Data Protection for Schools: What UK Education Providers Need to Know
Henry Dawson
Jun 16, 2026
Data protection for schools is a serious governance, safeguarding and trust issue for UK school leaders. Schools, academies, Multi-Academy Trusts (MATs), nurseries, colleges and other education providers process large volumes of personal data every day. This includes pupil records, special educational needs information, safeguarding files, attendance data, medical details, parent contact records, staff HR files, CCTV footage and digital learning data.

Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, schools must handle this information lawfully, fairly, transparently and securely. They must also be able to demonstrate compliance through policies, procedures, training, records and accountability measures.

For school business managers, MAT administrators and headteachers, UK GDPR compliance for schools is not only about avoiding fines. It supports safe record keeping, effective safeguarding, responsible data sharing, parental confidence and good governance.

This guide explains what UK education providers need to know, including pupil data, staff data, Data Protection Officers (DPOs), school policies, MAT-level accountability and staff training.

Why Schools Must Take Data Protection Seriously

Schools hold some of the most sensitive information about children, families and staff. A data protection failure can cause distress, safeguarding risk, reputational damage and loss of trust.

A school may hold information about a pupil’s home life, medical needs, special educational needs and disabilities (SEND), safeguarding concerns, behaviour, attendance, family court orders, child protection involvement or mental health. If this information is lost, disclosed to the wrong person or accessed without permission, the impact can be serious.

Schools also process staff data, including payroll records, absence information, disciplinary files, recruitment checks, right-to-work evidence and performance records. These must be handled with the same care as pupil data.

Data protection matters because schools must:

  • protect children’s privacy and safety;
  • maintain accurate and secure records;
  • share information lawfully where needed;
  • respond to parent, pupil and staff requests;
  • manage third-party systems and suppliers;
  • use technology responsibly;
  • demonstrate accountability to regulators, governors and trustees.

Ofsted does not usually inspect “GDPR compliance” as a standalone judgement. However, data protection links closely to safeguarding, leadership, record keeping, governance and safe use of information. Poor information handling can undermine evidence of effective safeguarding and well-led practice.

What Personal Data Do Schools Process?

Schools process a wide range of personal data. Some of it is routine, while some is highly sensitive.

Examples of pupil personal data include:

  • name, date of birth and address;
  • pupil unique identifiers;
  • parent and carer contact details;
  • emergency contacts;
  • attendance records;
  • assessment and attainment data;
  • behaviour records;
  • SEND information;
  • safeguarding records;
  • medical needs and medication records;
  • dietary requirements;
  • photographs and videos;
  • CCTV footage;
  • biometric data, where used;
  • online learning records;
  • pastoral support notes.

Schools also process staff, governor, volunteer and contractor data, including:

  • recruitment records;
  • Disclosure and Barring Service (DBS) information;
  • payroll and pension details;
  • absence records;
  • occupational health information;
  • performance management records;
  • disciplinary and grievance records;
  • training records;
  • contact details;
  • right-to-work checks.

A school is usually a data controller for the personal data it decides to collect and use. This means the school determines the purposes and means of processing and is responsible for complying with UK GDPR. In a MAT, the trust may be the controller for some processing activities, while individual schools may have local responsibilities depending on governance arrangements.

Schools also use data processors. These may include management information system providers, cloud platforms, safeguarding software, catering systems, payment providers, email systems, learning apps, payroll providers and CCTV maintenance companies. Written contracts should define how processors handle school data.

Pupil Data Under UK GDPR — Special Considerations

Pupil data protection needs particular care because children are considered to need specific protection under data protection law. They may be less aware of risks, consequences and their rights.

Some pupil data is ordinary personal data, such as names, class groups and attendance records. Other data may be special category data, which needs extra protection. This can include health information, disability details, ethnicity, religious beliefs or biometric data used for identification.

Safeguarding information can also be highly sensitive. It may include details about family circumstances, social care involvement, concerns raised by staff, disclosures made by pupils or records of multi-agency work. This information should be accessible only to those who need it and shared securely where safeguarding requires it.

For more on sensitive pupil information, read our guide to special category pupil data.

Schools need a lawful basis for processing pupil data. Common lawful bases may include public task, legal obligation, contract, vital interests or consent, depending on the activity. Consent is not always the most appropriate basis, especially where the school must process data to provide education, meet safeguarding duties or comply with law.

Sharing pupil data with parents also needs judgement. Parents with parental responsibility may have rights to information, but schools must consider the child’s rights, age, understanding, welfare, safeguarding risks and confidentiality. In some situations, it may not be appropriate to share certain information with a parent if doing so could place the child at risk or breach another person’s rights.

Schools may also share pupil data with the Department for Education (DfE), local authorities, examination boards, health services, safeguarding partners, school nurses, educational psychologists and other agencies where the law and school policies allow.

Staff Data Protection Obligations

Schools are employers as well as education providers. This means they must protect staff personal data throughout recruitment, employment and post-employment retention.

Staff data may include:

  • application forms;
  • interview notes;
  • references;
  • identity checks;
  • DBS information;
  • payroll records;
  • bank details;
  • sickness absence records;
  • occupational health reports;
  • performance reviews;
  • disciplinary records;
  • grievance records;
  • training records.

HR data can be sensitive. For example, sickness records and occupational health reports may include health data, which is special category data. Disciplinary or safeguarding-related staff records may also be highly confidential.

Schools should make sure staff privacy notices explain how employee data is used. Staff should know what records are kept, why they are kept, who they may be shared with and how long they are retained.

Access should be limited. Not every member of the senior leadership team needs access to all HR records. Line managers may need enough information to manage work and support staff, but not always detailed medical information.

Staff also have data subject rights. They may request access to their personal data, ask for inaccurate records to be corrected or object to certain processing. Schools should have a clear procedure for responding to staff data requests.

The Role of the Data Protection Officer in Schools

Most schools and public education providers need a Data Protection Officer (DPO), particularly maintained schools and academies carrying out public tasks and processing large volumes of children’s data. Independent schools should assess their legal position carefully, but many appoint a DPO as good practice due to the nature and scale of pupil data processing.

A DPO’s role is to advise, monitor and support compliance. They should operate independently and should not have a conflict of interest. The DPO can be an internal employee or an external provider, but they must have appropriate knowledge of data protection law and school operations.

The DPO may help with:

  • advising on UK GDPR obligations;
  • reviewing policies and privacy notices;
  • supporting Data Protection Impact Assessments (DPIAs);
  • advising on data sharing;
  • monitoring staff training;
  • supporting breach response;
  • advising on subject access requests;
  • liaising with the Information Commissioner’s Office (ICO);
  • reporting risks to senior leaders or trustees.

The DPO is not responsible for “doing all GDPR”. Accountability remains with the school or trust as controller. School leaders, governors and trustees still need to ensure data protection is properly resourced and embedded.

After appointing or reviewing your DPO arrangements, it is worth strengthening staff capability through data protection training for schools. Wider leadership teams may also benefit from GDPR Essentials for UK Businesses where they need a broader grounding in UK GDPR principles.

Policies Every UK School Should Have

A school data protection policy should not sit alone. Schools need a set of documents and processes that work together.

Key policies and documents include:

Data protection policy
This explains how the school complies with UK GDPR and the Data Protection Act 2018.

Privacy notices
Schools should provide privacy notices for pupils, parents, staff, governors and other relevant groups. These should explain what data is collected, why, lawful bases, sharing, retention and rights.

Retention schedule
This sets out how long different records are kept, such as pupil files, safeguarding records, SEN records, HR records, accident logs and financial information.

Subject access request procedure
This explains how the school recognises, logs, verifies and responds to requests from pupils, parents or staff.

Personal data breach response procedure
This explains how staff report incidents, how breaches are assessed, and when the ICO or individuals may need to be notified.

Data sharing policy
This supports lawful sharing with local authorities, DfE, safeguarding partners, health services, police, exam boards and third-party providers.

CCTV policy
If the school uses CCTV, the policy should explain why cameras are used, where they are placed, who can access footage, how long footage is kept and how people are informed.

Acceptable use and IT security policies
These cover staff and pupil use of systems, devices, passwords, email, cloud platforms and online services.

Records management policy
This supports secure filing, archiving, deletion and disposal of paper and digital records.

The Department for Education advises schools to have policies and processes that help them protect personal data and respond effectively to breaches. These policies should be reviewed regularly and updated when systems, suppliers, law or school practice changes.

For practical support, a school data protection course can help staff understand how these policies apply in day-to-day work. For whole-staff awareness, Data Protection Essentials for All Employees can support general GDPR knowledge.

Training Education Staff on Data Protection

Training is essential because school data is handled by many people, not only the DPO or school business manager. Teachers, teaching assistants, office staff, safeguarding leads, governors, lunchtime supervisors, IT staff, HR teams and senior leaders all interact with personal data.

GDPR training for teachers in the UK should be practical and role-based. Teachers need to understand how to handle assessment data, behaviour notes, parent emails, pupil photographs, SEND information and classroom systems. Office staff need training on admissions, attendance, parent communications, visitor records and pupil files. Safeguarding leads need a deeper understanding of secure information sharing and retention.

Training should cover:

  • what personal data is;
  • special category data;
  • pupil data risks;
  • staff data confidentiality;
  • data protection principles;
  • lawful basis and transparency;
  • privacy notices;
  • subject access requests;
  • safeguarding information sharing;
  • email and file security;
  • breach reporting;
  • retention and deletion;
  • CCTV and images;
  • use of education technology;
  • working with processors and suppliers.

Staff should know how to recognise a data subject request. A parent asking, “Can I see everything you hold about my child?” or a staff member asking for “all records about me” may be making a formal request. For more detail, see our guide to data subject rights for schools.

Training should be repeated regularly. New staff should receive induction training, and existing staff should receive refresher training at appropriate intervals. Higher-risk roles, such as Designated Safeguarding Leads, SENCOs, HR staff and data managers, may need more detailed training.

For a broader explanation of why whole-staff awareness matters, read our guide to employee GDPR training for education staff.

MAT-Level Data Protection Considerations

MAT GDPR compliance can be more complex than compliance for a single school. Multi-Academy Trusts often centralise systems, policies, HR, finance, procurement, IT, safeguarding software and data protection support. This can improve consistency, but it also creates governance questions.

A MAT should clarify:

  • whether the trust is the data controller for key processing activities;
  • what responsibilities individual schools retain;
  • who manages subject access requests;
  • who reports personal data breaches;
  • who approves privacy notices;
  • how retention schedules apply across schools;
  • how pupil files transfer between schools;
  • how central systems are accessed;
  • how suppliers are procured and reviewed;
  • how staff training is tracked;
  • how trustees receive assurance.

MATs should also consider access controls carefully. Central teams may need access to HR, finance or governance data, but they may not need broad access to all pupil records. Role-based permissions should reflect actual business need.

Consistency is important, but policies should still work at school level. A trust-wide breach procedure, for example, should explain what a class teacher, school office, headteacher and central data protection lead must each do.

Training should also be coordinated. MATs can use central training records to track completion, identify gaps and demonstrate accountability to trustees. However, individual schools still need local reminders and practical examples that reflect their daily routines.

For MATs, a useful data protection dashboard might include:

  • staff training completion;
  • subject access request response times;
  • breach numbers and trends;
  • overdue policy reviews;
  • DPIA status;
  • supplier review status;
  • retention audit findings;
  • DPO recommendations and action plans.

Data protection should be part of governance reporting, not only a compliance file. Trustees and senior leaders need enough visibility to challenge risks and support improvements.

FAQs

Do schools need to appoint a DPO?

Most schools and public education providers need a Data Protection Officer because they process large volumes of children’s data and carry out public education functions. Independent schools should assess their legal duties carefully, but appointing a DPO is often good practice given the sensitivity of pupil data.

Can schools share pupil data with parents?

Schools can often share appropriate pupil information with parents or carers, especially where they have parental responsibility. However, schools must consider the pupil’s age, understanding, rights, safeguarding risks and whether disclosure would affect another person’s privacy.

How long should schools keep pupil records?

Schools should keep pupil records only for as long as necessary and in line with a clear retention schedule. Different records have different retention periods, so schools should review what they hold each year and securely delete or archive data when it is no longer needed.

Does CCTV in schools need to comply with GDPR?

Yes. CCTV footage can be personal data if individuals are identifiable. Schools using CCTV should have a lawful purpose, clear signage, a CCTV policy, appropriate retention periods, access controls and a process for responding to requests for footage.

What GDPR training do teachers need?

Teachers need practical GDPR training covering pupil data, special category data, safeguarding information, parent communications, assessment records, email security, breach reporting and data subject requests. Training should be refreshed regularly and supported by clear school policies.

Explore our data protection training designed for schools and educational organisations — start with our Data Protection for Schools & Educational Institutions course and help your staff protect pupil, parent and staff data with confidence.
