
Understanding the Legal Framework Surrounding School Data Protection

In an increasingly digital world, the protection of personal data has become a critical concern for institutions across all sectors, including education. Schools hold a vast amount of sensitive information about students, staff and parents, ranging from academic records to health details. As such, understanding the legal framework surrounding data protection is essential to ensure compliance with laws, safeguard individuals’ privacy, and mitigate risks of data breaches. 

Safeguarding in schools is a fundamental aspect of ensuring that all children can learn, grow and succeed in a protected and nurturing environment. Safeguarding measures promote a safe, secure and supportive learning environment and this includes ensuring that sensitive data is protected. Schools have many roles and responsibilities and data protection is just one of these.

Key Legislation and Regulations

General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is an EU regulation that protects the privacy and personal data of individuals within the EU and the European Economic Area (EEA). It has applied since 25 May 2018, replacing the earlier Data Protection Directive of 1995. Since Brexit it continues to apply in the UK as the “UK GDPR”, supplemented by the Data Protection Act 2018.

The main purpose of the GDPR is to give individuals more control over their personal data and to ensure that organisations handling such data follow strict guidelines. It applies to any organisation that processes the personal data of individuals in the EU, regardless of where the organisation is based.

The key principles of the GDPR include:

  • Lawfulness, fairness and transparency – data must be processed in a legal, fair and transparent manner.
  • Purpose limitation – data should only be collected for specified, explicit and legitimate purposes.
  • Data minimisation – only the minimum necessary data should be collected and processed.
  • Accuracy – personal data must be kept accurate and up to date.
  • Storage limitation – data should only be kept for as long as necessary for the purposes for which it was collected.
  • Integrity and confidentiality – personal data must be processed in a way that ensures its security, including protection against unauthorised access, loss or damage.
  • Accountability – schools are responsible for complying with the GDPR and must be able to demonstrate this compliance.

The GDPR applies to organisations across all sectors, including schools, which handle sensitive personal data related to students, parents and staff. Its relevance to schools primarily lies in ensuring that educational institutions manage and protect this data responsibly. 

Key requirements for schools include:

  • Lawful basis and consent – consent is only one of the lawful bases. Most of a state school’s core processing (admissions, attendance, assessment, safeguarding) rests on the school’s public task or a legal obligation, and consent should be relied on only where the individual genuinely has a free choice, for example optional third-party apps or the use of photographs for marketing. Where consent is used it must be clear, specific and withdrawable, and obtained from the parent/guardian or from the pupil if they are old enough to understand what they are agreeing to.
  • Data subject rights – the GDPR grants parents and pupils rights over their data, such as the right to access, correct or, in some circumstances, delete personal information.
  • Data Protection Officer (DPO) – schools that are public authorities (local authority-maintained schools and academies) must appoint a DPO, who monitors compliance and advises the school on its data protection obligations.
  • Data breach notification – a personal data breach that is likely to result in a risk to individuals’ rights and freedoms must be reported to the supervisory authority (the ICO in the UK) within 72 hours of the school becoming aware of it. Where the risk is high, the affected individuals must also be informed without undue delay.
  • Third-party service providers – schools often use external providers (processors) for educational technology and services. The school, as controller, remains responsible for the data: it must have a written contract containing the processor terms required by Article 28 and must satisfy itself that the provider’s security is adequate.
  • Record-keeping – schools need to keep records of their personal data processing activities, including the lawful basis relied on, how any consent was obtained and what data protection measures are in place.

Data types protected by the GDPR in schools include:

  • Personally identifiable information – names, addresses, dates of birth and email addresses of students, parents and staff.
  • Special category data – health records, special educational needs, racial or ethnic origin, religious belief and biometric data used to identify an individual.
  • Behavioural and academic records – grades, attendance, disciplinary records and other academic data.

Data Protection Act 2018

The Data Protection Act 2018 (DPA 2018) supplements the GDPR in UK law (the retained version is known as the UK GDPR) and fills in the areas the GDPR leaves to member states. It contains several specific provisions concerning the protection of personal data in the context of education and children.

The DPA 2018 and the GDPR recognise children as vulnerable individuals, particularly deserving of protection when it comes to their personal data. Some key points include:

  • Age of consent for data processing – Article 8 of the GDPR sets the age at which a child can consent on their own behalf to processing by information society services (such as social media platforms or online learning apps offered directly to children) at 16, but lets member states lower it; section 9 of the DPA 2018 sets it at 13 in the UK. If a child is under 13, the consent of a person holding parental responsibility is required. This threshold concerns consent for online services; it does not change a school’s usual lawful basis (public task) for its own records.
  • Best interests of the child – in all instances involving the processing of children’s data, the best interests of the child are a primary consideration.
  • Clear communication – any information or communication directed at children must be presented in plain, clear language that a child can understand, enabling them to make informed decisions.

Educational institutions collect a wide range of data about students, staff and parents. The DPA 2018 regulates how schools, colleges and universities handle this data.

Schools must establish a lawful basis for processing children’s data under the GDPR principles. Typically, this is grounded in the school’s public task, contractual necessity, legal obligation or sometimes consent.

Some categories of children’s data, such as health information or information about racial or ethnic origin, are special category data, which require additional protection. As well as an ordinary lawful basis, schools must meet one of the Article 9 conditions for processing this data, for example explicit consent, or a substantial public interest or employment/social protection condition set out in Schedule 1 of the DPA 2018, and should record which condition they rely on.

Schools must carry out Data Protection Impact Assessments (DPIAs) when processing activities pose a high risk to the rights and freedoms of children. This is particularly relevant when new technologies or automated decision-making systems are introduced in schools.

Parents, or children themselves once they reach a certain age, have the right to access the personal data held by the school. They also have the right to request corrections to inaccuracies or, in some cases, the deletion of data.

Children, as data subjects, have various rights under the DPA 2018. These include:

  • Right to access – children (or their guardians) can request access to their data held by educational institutions or other organisations.
  • Right to rectification and erasure – children or their parents have the right to request the correction of inaccurate data or the deletion of personal data in certain circumstances.
  • Right to object – there are also rights to object to data processing and to request the restriction of processing, e.g. a parent might object to their child’s data being shared with third parties.
  • Right to data portability – the right to receive data in a machine-readable form, or have it sent to another organisation, applies only to data processed by automated means on the basis of consent or contract. Because most school records are processed under the public task basis, this right rarely applies to them; transfer of records between schools is governed by the pupil information regulations instead.

Freedom of Information Act 2000

The Freedom of Information Act 2000 (FOIA) applies to public authorities in the UK, including schools, and provides the public with the right to access information held by these institutions. State-funded schools, including academies, free schools and local authority-maintained schools, are subject to the FOIA. Independent schools and private schools are generally not covered, as they are not public authorities.

Under the FOIA, the public has the right to request information from schools, including:

  • Policies and procedures, for example behaviour policies and safeguarding policies.
  • Curriculum details.
  • Financial information, including budgets and spending.
  • Governance information, such as minutes of governors’ meetings.
  • School improvement plans.

Schools are legally required to:

  • Respond to FOIA requests within 20 working days.
  • Provide the information unless an exemption applies, such as if personal data is protected under the Data Protection Act 2018 and the GDPR, confidential information or data that may affect national security.
  • Proactively publish information through a publication scheme, which lays out the types of information the school makes regularly available, e.g. performance data.

Schools can refuse to release information if it falls under an exemption. Some exemptions are absolute (for example, personal data that would breach the UK GDPR). Others are qualified, such as information that could endanger someone’s health or safety or that would prejudice the effective conduct of the school’s business; for a qualified exemption the school must also carry out a public interest test and show that the public interest in withholding the information outweighs the public interest in disclosing it.

Other Relevant Regulations

The Education (Pupil Information) (England) Regulations 2005 set out how schools in England must keep and share information about pupils. They require that schools:

  • Keep accurate pupil records, including academic progress, behaviour and attendance.
  • Share certain pupil information with parents, local authorities and other schools when students transfer.
  • Share specific data with government agencies like the Department for Education (DfE).

The Protection of Freedoms Act 2012 (Chapter 2 of Part 1) governs the use of pupils’ biometric data, such as fingerprints used for cashless catering or library systems, by schools. Schools must:

  • Notify each parent of the pupil and obtain written consent from at least one parent before collecting or using the pupil’s biometric data.
  • Not process the data if any parent objects in writing, or if the pupil themselves objects or refuses, regardless of parental consent.
  • Offer a reasonable alternative means of access (for example a PIN or card) for pupils whose biometric data is not processed.

The Information Commissioner’s Office (ICO) is the UK’s independent regulator responsible for upholding information rights and enforcing data protection laws. Schools that process personal data must pay the annual data protection fee to the ICO (this is what is often loosely called “registering”) and should follow ICO guidance on data handling, storage and security.

Keeping Children Safe in Education (KCSIE) 2023 is statutory guidance, updated each year by the Department for Education, which requires schools to manage data about safeguarding incidents and pupil welfare and to ensure appropriate record-keeping. It includes guidance on:

  • Protecting sensitive personal information related to child protection.
  • Secure storage and restricted access to safeguarding records.

The National Pupil Database (NPD) is maintained by the Department for Education. Schools are legally required to submit pupil-level data to the DfE, mainly through the termly school census, and this data feeds the NPD. The database holds detailed information about pupils, including exam results, school history and demographics, and is used for research and policy making.

Responsibilities of Schools

Data Controllers and Data Processors

Schools, as data controllers, have important responsibilities when managing personal data, especially in compliance with data protection laws. These roles and responsibilities are aimed at safeguarding the privacy and security of individuals’ personal information. Here are the key roles and responsibilities of schools as data controllers:

  • Lawful collection and processing of data – schools must ensure that any personal data they collect and process is for legitimate purposes directly related to education and the administration of the school. They must identify and document a lawful basis for each processing activity; for a state school this is usually the public task basis or a legal obligation, with contractual necessity (for example, staff employment) and consent used only where they genuinely fit.
  • Data minimisation – only necessary data for the specific purpose should be collected and processed. Schools are required to inform individuals (parents, students, staff) about what data is collected, why it is collected, how it will be used, and who it may be shared with.
  • Ensuring data accuracy – schools must take reasonable steps to ensure that the personal data they hold is accurate, up to date and complete, and individuals should have the right to request corrections of inaccurate data.
  • Data security – schools must implement appropriate technical and organisational measures to protect personal data from unauthorised access, loss or damage. Schools should have data protection policies, including IT security measures (encryption, access controls) and staff training on data handling.
  • Data retention policy – schools need to define how long they will keep personal data and ensure it is not retained longer than necessary. After the retention period, data must be securely deleted. Secure methods of archiving and disposal should be in place, such as shredding paper files and ensuring digital records are permanently erased.
  • Responding to data subject requests – schools must be prepared to respond to Subject Access Requests (SARs), where individuals can request access to their personal data or the data of their child. In certain cases, individuals may request that their data be transferred to another organisation. Under specific circumstances, individuals can request the deletion of their personal data.

For further reading about best practices for storing and managing data in schools, please see our knowledge base.

Data Protection Officer (DPO)

A Data Protection Officer (DPO) in a school is responsible for overseeing the school’s compliance with data protection laws. The DPO ensures that the school handles the personal data of students, staff and other stakeholders responsibly and legally. This includes tasks like safeguarding data privacy, preventing data breaches and educating staff on proper data handling.

Some key responsibilities of a DPO in a school include:

  • Monitoring compliance – the DPO ensures the school complies with data protection regulations. This includes reviewing how personal data is collected, stored and processed.
  • Advising on Data Protection Impact Assessments (DPIA) – the DPO helps the school conduct risk assessments when introducing new systems or projects that involve personal data.
  • Liaising with regulatory authorities – the DPO is the school’s point of contact with data protection authorities and may need to report any data breaches or significant issues.
  • Raising awareness and training – the DPO trains staff and educates them on their responsibilities regarding data protection and privacy.
  • Managing data breaches – if a data breach occurs, the DPO coordinates the response and ensures that the breach is handled in accordance with legal requirements.
  • Handling data subject requests – the DPO manages requests from individuals regarding their personal data, such as requests for access, rectification or deletion.
  • Documenting data processing – the DPO helps document and assess data processing activities within the school to ensure they are lawful and transparent.

The role is crucial in ensuring that the school maintains trust and protects the sensitive personal information of its community.

Record-Keeping and Documentation

Schools must keep a record of processing activities (ROPA) under Article 30 of the UK GDPR. This record should document:

  • Data controller’s details – the name and contact details of the school data controller and, where applicable, the Data Protection Officer (DPO).
  • Purposes of processing – why the school collects and processes personal data.
  • Categories of data – types of personal data processed, e.g. student names, contact details and health data.
  • Data recipients – details of any third parties to whom data is disclosed, e.g. local authorities, exam boards or contractors.
  • Retention periods – how long the school retains different categories of data and the justification for those periods.
  • Security measures – a description of the technical and organisational measures taken to secure the data.

Data Protection Principles in Practice

Consent

Schools must balance the need for data collection to support educational outcomes with the obligation to protect students’ privacy and data rights. Parents have the right to access their child’s educational records and data. They can request information on how their child’s data is used and seek corrections if needed.

For children under the age of 13, parental consent is required where consent is the lawful basis, in particular for online services and platforms offered directly to children. Children aged 13 and over can generally give their own consent to such services, but schools and service providers must still ensure that the data is managed in accordance with the DPA 2018/UK GDPR principles. For the school’s own records, which are usually processed under the public task basis, the question is less about consent and more about transparency: the privacy notice must explain, in language the child can understand, what is collected and why.

Data Access and Rectification

Parents or guardians of students under 18, and students themselves if they are 13 or older, can request access. This can be done by submitting a Subject Access Request (SAR) to the school. This can usually be done via a written letter or email to the school’s Data Protection Officer (DPO) or administrative contact. You should include details such as the student’s name, date of birth, and any specific information you are seeking, if applicable.

Schools must respond to SARs within one month of receiving the request. This period can be extended by two months if the request is complex or numerous. Generally, accessing your data is free of charge. However, if the request is manifestly unfounded or excessive, schools may charge a fee or refuse to comply.

If you find inaccuracies or incomplete information in your data, you should notify the school as soon as possible. Submit a request to the school, ideally in writing, specifying the incorrect data and providing the correct information. This can be done via email or letter to the school’s Data Protection Officer or administrative staff. Schools should address requests for data correction promptly, typically within one month.

If you are not satisfied with the school’s handling of your data request, you can escalate the matter to the Information Commissioner’s Office (ICO), which is the UK’s independent authority for upholding information rights.

Schools usually have a data protection policy that includes contact details for their Data Protection Officer or a designated contact person for data protection issues. You can often find this information on the school’s website. For routine updates, for example address changes, schools often have specific forms or online systems where parents and students can submit updates directly. 

It’s always a good idea to check the specific policies and procedures of the school in question, as there may be slight variations in how they handle data requests and corrections.

Data Security

Ensuring data security in schools is crucial to protect sensitive information about students, staff and operations. Here are some best practices for safeguarding data in educational institutions:

  • Role-based access control (RBAC) – restrict access to sensitive information based on the user’s role. This limits data exposure to only those who need it.
  • Multi-factor authentication (MFA) – request additional verification steps in addition to passwords, especially for administrative users.
  • Password policies – require strong, unique passwords (a password manager helps staff manage them) and block known-breached or common passwords. Following NCSC guidance, do not force routine periodic changes, which push users towards weaker, predictable passwords; require a change only when compromise is suspected.
  • Data encryption – encrypt data in transit and at rest. Use current TLS (not legacy SSL) to secure data transmitted across the network, and full-disk or database encryption for stored data, including on laptops and removable media, so that a lost device does not become a reportable breach.
  • Cloud encryption – ensure that cloud-based systems used for storing student and school data are encrypted, both on the cloud provider’s servers and during transmission.
  • Backup and disaster recovery plans – regularly back up critical data to prevent loss due to system failures or cyberattacks like ransomware.
  • Offsite backups – store backups in a secure, offsite location, preferably using cloud storage with encryption. Regularly test backup restoration to ensure data can be quickly recovered if needed.
  • Conduct security awareness training – train all employees on cybersecurity best practices, such as identifying phishing emails, avoiding suspicious links and reporting security incidents.
  • Student awareness – educate students on the importance of digital hygiene, including protecting personal data and understanding safe online behaviour.
  • Update and patch systems regularly – regularly apply software updates and patches to fix known vulnerabilities in operating systems, applications and school network infrastructure.
  • Automated updates – enable automatic updates for critical software to ensure that systems remain protected against emerging threats.
  • Install and maintain security software – implement firewall protection to prevent unauthorised access and use intrusion detection systems to monitor network activity.
  • Antivirus and anti-malware software – install security software on all devices, and ensure it’s regularly updated to defend against the latest threats.
  • Web filtering – use content filtering tools to block access to malicious websites or inappropriate content.
  • Monitor and audit access logs – maintain logs of access to critical systems and data, including who accessed it and when. Periodically audit logs to identify any unusual or unauthorised access patterns. Set up automated alerts for unusual access attempts or suspicious activity to enable immediate response.
  • Limit data collection – collect only the minimum amount of personally identifiable information necessary for school operations. Establish policies for retaining data for only as long as necessary and securely deleting it afterwards.
  • Lock and secure devices – ensure that servers, desktops and other sensitive equipment are stored in secure areas, accessible only to authorised personnel.
  • Controlled access to facilities – use key cards, biometrics or other security measures to control access to areas where sensitive data is stored or processed.
  • Email encryption – use encrypted email services for transmitting sensitive information, like student records or staff credentials.
  • Secure messaging platforms – use encrypted messaging tools for internal communication among staff to ensure data is not exposed via unsecured channels.
  • Video conferencing security – implement security measures like meeting passwords and encryption for virtual classrooms and administrative meetings.
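Two of the controls above, role-based access control and auditing of access logs, are easy to state and easy to leave as paper policy. The following is an added example (not code from the original page, nor from any real school management system) of what checking them actually looks like: it reads a constructed access log for a hypothetical pupil records system, compares each access against a deny-by-default role policy, and flags three things an auditor would want to see: reads of a record category the user’s role does not permit, reads outside working hours, and one user reading an unusually large number of different pupils’ records in a short window (a common sign of a compromised account or a bulk export). The log format, role names, record categories and thresholds are all assumptions chosen for the example.

```python
"""Audit a pupil-records access log against a role-based access policy.

Constructed example: the log format, roles, categories and thresholds are
assumptions for illustration, not the schema of any real product.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Which record categories each role may read. Safeguarding records are limited
# to the designated safeguarding lead (DSL); health/SEN records to the SENCO
# and DSL. Any category not listed for a role is denied (deny by default).
POLICY = {
    "teacher": {"academic", "attendance", "contact"},
    "admin": {"contact", "attendance"},
    "senco": {"academic", "attendance", "contact", "health", "sen"},
    "dsl": {"academic", "attendance", "contact", "health", "sen", "safeguarding"},
}

BULK_THRESHOLD = 5                 # distinct pupils read by one user within BULK_WINDOW
BULK_WINDOW = timedelta(minutes=10)
WORK_HOURS = (7, 19)               # accesses outside 07:00-19:00 are flagged for review

# Constructed sample log: ISO timestamp, user, role, record category, pupil id, action
SAMPLE_LOG = """\
2024-03-04T08:15:02 jsmith teacher academic P1001 read
2024-03-04T08:16:40 jsmith teacher safeguarding P1001 read
2024-03-04T09:02:11 dsl1 dsl safeguarding P1001 read
2024-03-04T11:30:05 office1 admin contact P1002 read
2024-03-04T23:41:00 office1 admin contact P1003 read
2024-03-04T12:00:01 ktan teacher academic P1004 read
2024-03-04T12:00:09 ktan teacher academic P1005 read
2024-03-04T12:00:15 ktan teacher academic P1006 read
2024-03-04T12:00:22 ktan teacher academic P1007 read
2024-03-04T12:00:30 ktan teacher academic P1008 read
2024-03-04T12:00:38 ktan teacher academic P1009 read
"""


def parse_log(text):
    """Parse whitespace-separated log lines into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, category, pupil, action = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts), "user": user, "role": role,
            "category": category, "pupil": pupil, "action": action,
        })
    return sorted(events, key=lambda e: e["ts"])


def audit(events):
    """Return (kind, user, detail) findings for policy violations and anomalies."""
    findings = []
    recent = defaultdict(list)   # user -> [(ts, pupil)] seen inside the bulk window
    bulk_flagged = set()         # report each user's bulk access once, not per event
    for e in events:
        allowed = POLICY.get(e["role"], set())   # unknown role => nothing allowed
        if e["category"] not in allowed:
            findings.append(("policy_violation", e["user"],
                             f'{e["role"]} read {e["category"]} record of {e["pupil"]}'))
        if not (WORK_HOURS[0] <= e["ts"].hour < WORK_HOURS[1]):
            findings.append(("out_of_hours", e["user"], e["ts"].isoformat()))
        # Sliding window: keep only this user's accesses within BULK_WINDOW of now
        window = [(t, p) for t, p in recent[e["user"]] if e["ts"] - t <= BULK_WINDOW]
        window.append((e["ts"], e["pupil"]))
        recent[e["user"]] = window
        distinct = {p for _, p in window}
        if len(distinct) >= BULK_THRESHOLD and e["user"] not in bulk_flagged:
            bulk_flagged.add(e["user"])
            findings.append(("bulk_access", e["user"],
                             f"{len(distinct)} pupils in {BULK_WINDOW}"))
    return findings


if __name__ == "__main__":
    for kind, user, detail in audit(parse_log(SAMPLE_LOG)):
        print(f"{kind:17} {user:10} {detail}")
```

On the sample log this reports the teacher who opened a safeguarding record, the office account used at 23:41, and the teacher who read five different pupils’ records in half a minute. The policy is written as an allow-list so that a new record category or a misspelt role is denied rather than silently permitted, and the bulk check uses a sliding time window rather than a daily total so a short burst is not diluted by a quiet day. In a real deployment the same logic would run over the management system’s exported audit log, with thresholds tuned to the school’s normal usage, and the findings would be reviewed by the DPO rather than acted on automatically.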

Handling Data Breaches

Identification and Reporting

Identifying and reporting a data breach in a school is a critical process, as educational institutions handle the sensitive personal information of students, staff and parents. This process involves both technical and legal aspects. 

A data breach involves unauthorised access, disclosure or loss of personal data. Signs that a breach may have occurred include:

  • Unusual system activity – sudden or unexpected access to databases or student management systems.
  • Data loss or corruption – missing or altered personal information of students, parents or staff.
  • Phishing or hacking incidents – evidence of cyberattacks or suspicious emails leading to unauthorised access.
  • Accidental disclosure – sending personal data to the wrong recipient via email, posting it on public platforms, or misplacing physical records.
  • Malware/ransomware attacks – infections that compromise or lock access to sensitive school data.

Incident Response

It is vital to contain the breach and isolate affected systems to prevent further unauthorised access or data leakage. You should then:

  • Contain – change or revoke compromised credentials and take affected systems offline if necessary, preserving logs and evidence before anything is wiped or rebuilt.
  • Scope – determine which data has been affected and who might have gained access to it.
  • Assess severity – establish what personal data was involved, how many individuals are affected, and the potential impact on them, for example identity theft, distress or reputational damage. Special category and safeguarding data raise the severity.
  • Decide on reporting – use that assessment to decide whether the ICO and the affected individuals must be notified (see below), and record the reasoning either way.

Schools, as data controllers, have several legal obligations when handling data breaches, including notifying the ICO. Under the UK GDPR, schools must notify the ICO if the breach is likely to result in a risk to individuals’ rights and freedoms. This should be done within 72 hours of becoming aware of the breach, even if all details aren’t yet available.

The notification should include:

  • The nature of the breach.
  • The likely consequences of the breach.
  • Steps the school is taking to mitigate the impact.
  • The contact details of the school’s Data Protection Officer (DPO) or another responsible person.

The ICO provides an online Breach Notification Form on their website for reporting such incidents.

If the data breach poses a high risk to individuals’ rights and freedoms, the school is obligated to inform the affected individuals without undue delay. The notification should be clear, explaining the nature of the breach, the possible consequences, and steps they can take to protect themselves.

Even if the breach doesn’t require ICO notification, schools are required to document all breaches internally, including the nature of the breach, the response taken, and reasons for decisions regarding notifications.

Steps to take post-breach include:

  • Review and update security measures – assess your school’s security systems and take steps to prevent future breaches.
  • Training and awareness – educate staff and students on cybersecurity best practices, especially recognising phishing attempts and handling sensitive information.
  • Audit and monitoring – implement regular audits of data security systems and review data handling procedures.

Training and Awareness

Staff Training

Providing regular training and resources on cybersecurity best practices is essential for maintaining a secure environment in educational institutions. Develop a comprehensive curriculum covering key topics such as password security, phishing, data protection and safe internet use. There are various ways to provide training including:

  • Interactive workshops – host live workshops and webinars with interactive elements such as Q&A sessions and case studies.
  • E-Learning modules – provide online training modules that can be completed at individual convenience.
  • Simulations and drills – conduct phishing simulations and security drills to provide hands-on experience.
  • Micro-learning – offer short, focused training sessions or tips delivered via email or internal platforms.
  • Updates and refresher courses – regularly update training materials to reflect the latest threats and best practices. Offer refresher courses as needed.
  • Gamification – incorporate game elements, such as quizzes and leader boards, to make learning more engaging.
  • Recognition and rewards – recognise and reward individuals or teams who demonstrate strong cybersecurity practices.
  • Provide resources and support – create a centralised repository of resources, including guidelines, FAQs and best practice documents.
  • Helpdesk and support – offer access to cybersecurity experts for questions and support.

Creating a Data Protection Culture

Implement and enforce school-wide cybersecurity policies, such as acceptable use policies for technology and data protection guidelines. Start clubs or teams that focus on cybersecurity, where students can engage in projects, competitions and discussions.

Encourage students to share their knowledge and experiences with their peers to foster a collaborative learning environment. Organise events like cybersecurity awareness weeks or competitions to engage students and raise awareness. 

Invite cybersecurity professionals to speak to students about real-world applications and career opportunities in the field. Facilitate opportunities for students to gain practical experience and insights into the cybersecurity industry.

Case Studies and Real-World Examples

Examples of Compliance

Parklands High School, Chorley adopted a proactive approach to data protection by integrating GDPR compliance into their daily operations. They implemented new systems to ensure staff and students’ data was handled appropriately.

Their key successes involve conducting regular data audits to track all personal data being collected and stored. The school ensured that parents were informed about how their children’s data was being used and sought their consent when needed.

They also monitor third-party data processors to ensure compliance with data protection regulations.

Lessons Learned

East London Primary School faced a data breach due to a lack of staff awareness and a failure to encrypt sensitive data.

This incident highlighted the need for continuous staff training. Ensuring that all employees know how to handle data securely is crucial to preventing breaches. The school implemented encryption on all sensitive documents and devices post-breach.

Resources and Support

Guidance Documents

The ICO publishes guidance and statutory codes of practice and is crucial for bolstering cybersecurity, particularly in the context of protecting sensitive student data. The ICO is responsible for enforcing data protection law, most notably the UK GDPR and the Data Protection Act 2018, which apply to educational institutions.

The ICO promotes awareness and training for school staff regarding data protection and cybersecurity best practices. The ICO’s purpose in the context of school cybersecurity is to ensure compliance with data protection laws, promote robust cybersecurity measures, provide guidance on data protection, and enforce legal standards, ultimately safeguarding sensitive information against cyber threats.

Support Networks

In the UK, there are several recommended tools and platforms for cybersecurity training and awareness, catering to different needs such as individual learning, corporate training and specific certifications. Here are just a few examples:

  • National Cyber Security Centre (NCSC) resources – the NCSC is the UK government’s national technical authority for cyber security. It publishes free guidance, including guidance written specifically for schools, and runs the Cyber Essentials scheme, a government-backed certification that helps organisations protect themselves against the most common cyber threats.
  • Cyber Aware – the NCSC’s public campaign providing guidance on how to stay secure online, targeting individuals and small organisations.
  • Exercise in a Box – a free NCSC tool that lets organisations run tabletop exercises, including a ransomware scenario, to test and improve their cyber resilience.
  • CybSafe – a commercial behavioural security platform focused on improving security awareness, behaviour and culture within organisations. It includes personalised, adaptive training modules and risk assessments based on user behaviour.

Conclusion

In conclusion, understanding the legal framework surrounding school data protection in the UK is essential for ensuring the privacy and security of students, staff and all involved within educational institutions. The key legislative elements, including the General Data Protection Regulation (GDPR) and the Data Protection Act 2018, impose strict obligations on schools to handle personal data responsibly, transparently and lawfully. Compliance requires schools to implement robust data protection policies, appoint a Data Protection Officer (DPO), and continuously assess data handling practices to minimise risks of breaches.

As technology continues to evolve, so do the risks associated with data management, making it crucial for schools to stay informed about legal updates and best practices in data protection. Safeguarding personal data is not only a legal obligation but also a vital aspect of maintaining trust between schools, parents, students and authorities. By encouraging a culture of data privacy and security, schools can better protect sensitive information and contribute to the broader aim of protecting individuals’ rights in the digital age.



About the author

Claire Vain

Claire Vain

Claire graduated with a degree in Social Work in 2010. She is currently enjoying her career moving in a different direction, working as a professional writer and editor. Outside of work Claire loves to travel, spend time with her family and two dogs and she practices yoga at every opportunity!
