A Guide to Data Protection for Schools
Schools handle large amounts of personal information every day, from student records and safeguarding concerns to staff employment details and parent contact information. As schools process sensitive information about children and young people, they have a legal and ethical responsibility to manage that data carefully. In this article, we’ll explain what data protection means for schools, the types of data schools collect, the seven data protection principles, how to manage subject access requests and who is responsible for data protection within a school environment.
Use the contents below to jump to a certain section of the guide.
- What is the Data Protection Act for Schools?
- What Type of Data Do Schools Collect?
- The 7 Data Protection Principles
- Handling Subject Access Requests (SARs) and Data Rights
- Who is Responsible For Data Protection in Schools?
What is the Data Protection Act for Schools?
The Data Protection Act 2018 is the UK law that works alongside the UK GDPR (General Data Protection Regulation). It sets out how organisations, including schools, must collect, store, use and share personal information. The law applies to all schools, academies, colleges and other educational settings that process personal data.
Schools process significant amounts of information every day, often relating to children and vulnerable individuals. This means that education settings must take particular care when handling data to ensure it remains secure, accurate and only accessible to authorised people.

Data protection can be especially challenging in schools because staff regularly need to share information quickly and appropriately. For example, safeguarding concerns may need to be shared with external agencies, teachers may use digital learning platforms and schools may publish photos or achievements online. Staff must understand when information can be shared lawfully and when consent or additional protections are required.
Good data protection practices help schools to:
- Protect students, parents and staff from misuse of their personal information.
- Support safeguarding and child welfare responsibilities.
- Maintain trust between schools and families.
- Reduce the risk of data breaches and cyber security incidents.
- Demonstrate legal compliance with UK data protection legislation.
Importantly, data protection law does not prevent schools from sharing information where it is necessary to safeguard a child. Keeping Children Safe In Education (KCSIE) and Working Together to Safeguard Children (WTSC) guidance both emphasise that fears about sharing information must not stand in the way of protecting children from harm.
What Type of Data Do Schools Collect?
Schools collect a wide range of information about students, parents, carers, staff and visitors. Before staff can protect data correctly, however, it’s important to understand what counts as personal data and which information requires additional protection. There are two types of data to understand:
Personal Data
Personal data is any information that can identify a living person, whether directly or indirectly. In schools, this includes information held digitally and in paper records. Schools often collect this information to fulfil their legal duties, provide education, communicate with families and support student wellbeing.
Common examples of personal data in schools include:
- Names, addresses and contact details.
- Dates of birth.
- Attendance records.
- Assessment and exam results.
- Behaviour records.
- Photographs and video recordings.
- Parent and emergency contact information.
- Staff employment records.
- CCTV footage.
- Online learning and device usage information.

Special Category Data
Some information is considered more sensitive and so receives additional protection under UK GDPR. This is known as special category data (the list is set out in Article 9 of the UK GDPR). To process it, schools need both a lawful basis under Article 6 and a separate Article 9 condition (for schools this is commonly a legal obligation, a substantial public interest condition or explicit consent), and they must ensure it is only accessed by people who genuinely need it to carry out their role. Examples of special category data in schools include:
- Medical information and health records.
- Information about disabilities or additional needs.
- Ethnicity and racial background.
- Religious beliefs.
- Biometric data used to identify a pupil, such as fingerprint systems for cashless catering or library access. Note that the Protection of Freedoms Act 2012 additionally requires schools to notify parents and obtain written consent before using a pupil's biometric data, and the pupil may refuse.
- Safeguarding records and information about a student's family circumstances where it relates to social care involvement. These are not themselves in the Article 9 list, but they routinely contain health information and criminal offence data (which has its own protections under Article 10), so they should be handled with the same care.
Looking to Improve Staff Awareness?
Our Data Protection for Schools course helps education professionals understand UK GDPR, how to handle sensitive information appropriately and how to help prevent data breaches in schools.
The 7 Data Protection Principles
The UK GDPR is built around 7 key data protection principles. These principles guide how schools should handle information in their everyday operations and understanding them helps staff make safer decisions when collecting, storing, sharing and disposing of data. The data protection principles apply to all forms of personal information, whether held electronically, in emails or on paper.
The 7 data protection principles are:
1. Lawfulness, Fairness and Transparency
Schools must process data lawfully, fairly and transparently. This means individuals should understand how their information is used and why it is needed. For example, parents and students should understand how photographs, videos and online learning platforms are used.
Schools should also provide privacy notices explaining:
- What information is collected.
- Why the information is needed.
- Who it may be shared with.
- How long it will be kept.
2. Purpose Limitation
Schools must only collect information for specified and legitimate purposes and should not use it in ways people would not reasonably expect. For example:
- Contact details collected for emergency purposes should not be used for unrelated marketing.
- Safeguarding information should only be shared with appropriate professionals.
- Photos taken for internal school records should not automatically be published online without appropriate permissions.

3. Data Minimisation
Schools should only collect and keep the information they genuinely need. Collecting excessive information increases the risk of data breaches and makes records harder to manage securely. Examples include:
- Avoiding unnecessary duplication of records.
- Limiting access to sensitive safeguarding files.
- Only requesting information relevant to a student’s education or welfare.
4. Accuracy
Personal information must be accurate and kept up to date as incorrect information can create safeguarding risks and communication problems. Schools should regularly review records to ensure information is current, such as:
- Emergency contact details.
- Medical information.
- Attendance records.
- Staff employment information.
5. Storage Limitation
Schools should not keep personal information for longer than necessary. Retention periods vary depending on the type of record and should be set out in a documented retention schedule. For example, safeguarding files often need to be retained for much longer than routine administrative records. When information is no longer needed, it should be disposed of securely by:
- Shredding paper documents.
- Permanently deleting electronic records, including copies held in backups and by third-party processors.
- Following secure disposal procedures for devices and storage systems.

6. Integrity and Confidentiality
Schools must protect personal data against unauthorised access, loss or misuse. This principle is especially important when handling safeguarding information or sharing information with external agencies. Practical measures include:
- Using strong passwords and multi-factor authentication.
- Locking filing cabinets and offices.
- Encrypting devices.
- Restricting access to sensitive information.
- Training staff regularly on data protection and cyber security.
- Reporting and managing data breaches promptly. A breach that is likely to result in a risk to individuals must be reported to the ICO within 72 hours of the school becoming aware of it, so staff need to know who to tell internally and to do so straight away.
7. Accountability
Schools must be able to demonstrate compliance with data protection law and actively show they are taking data protection seriously, rather than simply claiming compliance. This means schools should:
- Maintain clear data protection policies.
- Train staff regularly.
- Keep records of processing activities where required.
- Carry out risk assessments when introducing new systems or technologies.
- Monitor third-party providers handling school data.
Handling Subject Access Requests (SARs) and Data Rights
Under UK GDPR, individuals have rights over their personal information. One of the most common rights exercised in schools is the right of access, often referred to as a Subject Access Request (SAR). Schools must usually respond to a SAR within one calendar month of receiving it; this can be extended by up to a further two months if the request is complex or the individual has made several requests, but the school must tell the individual about the extension within the first month.
A SAR allows an individual to request:
- A copy of the personal information held about them.
- Information about why their data is being processed.
- Details of who the information has been shared with.
- Information about how long the data will be kept.
Access Rights for Parents and Students
Handling SARs in schools can be complex because of the relationship between parents and children. A parent does not automatically have the right to access all information relating to their child: the right of access belongs to the child, and a parent exercises it on the child's behalf only where the child is too young to understand it. Older children who are considered competent (the ICO uses age 12 as a reasonable indicator, though this is not a fixed rule) can make their own decisions about access to their information. Schools must consider:
- The age and maturity of the child.
- Whether the child can understand their own rights.
- Whether sharing the information is in the child’s best interests.
- Any safeguarding concerns.

The Right to Rectification and Erasure
Individuals also have the right to request that inaccurate information is corrected. In some circumstances, individuals may ask for information to be erased. However, schools cannot always delete information simply because a request is made.
Parents and staff need to understand that educational settings may need to retain some personal records to comply with legal obligations, safeguarding duties or public interest requirements. For example, safeguarding records are unlikely to be deleted if they are still required to protect a child or comply with statutory guidance.
Sharing Information Safely
Schools must ensure personal information is shared securely and appropriately. The latest KCSIE and WTSC guidance both reinforce that information sharing is essential for effective safeguarding and child protection. Staff should:
- Verify the identity of anyone requesting information.
- Share only the minimum information necessary.
- Use secure communication methods.
- Keep records of important disclosures where appropriate.
Who is Responsible For Data Protection in Schools?
Data protection is a shared responsibility across the whole school. While some roles have specific legal duties, every member of staff plays a part in protecting personal information. Understanding who is responsible for what, helps schools create clear processes and reduce the risk of mistakes or breaches.
Data Controllers – the Data Controller is the organisation that decides how and why personal information is processed. In schools, the Data Controller is usually the governing body of a maintained school or the academy trust for an academy; a local authority is a separate controller for the pupil and staff data it holds for its own functions. The Data Controller is legally responsible for ensuring compliance with UK data protection law.
Data Protection Officers (DPOs) – schools that are public authorities (maintained schools and academies) are required to appoint a Data Protection Officer, who helps the school to:
- Monitor compliance with data protection law.
- Provide advice and guidance.
- Support staff training.
- Investigate data protection concerns.
- Act as a contact point for the Information Commissioner’s Office (ICO).

Third-Party Data Processors – schools often use external providers, known as third-party data processors, to process information on their behalf. Examples include management information systems, online learning platforms, cloud storage, catering payment systems and school photography companies. The school remains the controller and is accountable for this data, so it must have a written contract with each processor containing the terms required by Article 28 of the UK GDPR (including restrictions on sub-processors and on transfers of data outside the UK), and must satisfy itself that the provider handles information securely.
School Staff – every member of staff has a responsibility to protect personal information. Human error remains one of the most common causes of data breaches in schools, which is why ongoing staff training is essential. All members of staff must:
- Follow school data protection policies.
- Keep passwords secure.
- Report concerns or breaches promptly.
- Use school systems appropriately.
- Handle safeguarding information confidentially.
- Complete regular training in data protection, cyber security and GDPR, where appropriate.
Schools handle large amounts of sensitive information every day. From safeguarding records to student assessments, schools must ensure all data is collected, stored and shared securely and lawfully. By embedding good data protection practices across the whole school, education settings can meet legal requirements, support safeguarding efforts and build trust with students, parents and staff.
Further Resources:
- Single Central Record: KCSIE Guidance for Schools
- Multi-Agency Working in Safeguarding
- Data Protection for Schools Course