5. Storage limitations
  6. Integrity and confidentiality
  7. Accountability

School management need to ensure that these principles are adhered to and that all data processors clearly understand what each entails.

What Personal Information Do Schools Hold?

Schools hold a vast amount of personal information on everyone associated with their establishment.

This includes a pupils’:

  • Names
  • Addresses
  • Date of birth
  • Medical history
  • Disciplinary records
  • Performance records

Alongside this, schools hold the personal data of parents, carers, governors, volunteers and, of course, school staff.

Schools also hold what is classed as ‘special category data’ under the UK General Data Protection Regulations (UK GDPR). This is specific information that includes a pupil’s ethnicity, race, religious beliefs, sexuality and biometric data and strict controls are in place to ensure this data is protected.

What Personal Data Can Be Shared?

There are going to be occasions where schools have to share personal data with third parties –other schools, local authorities and social services. Examples could be when a school trip has been arranged in conjunction with another school or a pupil shows signs of abuse and social services need to be informed.

At these times, it is important to carefully consider what information is being sent and ensure that only vital details are transferred over. Due diligence is also needed to make sure that you are actually sending it to the intended recipient.

Sharing of data extends to images too. Many schools have websites, blogs and social media pages. While it may be tempting to post images of school triumphs, not gaining consent beforehand can lead to a breach of data laws.

Data protection
Data protection

Keeping Personal Data in Schools Secure

Schools can also fall foul of cyber attacks, so it’s essential to have robust cyber security measures in place to prevent hacks and attacks. Failure to protect the sensitive information held on school databases can result in fines and penalties.

Data protection in schools should include:

  • Encryption of all electronically stored personal information
  • Installing firewalls and virus protection software, and updating when prompted
  • Limiting access to personal data to a select few
  • Refraining from making unnecessary copies of personal data, especially physical copies
  • Using strong passwords
  • Appointing a dedicated Data Protection Officer

Privacy Notices

Schools, just like companies, that collect our personal data, need to offer transparency on how data on pupils and staff will be used. This is done via the privacy notice. The notice should explain what information is required by the school, why it is needed and how it may be shared with third parties. Full consent to the use of data collected must be granted.

A school privacy notice must also include details on:

  • How data will be kept up-to-date
  • Confidential waste procedure (ie shredding of documents)
  • Cyber security procedures
  • Expectations of staff who have access to and process the data

The privacy notice must be communicated to all and this is usually done by having a dedicated privacy section on the school website and sending a digital copy to parents/caregivers upon enrolment and again at the beginning of the school year.

How to Prevent Data Breaches in Schools


Undertaking a school audit is one way to prevent data breaches. An audit is a way of examining what data you have to see if it is still relevant and has been stored or discarded correctly.

Many changes can take place in a school year. Pupils move homes, move schools, have name changes and care details can change. Auditing the data you hold on them should capture these changes and help to ensure that the data kept is correct.

Data Protection Policy

How you intend to keep data safe should be contained in your data protection policy. The policy will be the go-to document for all data protection issues within the school.

It should cover such topics as:

  • What data protection is
  • Definitions
  • GDPR principles
  • Roles and responsibilities of data handlers
  • How your school will process data lawfully
  • What procedure to follow in the event of a breach

Staff Training

All school staff must be trained on how to keep personal data safe. An understanding of the Data Protection Act, and an awareness of cyber security measures will equip staff with knowledge that will help to prevent breaches as well as what could happen if there is a data breach.

IT Monitoring

Information is passed through a number of channels, and many can be unsecure such as chatrooms, social media platforms and messaging apps. So, it’s crucial to keep an eye on all channels where personal data may be flowing and also to educate pupils on how to stay safe online, so that they don’t contribute to data breaches too.

What Can Go Wrong

A failure to properly secure collected data can have disastrous consequences for an educational body. As an example, the University of Greenwich was fined £120,000 in May 2018, after it was found that a security breach left the personal data of 20,000 students, staff and alumni exposed.

A website set up for a conference that took place back in 2004, was not properly shut down and secured when no longer needed. This enabled cyber criminals to compromise the website and gain access to the university’s computer system that held the personal data.

The University was the first in the country to be fined by the ICO under the Data Protection Act, that came into force that year. Along with the legal repercussions, the school’s reputation was also impacted.

Get To Grips With GDPR and Data Protection Law

Being well informed on data protection is the best way to prevent breaches and avoid fines. The subject can be a bit of a minefield but our GDPR and Data Protection courses are designed to make learning simple and boost knowledge and awareness. Courses can be accessed 24/7 and completed in your own time.

About the author(s)

Authors Photo
Beverly Coleman
Share with others
You might also like