GDPR Data Protection Guide for Schools: From DPO Appointment to Breach Response

UK GDPR compliance for schools is more complex than many headteachers and governors realise. Schools are data controllers for a wide range of sensitive personal data — pupil records, safeguarding files, SEN assessments, staff employment records, and CCTV footage. They must appoint a Data Protection Officer, maintain a Record of Processing Activities, respond to data subject rights requests, conduct Data Protection Impact Assessments, and notify the ICO within 72 hours of qualifying breaches. The ICO has fined UK schools and investigated many more — and data breaches caused by cyberattacks are among the most common triggers for ICO involvement.

ICO investigations of UK schools have involved inadequate security, unlawful CCTV, failure to report breaches, and missing Data Processing Agreements with EdTech vendors.

Appointing a Data Protection Officer

All maintained schools and academy trusts are public authorities under UK GDPR and must appoint a Data Protection Officer. The DPO must have expert knowledge of data protection law, must be independent (cannot be the headteacher, a governor, or anyone else with a conflict of interest), and must have the resources to carry out their role effectively. Most schools appoint a DPO through their local authority, diocese, or a specialist GDPR service provider. The DPO's contact details must be published on the school's website and registered with the ICO.

Record of Processing Activities (ROPA)

Schools must maintain a ROPA documenting all the personal data they process. The ROPA should include: the purpose of each processing activity; the categories of data involved; the legal basis for processing; retention periods; who has access; and the security measures in place. The ROPA must be kept up to date and made available to the ICO on request. Many schools have outdated ROPAs that do not reflect new EdTech platforms introduced since the last review.

Data Processing Agreements with EdTech Vendors

Every EdTech vendor that processes pupil personal data on behalf of the school must have a signed Data Processing Agreement (DPA) in place before any data is shared. The DPA must specify what data is being processed, for what purpose, for how long, and what security measures the vendor will maintain. Vendors must notify the school of any breach within 72 hours. Schools should maintain a register of all DPAs and review them periodically, particularly whenever a new EdTech tool is procured.

Responding to Data Subject Rights Requests

Pupils (and, where a pupil is under 13 or in some cases older, their parents) have rights under UK GDPR: the right to access their data (a Subject Access Request, or SAR), the right to rectification, the right to erasure (in limited circumstances), and the right to object to processing. Schools must respond to a SAR within one month. Schools should have a documented process for receiving and responding to SARs, and should not charge a fee unless the request is manifestly unfounded or excessive.

ICO Breach Notification: When and How

Qualifying personal data breaches must be reported to the ICO within 72 hours of the school becoming aware. A qualifying breach is one that is likely to result in a risk to individuals' rights and freedoms — this includes most ransomware attacks, accidental disclosure of sensitive pupil data, and loss of unencrypted devices containing personal data. The ICO online portal (ico.org.uk) provides the notification form. Where the breach is high risk, affected individuals must also be notified directly without undue delay.

Frequently Asked Questions

Can a governor serve as the school's Data Protection Officer?

No. The DPO must be independent and must not have a conflict of interest. A governor is part of the governing body — the data controller — and therefore cannot act as the DPO. The same applies to the headteacher, business manager, or any member of staff with significant decision-making power over data processing activities. Schools should appoint an external DPO service if no independent internal candidate exists.

How long should schools keep pupil records?

Retention periods for school records are set out in the Information Records Management Society (IRMS) Schools Toolkit, which provides recommended retention schedules. As a general guide: pupil curricular records should be kept until the pupil turns 25; child protection records until the pupil turns 25 (or longer for serious cases); and SEN records until the pupil turns 25. Schools should document retention periods in their ROPA and have a deletion process for data past its retention period.

Do schools need consent to photograph pupils?

Consent is one legal basis for processing images, but not the only one. For official school activities — school photography, newsletters, the school website — legitimate interests or the performance of a task in the public interest may provide a legal basis without requiring consent. However, schools must conduct a legitimate interests assessment and must give parents the opportunity to object. For social media sharing of pupil images, consent is generally the more appropriate basis. Schools should have a clear photography and image use policy.

Get a GDPR health check for your school

Kyanite Blue specialises in cybersecurity for iGaming operators. MGA-licensed operators across Malta trust our stack.
