
Data protection guidance for schools and trusts

In today’s digital age, safeguarding sensitive student and staff information is not just a responsibility, it’s a priority. We’re here to help you stay compliant, manage risks, and foster a strong culture of good data protection compliance within your educational community. Let’s keep your schools’ data safe, together.

Data protection challenges facing schools:

  • Increase in the number and complexity of subject access requests (SARs).
  • Managing personal data breaches in school, relating to students, parents, and staff.
  • Reputational damage and relationship breakdown following breaches.
  • The need for good AI governance and compliance.
  • Completing and evidencing proactive compliance.

From advising on your everyday data protection queries to supporting you with complex issues around breaches, SARs, Data Protection Impact Assessments (DPIAs), compliance audits, or completion and review of documents such as data sharing agreements, we’re here to empower you and your school staff. We’ll help you develop the skills and confidence needed to handle data protection effectively. 

Recommended data protection services for schools:

We’ve created a variety of services to meet your data protection needs.

  • Quickcall and MAT PartnerPlus – our comprehensive annual legal support service provides support on all issues, including data protection. 
  • Data Protection Officer (DPO) helpline – offers instant access, with a direct line to our expert education GDPR lawyers for advice on any data protection issue. 
  • Data protection and freedom of information support pack – our popular support pack contains 70+ new and updated documents including policies, procedures, privacy notices, checklists, template letters, template DPIAs, examples, FAQs and top tip guides.
  • AI governance pack – designed to provide you with a structure to safely make best use of Artificial Intelligence (AI) and to enable you to evidence compliance and manage risk effectively. 
  • Empower: DPO – Termly 1-2-1 supervision and development support for Trust DPOs. 
  • Data protection governance and structures review – designed for academy trusts, this review assesses your current approach and provides recommendations to help you develop your structures and drive consistency across your trust.
  • Data protection compliance audit – a detailed examination of accountability and operational compliance including recommendations for improvement where required.
  • SAR support – access to sector-experienced experts who will help you to deal with difficult issues relating to requests, improve SAR management, reduce incoming requests, and streamline your strategic approach for overall workload and risk reduction.
  • High quality training – all staff data protection and cyber security training through our EduCompli online learning app and bespoke sessions for senior leadership and Boards. DPOs can also benefit from our specialist DPO CPD Courses.

Frequently asked questions

School subject access requests can feel overwhelming for a busy school DPO. However, replies to SARs only require a ‘reasonable’ response. Whilst you cannot ask a requestor to narrow or reduce their request, you can ask for clarification of what specific information they require. This is particularly relevant if you hold a large amount of information which contains their name. If the requestor refuses to engage with you to help provide clarification, then this may be one of the factors you consider when considering if the request is manifestly unfounded or unreasonable.

You do not need to go beyond what is reasonable to find and extract personal data from your records, so you should not need to comb through thousands of emails. However, even if you think a request is unreasonable, you should still reply to the requestor, explaining why you cannot action their request as it stands. Our team can advise how to engage reasonably with requestors to ensure their rights are satisfied without an undue burden on your school, including how to refuse a subject access request when necessary.

It can cause concern when someone who has parental responsibility asks for information when they are not otherwise involved in a child’s life. You may also be told by the resident parent and the child that they don’t want any information to be shared. Parents who have parental responsibility in maintained and special schools have the right of access to educational records while those in academies and independent schools have the right to receive an annual report.

However, if sharing this information could harm the child, it may be best to deny the request. Children, not their parents, hold subject access rights under data protection law, though parents can exercise these rights where it benefits the child or the child consents. If fulfilling a request doesn't serve the child's best interests, it may be deemed invalid. Dealing with parental SARs can be complex. Schools should avoid involvement in parental disputes; our team is here to assist school DPOs and staff with navigating the complexities of information requests that could risk harm to the child.

Individuals are increasingly exercising their rights to request information from schools, whether under data protection or freedom of information legislation. It can feel frustrating when busy school staff receive requests that have been sent to many schools, particularly when they land in the last week of term, and it can be tempting to ignore them. However, schools and academies are ‘public authorities’ under the Freedom of Information Act 2000, so they are required by law to respond to all requests.

Working out how long schools have to respond can help: schools have 20 ‘school’ days to respond, so the clock stops ticking during holidays (but the deadline can be no longer than 60 working days). There are also limits on the time you need to spend dealing with a request, and exemptions that can limit the information that needs to be provided. Our new data protection support pack includes all the guidance and template resources you may need when dealing with freedom of information requests.

Yes! Adding AI functionality to an existing tool could pose additional risk which must be carefully considered: not just data protection risk, but also the risk of discrimination and bias, lack of accountability, and even cyber risk. You should carry out a careful risk assessment process, ensuring that you fully understand how the AI works and how you will protect users.

The ICO, Ofsted and JCQ may ask you questions about how you ensure safe AI use and you should be confident that you could answer those before enabling AI tools. Our AI governance support pack gives you the framework to govern safe AI practice, including template AI DPIA documents.


Personal data is any information that can either directly or indirectly identify a living individual. In a school setting this means the personal data of students, staff, parents and families, visitors and professionals providing support to school functions is regularly collected and used by the school.

Personal data includes direct identifiers, such as names, photographs and even initials. Indirect identifiers are things such as car registrations, pupil UPN or ULNs, payroll or national insurance numbers.

The best way to prepare for a data breach in a school is to adopt a proactive and positive culture, focusing on prevention, detection and response. Schools are already used to dealing with prevention, detection and response in relation to accidents and health and safety incidents, and understand that denying that they can and do happen is unhelpful. The same approach should be adopted in relation to data breaches.

Prevention is always better than cure, and schools should look to adopt a multi-pronged approach, including technical measures such as making sure access to systems is limited to those authorised to use them, strong passwords and encryption techniques, as well as organisational measures such as staff training, regular reminders and data protection policies. 

Detection is an important part of preparation for data breaches; all staff should feel confident to identify and report data breaches, including minor or near-miss incidents. Self-reporting is also important: mistakes and mishaps can and do happen in schools, and staff should not fear reprisal when admitting the mistakes they have made. Near-miss incidents are a valuable source of learning; taking action to improve processes can help reduce the risk of more serious incidents happening later.

Responding to a data breach is imperative: by acting swiftly, risk can be mitigated or removed, and the school is helped to meet its reporting obligations where required. All schools should have clearly accessible data breach procedures, with all staff clear on what to do in the event of a data breach.

Both the UK GDPR and the Data Protection Act 2018 apply to schools. Schools should consider both pieces of legislation together, and school DPOs should be confident about how they interact. The Data Protection Act gives schools important additional grounds for processing personal data, such as a lawful basis to process ‘special category’ data where necessary to ensure the safeguarding of children.

The Data Protection Act also contains important ‘exemptions’ which mean that in certain circumstances data can be withheld from subject access requests, or the need to be transparent about processing is lifted. Understanding this legislation can be complex, and our team of dedicated lawyers, with extensive experience of applying data protection laws in an educational context, can help schools to understand and apply the law.

Schools handle some of the most private data in society, holding sensitive information about pupils, including their health and disabilities, attainment and learning needs. They also process personal data about families, some of whom are vulnerable. On top of that, they hold the personal data of staff, including details of criminal convictions, banking, health and salary details. The Information Commissioner’s Office (ICO) has identified that schools are second only to the health sector in the number of data breaches they report, and has also stated that protection of children’s personal data is at the top of its regulatory focus. Where schools and academies have been audited by the ICO, there have also been public regulatory reprimands for those that have failed to comply with the law.

Yes, maintained and academy schools are classed as ‘public authorities’, which means that it is a statutory requirement to have a data protection officer (DPO). In addition, independent schools should consider whether they are required to appoint a DPO: there are several circumstances where appointing one is required, including when an organisation’s core function is processing special category data, which includes health and special educational needs data.

For many independent schools, it will be a core part of their provision to care for and educate pupils with complex needs.

Yes. The Freedom of Information Act 2000 applies to all publicly funded schools, including maintained and academy schools as well as free or special schools.

The Freedom of Information Act 2000 significantly impacts schools, granting the public the right to request information such as school budgets, performance data and key decisions about staffing and other sensitive matters. 

The purpose of the Act is to allow public scrutiny of how schools are run and money is spent, but it can impact school operations and be time-consuming to deal with, particularly when there are a number of FOI requests about a controversial decision or plan that is already taking up a lot of time and staff capacity, causing additional stress and pressure.

There are several steps that schools can take to be prepared for FOI requests, including being as transparent as possible to reduce the need for people to make requests, and having clear policies and procedures, as well as ensuring there is staff capacity. 

Training staff to deal with FOI is also important, so that they know the rules around how long they have to respond and any exemptions (reasons to withhold or redact information) that can be applied. Schools and academies now receive an ever-increasing number of FOI requests, whether from interested or aggrieved parents or staff, journalists, researchers or members of the public.

Our updated Data Protection Support pack now includes a comprehensive suite of documents to support schools, reflecting the increasing burden that requests place on them. In addition, our experienced lawyers, with extensive knowledge of FOI in education, can help schools to manage the often-difficult nature of requests and how best to deal with them.

The requirements to respond to subject access requests are no different for schools than for any other organisation, and school holidays do not ‘stop the clock’. There may be some confusion because, for Freedom of Information requests, schools do have 20 ‘school’ days to reply rather than 20 ‘working’ days. However, the same does not apply to the subject access request regime. This means that schools have one calendar month to respond, with an additional two months where requests are complex. A request received on 27th July would therefore be due to be responded to by 27th August, regardless of the school holiday.

Whilst schools cannot escape this statutory responsibility, they should help requesters to manage their expectations, with clear explanations of school closure dates, and details of which email boxes will be ‘open’ for communication during closure times, on the school website and in email auto-responses. Being transparent and working with a requester to help manage their request is an important step. Stating in an auto-response that emails will not be received or responded to, but then reading and responding to some, is the digital equivalent of ‘crying wolf’ and is less likely to be viewed sympathetically by the regulator (the ICO) if a complaint is later made about the school.

Yes. Anything that school governors (whether using official school systems, or even their own private messaging systems) create, hold or record in the course of their duties could potentially be requested via a FOI request.

The same applies for subject access requests. This is why school governors should be included in training and reminders about these important obligations.

Schools should only keep pupil records whilst pupils attend their school, only keeping them for longer where there is a legal or organisational need to do so. When pupils leave the school to move to another school, their records should generally move with them too, with the old school only keeping records where necessary.

The ‘last known school’ is required to store records for a longer time, usually until the pupil reaches the age of 25, with additional retention being justified for pupils who have had SEND provision or where there are records relating to child sexual abuse.

Schools do also need to keep some pupil data after pupils have left, specifically admissions and attendance registers, which need to be kept for six years (this was changed from three to six years by the School Attendance (Pupil Registration) (England) Regulations 2024). Managing pupil records can be complex, particularly where records are held electronically, rather than on paper as they were in the past.

All schools should have comprehensive records management and retention policies to ensure that all staff are clear on exactly where pupil records are stored, which pupil records should be retained, and for how long.

Our updated Data Protection Support Pack contains a template records management and retention policy authored by one of the expert contributors to the Information and Records Management Society Retention Toolkit for Schools and Academies. The template reflects the way that schools store data today, and the reality that records are rarely held in paper format.

Featured experience

A national public body

Advising a national public body on its policy in dealing with FOI requests. The client received confidential information alleging the misuse of public money and was concerned to ensure it was able to keep the identity of those providing such information confidential.

DPA compliance

Ensuring DPA compliance when our client’s auditors raised concerns over their compliance with all the provisions of the Data Protection Act 1998.

A group of schools

Supported a group of schools in drafting a Memorandum of Understanding as part of the process of moving towards formal collaborations. The work has involved dealing with the sensitivities of individual schools who, whilst aware of each other in an informal way, have not had the relationship of trust that includes sharing sensitive data for a greater good.

A school

Advising a school on the subsequent application under the Data Protection Act for sight of an allegation that a staff member had entered into a relationship with the pupil at the school a number of years earlier. We gave full support to the school, advising on the employment law issues and on the complaint by the staff member regarding the details to be noted on their personnel file.
