Summary
The policies and processes schools and multi-academy trusts need to protect personal data and respond effectively to a personal data breach.
This toolkit will help school staff, governors and trustees:
- understand how to comply with data protection law
- develop their data policies and processes
- know what staff and pupil data to keep
- follow good practices for preventing personal data breaches
This advice is intended for maintained schools and academies. Independent schools are welcome to use it where appropriate.
Have your say
The Information Commissioner’s Office (ICO) is consulting on amendments to the Data (Use and Access) Act 2025. Share your views on the proposed new lawful basis and complaints process. The consultation closes at 23:59 on 30 October 2025.
If you’d like to be involved in user research to help the Department for Education improve our data protection guidance for schools, register your interest.
Contents
-
Data protection legislation, and who and what it’s intended to protect.
-
Changes to the bill and support available from the Department for Education (DfE).
-
The lawful grounds for accessing, collecting, storing and using personal, special category and criminal offence data.
-
Who is responsible for making sure data is processed securely in a school.
-
How data protection officers can help make sure schools are compliant with data protection laws.
-
How to comply and document compliance with UK GDPR and the Data Protection Act 2018.
-
Who you can share personal data with and what consent you need to get – for example, when publishing exam results, taking photos in school and for immunisation programmes.
-
A subject access request (SAR) is a type of information rights request. A SAR lets people access a copy of the personal data a school holds about them or someone they have parental responsibility for.
-
How to manage other information rights requests, including changing, deleting or restricting the processing of personal information.
-
How to carry out an audit to check what personal data your school holds. You can use a data retention schedule to document how long you'll keep different types of data for.
-
Good practice for preventing personal data breaches in your school. It explains how to recognise and respond effectively to a personal data breach.
-
How to address potential data protection risks of using generative AI in schools.
-
Download resources to help with data protection in schools, including posters, templates, and learning materials.