Data Protection in Schools – Guidance for the Education Sector

March 4, 2015
Clock Icon 14 min read

The Data Protection Act 1988 is designed to protect the privacy of individuals. It requires that any personal information about an individual is processed securely and confidentially.

This includes both staff and pupils. How you obtain, store, share and use information is critical as personal data is sensitive and private. Everyone, adults and children alike, has the right to know how the information held about them is used.

Data Protection Guide

The links below help you navigate to a specific section in the guide.

What is Personal Information?

Personal information is anything relating to a person that can be used to identify them. This includes both manual paper records and digital records.

In a school, examples of personal information include:

  • Names of staff and pupils.
  • Dates of birth.
  • Addresses.
  • National insurance numbers.
  • School marks.
  • Medical information.
  • Exam results.
  • SEN assessments and data.
  • Staff development reviews.

This guide provides you with an overview of your responsibilities under the Data Protection Act if you work in education.

Back to Top

Registering with the ICO

Under the Data Protection Act, all data controllers must notify the Information Commissioner’s Office (ICO) about how they process personal information.

Each individual school is a data controller and so must register with the ICO. Failure to do so is a criminal offence.

Registration is done via a simple online form. It must be signed and sent to the ICO along with the annual fee. To access the registration form, go to the ICO’s website.

Schools must notify the ICO of:

  • The purpose for which the school holds personal data.
  • What data it holds.
  • To which countries they intend to transfer the data.
  • The source of said data.
  • To whom they intend to disclose the data.

Once you’ve registered, the ICO publishes certain details in the register of data controllers, which are available to the public.

woman on computer training

Back to Top

Fair Processing / Privacy Notices

When you collect information about a child, parent or staff member, you must be clear and transparent about how you intend to use it.

Schools need to explain in clear language that the personal data of everyone in the school (both staff and students) will be processed and why they are doing so (for example: to facilitate education or to arrange school trips).

In order to comply with the Data Protection Act Principles, schools should have ‘fair processing notices’ or ‘privacy notices’ in place.

The aim of a privacy notice is to summarise what information is needed, why it is being collected and which third parties it may be passed on to. The person whom the information is about must give their consent in order for you to hold it.

Different services, such as primary versus secondary schools, have different data requirements. So each service needs an individual privacy notice.

Generally, a privacy notice should state:

  • Your identity and, if you are not based in the UK, the identity of your nominated UK representative.
  • The purpose or purposes for which you intend to process the information.
  • Any extra information you need to give individuals in the circumstances to enable you to process the information fairly.

Include the notice in any enrolment documentation and on the bottom of any forms used to collect personal information. It should also be displayed in the school reception area or on the school’s website. Many schools send out a copy of their privacy notice to students at the start of each school year.

When a letter or other document requires a student, parent, or staff member to provide personal data, fields that are vital could have an asterisk placed next to them. This make it clear to the person what they must fill in and where they can leave spaces blank.

Information must not be collected just because it might become useful later – it must be essential for the present intended purpose.

To help you write a privacy notice, take a look at the ICO’s guidance document.

office computer

Back to Top

Information Security

Once personal information about students, parents and teachers has been gathered, it must be kept secure.

Unauthorised access or loss of information can cause serious harm to people. The ICO can issue fines if they learn that appropriate safety precautions are not being taken.

Both manual and digital records need to be secure. The level of security should reflect the potential harm that could result from the loss or misuse of the data. Memory sticks perhaps need the most consideration as they are very easy to lose. Either avoid the use of memory sticks completely or ensure they are password protected and fully encrypted.

Back to Top

The 8 Data Protection Principles

  1. Data must be processed fairly and lawfully.
  2. It should be obtained only for one or more specified and lawful purposes
  3. All data held shall be adequate, relevant, and not excessive.
  4. Data should be accurate and up to date.
  5. It should be held no longer than for the purpose it was originally collected.
  6. All data should be processed in accordance with the data subject’s rights under the Act.
  7. Data should be secured.
  8. It should only be transferred to other countries if they have suitable or equivalent security measures.

The information provided throughout this guide helps you comply with all 8 of these principles.

Back to Top

Security Measures

Security measures need to be appropriate to the data being held. Furthermore, procedures should be in place to respond to any security breaches and prevent unauthorised access. Not all security measures need to be complicated: sometimes just a simple check-in and check-out system can help reduce risks.

Possible security measures for data protection include:

  • Shredding all confidential waste.
  • Using strong passwords.
  • Installing a firewall and virus checker on your computers.
  • Encrypting any personal information held electronically.
  • Disabling any ‘auto-complete’ settings.
  • Holding telephone calls in private areas.
  • Checking the security of storage systems.
  • Keeping devices under lock and key when not in use.
  • Not leaving papers and devices lying around.

You must ensure that a hard drive is erased securely if you are physically disposing of it. Technical support may be required as simply erasing the data or formatting the drive might not be enough.

Back to Top

Student Subject Access Requests

A student, or someone acting on their behalf, has the right to make a request to see any personal data their school holds about them and why. All pupils have a right to see their own personal information. It must be provided should they ask.

Parents are only entitled to access the personal information held about their child if the child is unable to act on their own behalf, or if the child has given consent to their parent. Even if the child is young, the personal data being held is still their personal data. It doesn’t belong to anyone else, including their parents or guardian.

Before responding to a subject access request for information, you need to consider whether the child is mature enough to understand their rights. If they are, then your response to the request should go to the child, not their parent.

Parents, however, do have the right to see their child’s educational records. A subject access request needs to be made in writing, whether it’s a letter, email or social media message.

You may wish to consider creating a standard form for people to fill in. The maximum fee you can charge for dealing with a request is £10.

You can learn more about subject access requests in the ICO’s guidance document.

Back to Top

Sharing Personal Information

There are occasions where sharing personal data with local authorities, other schools, different departments or social services cannot be avoided. It may be that without sharing the data, actions cannot be completed.

For example, you may need to pass on details about a child showing signs of harm to social services, or another school may need to know which pupils will be present at their sports day event.

You must consider all the legal implications and ensure that you have the ability to share the specified data.

For example, what is the intention behind sharing? Who requires the data, which data is needed and what will it be used for?

Consent must be given by the individual before their personal information can be shared. This is usually part of the privacy notice issued when the data is first collected.

This applies whether you are sharing data between people or online, such as photographs on the school’s Facebook page.

Letters sent from schools to parents should have a data protection statement at the bottom where relevant. For example, if a reply slip is included and requires providing personal data).

Data should only be transferred to other countries if they have suitable or equivalent security measures.

All European Union countries have equivalent data protection rules, so it’s safe to transfer to them if necessary. However, explicit consent should be acquired from the individual if personal data needs to be processed outside of the UK. If the school cannot establish a safe system of data protection with a country outside the EU, they should not even consider sharing personal data.

Back to Top

Sensitive Personal Identifiable Information (SPII)

This refers to information about more sensitive topics. For example: a person’s race and ethnicity, political opinions, religious beliefs, membership of trade unions, physical or mental health, sexuality, and criminal offences.

There are greater legal restrictions on sensitive personal data than regular personal data. Most schools will hold some form of sensitive data about pupils and staff, so processing this requires extra care.

Back to Top

Holding Data and Keeping it Up-to-Date

During the time when you hold data about a person, and for as long as it is being used, it must be monitored for accuracy. It’s essential that you ensure it remains relevant and up-to-date.

Carry out an information audit at least annually.

  • Write a letter at the start of each school year asking parents and students to check that their details are correct. This also helps prevent emergency risks, e.g. if an old address or phone number is on record.
  • Check that ‘live’ files are accurate and up to date.
  • Any time you become aware that information needs amending, do so immediately
  • Any personal data that is out of date or no longer needed should be ‘destroyed’. This may involve shredding documents or deleting computer files securely so that they cannot be retrieved.
  • Schools must follow the disposal of records schedule. This schedule states how long certain types of personal data can be held for until it must be destroyed. Some stipulations are legal obligations while others are best practice.

You are violating the Data Protection Act if you keep any data for longer than it is needed.

Schools must not acquire data and process it in any manner that doesn’t relate to the intended purpose. For example: data acquired about students for assessments can’t then be used on the school’s website.

Determining what may be excessive includes looking at forms and deciding what information is absolutely critical for the intended purpose. Anything else may be considered excessive and irrelevant.

Back to Top

Publishing Exam Results

The Data Protection Act does not stop schools from publishing exam results online or in the local pres. But if you intend to do so, you must act fairly. Inform students first that their results will be published and how the information will be displayed. For example, will the results be published in alphabetical order or in grade order? The latter can be quite controversial. This gives the student time to object and withdraw their result from the list if desired.

Students also have the right to make a subject access request to see their examination script, marks or markers’ comments. These should be provided if called upon. However, information comprising of the answers given by a candidate during an exam cannot be provided. This means a subject access request cannot be used to obtain a copy of the student’s completed exam script.

Learn more about publishing exam results with the ICO’s guidance document.

Back to Top

Taking Photos in Schools

When is consent needed/not needed for photos?

  • Personal use: parents photographing/videoing the school play. Consent is not needed.
  • Official school use: photos or videos taken for use in the school prospectus and on the website. Consent is needed from the person being videoed or photographed.
  • Media use: photos taken for a newspaper article. Consent is needed.

If an image of a student is used their name must not accompany it and vice versa.

The ICO provides further guidance on taking photos at school.

Back to Top

Data Protection Policies and Training

The aim of a data protection policy is to help staff understand how to safely and fairly process personal information.

The policy should include practical guidance on what can and cannot be done with data. Furthermore, it should be communicated to employees regularly. It’s important that all staff receive guidance on the confidentiality of personal information.

The policy will stipulate how individuals can use the internet and email for private communications securely. It should also cover issues of security when the school’s intranet is accessed from outside of the school grounds via a phone or tablet etc.

Aspects that a use policy should cover include:

  • Email – is homework or other personal data allowed to be shared between students and staff via email? Can it be done securely? Can emailing parents sensitive data be avoided? When sending bulk emails, are staff using BCC so that potentially hundreds of email addresses not disclosed?
  • Chat rooms – students should only have access to chat rooms that are educational in nature and are moderated. As part of e-safety education, teach students to never give out their or others’ personal data over chat.
  • Mobile technology – the policy should stipulate how these can be used securely and safely and what restrictions apply where needed. Aspects to consider include video messaging, mobile access to the internet, entertainment services (e.g. streaming), and information-based services.
  • School websites – a clear, detailed privacy statement should be displayed on the website. It should state how any information the school acquires will be used.


Back to Top

Preventing Data Security Breaches in Schools

Schools must consider how to prevent breaches of data through the internet, intranet, and email systems.

  • Does the school have a Data Protection Policy in place?
  • Does the school have a Use Policy in place?
  • Is the use of the internet, email, and/or chat rooms monitored and regulated in some way?
  • Are filtering systems used to prevent access to inappropriate materials and sites on the internet and network?
  • Is there a reporting procedure in place for accidental access to inappropriate materials or sites?
  • Is internet safety taught as part of the curriculum?
  • Does the school follow safe practices when publishing images and names of students on their website?
  • Is information sent to parents via email?

Indicators of inadequate data protection practices include a lack of e-safety education across the curriculum, no internet filtering or monitoring, and students being unaware of how to report problems.

Back to Top

People Responsible for Data Protection in Schools

Ultimately, everyone has a responsibility in ensuring data is processed securely in a school. Staff and even students who handle personal data need to prevent it from coming into possession of anyone who hasn’t been given permission to view or process it.

There should be specifically elected individuals who are educated on data protection and who implement and uphold systems and policies.

The Senior Information Risk Officer (SIRO)

All schools should have a senior member of staff who is familiar with information risks and the school’s risk-reduction strategies. This is usually a member of the Senior Leadership Team.

The Senior Information Risk Officer must:

  • Ensure appropriate mitigations are in place to minimise risks.
  • Foster a culture that values, protects, and utilises information securely and in a way that benefits the organisation.
  • Take charge of the information risk policy and risk assessments, and ensure they are implemented by the Information Asset Owner(s).
  • Act as an advocate for information risk management.

SIROs should undertake training annually to keep their skills and capabilities up to date and relevant to their organisation. It’s essential that they have the necessary knowledge and skills to fulfil their role and ensure people’s privacy.

The Information Asset Owner (IAO)

The IAO is a member of the school community who is responsible for compiling or working with specific personal information. According to, they must:

  • Know what information the organisation holds and for what purpose.
  • Understand how information is amended, added to, removed, or moved overtime.
  • Know who has access to the data and for what purpose.
  • Recognise how the information is retained and disposed of securely.

Information Asset Owners should:

  • Maintain a log of access requests made to the organisation.
  • Monitor users’ rights to transfer information to removable media, i.e. USB and external hard drives.
  • Negotiate, manage, and approve agreements on the sharing of personal information.
  • Monitor access to personal information.
  • Provide an annual written assessment to the SIRO detailing the security and use of their asset.

When appointed to their position, they must undertake information management training, and retake it at least annually.

Back to Top

Data Processors and Data Controllers

Data Processors and Data Controllers must liaise.

The school may give some degree of responsibility to an individual or third party for data protection. This individual is known as the data processor. A written contract should be made, which requires the processor to implement appropriate security measures for protecting any personal data processed.

However, the data controller is still responsible under the Data Protection Act for data protection. The data processor is purely acting on their behalf. This is why data controllers must have methods for ensuring that the data processor is consistently complying. For example: requesting regular written updates about security measures or carrying out full audits (e.g. visiting the premises).

Back to Top

What to Read Next:

Like This Article?
Share it on social.