GDPR for Schools: Pupil Data Protection, ICO Obligations and What the Fines Look Like
Schools are among the UK's largest processors of sensitive personal data — holding pupil records, safeguarding information, special educational needs data, health records, and biometric data for cashless catering systems. Under UK GDPR and the Data Protection Act 2018, schools are data controllers with full compliance obligations. The ICO has investigated and fined multiple schools for GDPR breaches involving inadequate data security, unlawful CCTV use, and failure to conduct Data Protection Impact Assessments. A ransomware attack that exposes pupil records — as occurred when Hackney Council's systems, including those holding pupil data, were hit in 2020 — triggers mandatory ICO notification and potentially significant fines.
ICO has fined multiple UK schools for GDPR breaches — inadequate security, unlawful CCTV, and failure to protect sensitive pupil data.
What Data Schools Hold and Why It Matters
Schools process an exceptionally wide range of personal data, much of it falling into special category data requiring enhanced protection under UK GDPR:
- Pupil records: names, addresses, dates of birth, academic records, attendance
- Safeguarding records: child protection files, referrals, social care involvement
- Special educational needs (SEN) data: EHC plans, SEND assessments, medical information
- Health and biometric data: medical conditions, medications, biometric identifiers for cashless systems
- Staff data: employment records, DBS check results, payroll, performance management
- CCTV footage: often covering areas where children are present
Key GDPR Obligations for Schools
Schools must appoint a Data Protection Officer (DPO) — this is a mandatory requirement under UK GDPR for public authorities, which includes maintained schools and multi-academy trusts. The DPO must be independent, have expert knowledge of data protection law, and must not have a conflict of interest. Many smaller schools share a DPO service through their local authority or a specialist provider.

Schools must also maintain a Record of Processing Activities (ROPA) — a documented register of all the personal data they process, the legal basis for each processing activity, retention periods, and the security measures applied. The ROPA must be kept up to date and available for ICO inspection.
ICO Enforcement: What Happens After a Breach
The ICO has powers to fine UK organisations up to £17.5 million or 4% of global turnover for serious GDPR breaches. For schools, enforcement has focused on:
- failure to report breaches within 72 hours
- inadequate security measures leading to unauthorised access
- unlawful use of CCTV or biometric systems without proper notice
- sharing pupil data without a legal basis

Following a ransomware attack, the ICO will assess whether the school had appropriate technical measures in place before the incident. Demonstrating Cyber Essentials certification, MFA deployment, up-to-date patching, and a tested incident response plan provides a strong defence against regulatory penalties.
EdTech Vendors and GDPR: The Supply Chain Risk
Schools routinely share pupil data with EdTech vendors — learning management systems, assessment platforms, communication tools, and administrative software. Under UK GDPR, schools remain responsible for data shared with processors. Schools must have Data Processing Agreements (DPAs) in place with all vendors that process pupil personal data, and must conduct due diligence on vendors' security practices. The MOVEit vulnerability exploited in 2023 affected universities and education institutions globally that used the file transfer platform — a reminder that EdTech supply chain risk is real and can expose pupil data without any failing on the school's own systems.
Frequently Asked Questions
Does a primary school need to appoint a Data Protection Officer?
Yes. Maintained schools are public authorities under UK GDPR, and appointing a DPO is mandatory. Academy trusts are also required to appoint a DPO. Smaller schools typically share a DPO service through their local authority, diocese, or a specialist GDPR service provider. The DPO must be independent and cannot also be the headteacher or a governor.
What is the 72-hour rule for schools after a data breach?
Under UK GDPR, schools must notify the ICO within 72 hours of becoming aware of a personal data breach where it is likely to result in a risk to individuals' rights and freedoms. The clock starts when the school becomes aware — not when the breach occurred. Schools should have an incident response plan that includes a breach notification procedure, with the DPO responsible for making the notification decision.
Can schools use biometric data for cashless catering systems?
Yes, but with strict conditions. Schools must obtain explicit consent from parents and pupils (where old enough to consent) before processing biometric data. The school must offer an alternative for pupils whose parents do not consent. Schools must also complete a Data Protection Impact Assessment before introducing any biometric system, as processing biometric data for identification is high-risk under UK GDPR.
How should schools handle a ransomware attack under GDPR?
Immediately activate your incident response plan. Notify your DPO or data protection lead. Assess whether personal data has been accessed, encrypted, or exfiltrated — ransomware attacks often involve data theft before encryption. If a breach has occurred or is suspected, notify the ICO within 72 hours. Contact the NCSC's Cyber Incident Response service for technical assistance. Document all actions taken.