
Cybersecurity for Secondary Schools: Exam Data, Student Records, and DfE Standards Compliance

Secondary schools occupy a uniquely high-risk position in the UK education cybersecurity landscape. They hold sensitive data for thousands of students — exam results, predicted grades, SEN records, pastoral records, and safeguarding files — at scale. They run complex IT environments supporting hundreds of staff and thousands of students, often with a single IT technician or a small IT team. They face genuine threat actor interest: exam data, staff credentials, and financial systems are all targets. And they are subject to the full weight of the DfE Cyber Security Standards (January 2023), which make governors personally accountable for meeting defined requirements.

Secondary schools hold exam predicted grades, SEN files, pastoral records, and UCAS data for thousands of students — high-value targets for ransomware groups and data thieves.

Why Secondary Schools Are High-Value Targets

Secondary schools combine several factors that make them attractive ransomware targets:

  • Operational dependency: schools must function during term — any disruption to MIS, email, or learning platforms creates immediate pressure to restore systems
  • Exam data sensitivity: GCSE and A-level predicted grades, special arrangements, and completed work represent high-value data
  • Financial systems: school finance functions process significant payments to suppliers and contractors
  • UCAS and HE application data: sixth form colleges and secondary schools with sixth forms hold university application data
  • Large attack surface: hundreds of staff devices, thousands of student devices, numerous cloud services

Exam Data Security: A Specific Risk

Exam data — particularly predicted grades and advance information about examination content — is sensitive in ways specific to secondary education. Unauthorised disclosure of predicted grades can affect UCAS applications. Exposure of exam content in advance constitutes serious malpractice. The exam boards (AQA, Edexcel, OCR) have strict data security requirements for schools that hold exam materials. Secondary schools should ensure exam-related data is stored separately from general school systems, with access limited to staff with a direct role in exam management. MIS exam modules should be reviewed for appropriate access controls, and exam scripts and working papers should be stored securely until submission to the board.

DfE Standards in the Secondary Context

The DfE Cyber Security Standards require secondary schools to demonstrate compliance across five domains: governance; protection; response; recovery; and ecosystem (third-party risk). For a secondary school with a dedicated IT team, the path to compliance is clearer than for a primary school, but the scale of the environment makes implementation more complex. Key priorities where secondary schools often lag behind: MFA on all staff accounts (email, MIS, remote access); patching all devices within 14 days; network segmentation between student and staff systems; and a tested incident response plan that governors have reviewed.

Student and Staff Data at Secondary Scale

A typical secondary school of 1,200 students processes personal data for those students across multiple systems: the MIS (SIMS, Arbor, iSAMS), Google Classroom or Microsoft Teams, assessment platforms, communication tools, library systems, and sports management. Each system represents a potential breach point, and many secondary schools have not completed a full Record of Processing Activities mapping all data flows. UK GDPR requires schools to have a legal basis for each processing activity, Data Processing Agreements with each vendor, and documented retention periods. An annual review of the ROPA — identifying new EdTech tools adopted informally by teachers — is essential to maintain compliance as the EdTech stack evolves.

Sixth Form and UCAS Data: Additional Obligations

Secondary schools with sixth forms and sixth form colleges processing UCAS applications hold a category of student data with specific handling requirements. UCAS application data — including academic references, personal statements, and predicted grades — is confidential and must be handled according to UCAS data sharing agreements. Schools must ensure that access to UCAS systems is restricted to authorised sixth form staff, that UCAS portal credentials are protected with appropriate authentication, and that personal statement drafts are not shared insecurely.

Frequently Asked Questions

What are the DfE standards specifically required of secondary schools?

The DfE standards apply equally to all state-maintained schools and colleges, regardless of phase. For secondary schools, the most commonly unmet requirements are: MFA on all staff accounts; a documented and tested incident response plan; regular security awareness training for all staff; and documented Data Processing Agreements with all EdTech vendors. The NCSC Schools Cyber Health Check provides a free assessment of where your school stands against these requirements.

How should a secondary school handle exam data under GDPR?

Exam data — scripts, marks, predicted grades, special arrangement records — should be treated as sensitive personal data under UK GDPR. Access should be limited to staff with a genuine need. Predicted grades should not be stored in general shared drives accessible to all staff. When sharing exam data with exam boards, use the exam board's secure submission systems rather than unencrypted email. Retain exam-related data according to the school's retention schedule and the exam board's requirements.

What is the biggest cybersecurity risk for a secondary school?

Phishing leading to account compromise, followed by ransomware deployment. A single staff member clicking a phishing link can give an attacker credentials for school systems. From there, attackers move laterally to find high-value targets — financial systems, MIS databases, and backup systems. MFA on all staff accounts is the single most effective control to interrupt this attack chain. After MFA, the most important controls are email filtering (to block phishing), backup testing (to survive ransomware), and staff training (to reduce click-through rates).
