Data Protection - Schools

Schools hold and process a huge range of personal data. This includes data on their pupils, pupils’ parents, guardians and their own staff.

To meet our Data Protection team please click here and our Education team here.

For the latest data protection news please click here.

With the GDPR increasing the regulatory requirements on schools, and new ePrivacy laws due, the importance of the right safeguards is key. With an increased number (and size) of fines, schools cannot afford to ignore the issues.

We can help schools with their data privacy obligations. We have acted for numerous schools and colleges, both in ensuring they have the right systems and processes in place, and to respond to issues as they arise (for example when they receive a data subject access request from a pupil/parent and where there is a data breach). 

By now schools should be meeting their personal data processing and management obligations.

Compliance is an evolving process. Complaints have risen significantly. Since the GDPR came into force, the number of investigations has greatly increased. Likewise, we are seeing more frequent exposure to significant fines as well as damaging publicity, both in the national press and on the “enforcement action” section of the ICO’s website, where perpetrators are named and shamed.  

 In the private sector, we have seen a huge increase (in the UK and across Europe) in proposed fines for data privacy violations, including for British Airways and the Marriott Group. There have also been a number of prosecutions of those who have infringed the rights of employees, customers and other individuals. 

Increased complaints

The reasons for complaints are broad, but the most common ones relate to individuals requesting access to their personal data, unlawful disclosure of data and security breaches. Common areas of ICO investigations are -

  • Sending or sharing personal information without a lawful basis to do so
  • Collecting and otherwise processing personal data unlawfully
  • Accessing personal information without authorisation
  • Not holding personal data safely or securely
  • Marketing by text and email without permission
  • Phoning people who have opted out of marketing or sales calls via the TPS register
  • Selling personal data unlawfully
  • Not responding quickly enough or at all to data subject access requests 

What is clear is that organisations, and in particular managers with employee and third party data responsibilities will increasingly find themselves under the ICO’s well-resourced eye. 

How we can help

Our data protection team advises clients on all of the data protection and related issues they face. Areas where we regularly help clients like you in the education sector include -

  • Handling large and complex data subject access requests, using an end to end eDiscovery tool, as required
  • Recognising the rights of pupils and the rights of parents, and the steps to take when these conflict
  • Ensuring schools adhere to the safeguarding principle when handling pupils’ personal data.
  • Handling and reporting data privacy breaches, including whether notifications need to be made to data subjects (including pupils and parents) and/or the ICO, and the best way to mitigate the impact of such breaches
  • Challenges brought by pupils, employees and other data subjects to the ICO and dealing with the ICO on behalf of the school
  • Employee monitoring and investigations in a variety of cases including alleged bullying and harassment
  • Employee screening and background checks (including criminal records checks for staff)
  • Drafting and reviewing data protection documentation
  • Data Protection Impact Assessments (DPIAs) for high risk processing, such as when introducing new absence management software and other new technologies
  • Overseas data transfers and advising how to do these lawfully
  • Training staff to meet a range of needs, from general staff awareness of GDPR through to bespoke training for data protection managers, business development managers and other areas where specific risks or issues have been identified

Fixed price

We also have a range of fixed price packages which we can discuss with you when we have scoped out the requirements of your school including - 

  • Data flow mapping – working out what data you have and what happens to it
  • Data processing activity reports (Article 30 reports) – setting out why you have the data, categorising it, and explaining the security measures in place to protect it
  • Compliance gap reporting – setting priorities for improvements, including cost-effective “quick wins” which are swift and cheap to put in place, and timeframes and costings for longer-term improvements
  • GDPR follow up audits – seeing how well you’re doing “on the ground” at a later stage in the process and making further recommendations where appropriate
  • Suites of data protection policies, procedures, notices and contracts to cover data breach management, data retention, employee and other privacy notices, data subject access request forms, template data processing agreements.

Recent work includes -

  • Handling data subject access requests received from pupils’ parents. We helped the school first recognise their obligations under the request, work with the parent to understand the scope of the search and then complete the searches. We helped them compile their response and review the data to ensure they did not breach their data privacy obligations to third parties.
  • Advising schools and colleges on their data protection responsibilities in light of the COVID-19 pandemic. We advised a sixth form college when two teachers were self-isolating (before the UK lockdown) after being in contact with individuals who had tested positive for COVID-19. We advised on how to communicate this to other staff members (ensuring they did not breach their data privacy obligations) and pupils, balancing the public health duties with the individuals’ rights to privacy.
  • Drafting necessary data privacy documents for a school. We reviewed and updated a college’s data privacy notices (for staff and third parties) and their data protection policies. This helped ensure they had suitable systems in place to mitigate the risk of data breaches and outline processes if any data issues arise at a later date.  
  • Reviewing a college’s processes and documents to lawfully conduct background criminal checks. We reviewed the existing policies, updated these to clearly set out their lawful basis and provided bespoke appropriate policy documents to handle criminal record data. 
  • Practical full day GDPR workshop for IAPS focusing on data protection issues in schools, comprising: how to devise a compliance plan, data breach management and notification, contracts, policies and notices, case studies and quiz
  • Training other lawyers at the Employment Lawyers Association Annual Conference on a wide array of data protection issues with an HR focus.

To meet our Data Protection team please click here and our Education team here

Recent feedback for the Data Protection team includes -

  • Piers Leigh-Pollitt is called a "beacon for common sense and pragmatism in difficult situations" by clients.”
  •  “Piers is very good - on the ball, articulate, credible and reassuring.”
  •  “Thank you very much indeed for your support throughout, and please pass on my appreciation to Mike (Hibberd).” 
  •  “Mike’s advice was spot on. He judged the project just right and managed and led the process effectively.”
  • "Declan (Bradley) is an extremely commercial lawyer who always takes a view and provides insightful, pragmatic and thoughtful advice. He will always make himself available and is extremely responsive and diligent in his client communications. His fees are transparent and cost effective. I highly recommend his services."
  • “Really great service, Declan is an expert and certainly went the extra mile."
  • “Great working with Declan. Very good communication and client-centric approach. Was particularly happy with the pragmatic nature of the advice."
  • "Honest. Authentic. Diplomatic. Empathetic. Makes the complex feel simple. In trying to sum up Rose (Smith) and her talents, these are the first words that come to mind."
  • "Really appreciate the depth of thought Rose shares so that I could make solid, reasoned choices without pressure."

To find out how we can help you please email Piers Leigh-Pollitt at or call +44 (0)118 951 6761.

For the latest data protection news please click here and schools news here.

To see data privacy law experts Piers Leigh-Pollitt and Mike Hibberd guide employers through the thorny questions arising with health data in light of COVID-19 please see below or click here

Areas they cover include - Why is health data treated differently to other types of data? Are employers allowed to process such data? What written records must be kept? Can employers screen their staff and ask health related questions? For businesses with many visitors how should they collect visitor data and what can they do with it? What guidance is available from the data privacy watchdog, the ICO?

Back to top