Children in robotic class showing the impacts of data protection and GDPR on U.K. schools and educational establishments
Data Protection and GDPR in UK Schools and Educational Establishments by Ed Hyde, Co-Founder and Director at Soft Egg

Data Protection and GDPR in UK Schools and Educational Establishments

GDPR has been in effect since the 25th May 2018, replacing previous data protection legislation, with the aim of making all data collection, storage and use more transparent. Companies and organisations that do not comply with the new regulations face heavy fines and penalties.

Older regulations could be more difficult to understand, especially in the terminology used in documentation, leaving people confused as to their rights when it came to what data of theirs was being collected, used and shared. Whilst these changes initially had people looking at industries like healthcare and banking, schools and other educational establishments have also had to make major changes in order to stay in line with the new regulations.

The importance of GDPR in schools

All educational establishments have a duty of care towards their students, and this extends to protecting their data too. Schools collect more data than just educational records after all; telephone numbers, home addresses, email addresses, next of kin details, medical records and even photos are all held by schools for security and emergency reasons, but all of this data is sensitive and valuable to potential cyber criminals.

Educational establishments also collect and store all of this data with regard to their staff and may include further information such as employment history.

There are many regulations related to GDPR that schools have to follow, as well as advised extra steps to ensure the safety of the collected data, such as using the latest IT systems, firewalls and malware protection software.

Registering with the ICO

Like all data controllers, educational establishments need to register with the Information Commissioner’s Office to notify them of what data they will be collecting, the purpose of storing that data, where the data has been collected from, and who will be given access to that data. After registration, the establishment will need to repeat this process annually.

Privacy notices

In addition to registering with the ICO, schools need to have privacy notices in place, so that their data protection policy is completely transparent. Both staff and parents are trusting the school to manage sensitive data correctly, so these privacy notices should provide peace of mind and be easily accessible to anyone whose data is being held.

The privacy notices should list the purpose for holding the information and how the data is collected and kept up to date, as well as the establishment’s procedures for security breaches, lost and stolen data, and the correct disposal of confidential waste. The notices should also detail how they encrypt personal data and what security is being used in the form of computer passwords, firewalls and anti-virus software.


The implementation of GDPR also means that schools have to be clear on the matter of consent. A school will not usually need consent to collect and store personal data if the school is processing that data as part of the provision of education in accordance with its statutory obligations. However, schools should obtain consent for anything that isn’t within the typical day-to-day running of the school, such as for extra-curricular trips or activities, especially if it involves a third party handling the data.

Data Protection Officers

The new GDPR legislation requires all schools to have an appointed Data Protection Officer who is in charge of maintaining GDPR compliance. This officer can be employed internally, or they may be an external party covering several schools. The officer needs to be a reliable point of contact for queries and concerns regarding data protection and, as such, they must possess expert knowledge of data protection regulations.

Student Access Requests

One of the aspects of GDPR that is specific to educational establishments is dealing with Student Access requests. Students have the right to request their own personal data, as do the parents or legal guardians of any student, but if the student is of legal age and mature enough to understand their rights, the authority to grant this access is solely theirs.

Third parties

With the implementation of GDPR, all schools have had to review their relationships with third parties. Contracts that concern data sharing – even with trusted outside sources such as local authorities and organisations who contribute to improving the learning experience of students – need to be reviewed to ensure they are in line with regulations.

These third parties must also be GDPR compliant and have an agreement in place with the school regarding how they handle data, and this information must be written in similarly clear and easy to understand language.

Security Breaches

One of the biggest worries for schools regarding data is a security breach that allows unauthorised third parties to access personal information. This is especially sensitive when that data concerns children who are expected to be safeguarded.

If there is a data breach, the individuals who have their personal data processed must be notified immediately, as well as informed about what steps are being taken to deal with the problem. Breaches must also be reported to the relevant authorities within 72 hours of discovery.

GDPR and Schools Post-Brexit

The current GDPR legislation is based on regulations agreed upon by the European Union, so schools need to be wary that legislation may change following Brexit. These changes could include the age of consent to have personal data collected as well as how the collected data is used. Currently, it seems likely that the UK will continue to operate a similar GDPR policy, though nothing has been confirmed yet.

Schools and educational establishments have had to make some major changes since the implementation of GDPR, even going as far as installing entirely new IT systems to ensure that data can be stored securely.

As such, further importance has been stressed on training staff to be familiar with GDPR policy, as well as what constitutes personal data, where that data has come from and who has access to it.


UPDATE: This article has been updated to clarify the need for consent to collect and store personal data.