Hafeeza Joorawan, Senior Policy Officer at the ICO
Responding to subject access requests (SARs), inappropriate disclosures of personal data and combating cyber breaches are just some of the key challenges facing schools. Everyone has a responsibility for data protection so school trusts must ensure that everyone involved with handling personal data has the training and support that they need to get it right. At the Information Commissioner’s Office (ICO), we offer a wealth of advice and resources to educate staff on these responsibilities.
Here are some practical steps to tackle key challenges when it comes to navigating data protection legislation:
Dealing with SARs
If someone asks you for a copy of their information, it’s called a subject access request (SAR). By law, you have to respond, because it’s their right to request copies of their information. These requests must be answered within one month and schools often struggle to meet this timeframe, especially during the holidays. They also face the challenge of considering a child’s best interest when the requests are made by parents.
Plan ahead: Make a robust plan for how you’ll deal with SARs, including who is responsible for responding, the timeframes you need to meet and your methods for sending information.
Practise good records management: If you know what information you hold about students, where you keep it and how you can search for it, you’ll find it easier to handle your next SAR.
Train your staff: All staff should be trained to recognise a SAR so they can spot it early. Often, these requests can be missed if they are received verbally or in the middle of an email. The person doesn’t need to provide a reason or reference data protection law as part of their request.
Inappropriate disclosures
The most common data breaches that occur in schools include data sent to the wrong party and discussing students’ personal data in front of others. It is important to understand what can constitute an inappropriate disclosure of personal data – for example, publishing the reasons for staff absence online, or forgetting to use BCC (blind carbon copy) when sending emails. You can minimise the risk of a data breach significantly by handling personal data with care.
Store personal data securely: Some simple security measures could include storing paperwork in a locked cabinet and putting strong passwords on all your devices. Introduce a clear desk policy to reduce the risk of sensitive information being left unattended.
Take care when redacting data: When responding to a SAR, you may need to remove or redact information about other students. Make sure you are thorough and check the information can’t still be seen or recovered.
Improving cyber security
The education sector has been hit hard by cyber-attacks recently, which can have a devastating impact on affected schools. It is crucial that school trusts contain and minimise any damage to their networks in the event of a cyber-attack.
Back up your data: You should back up your data regularly. If you’re using an external storage device, keep it somewhere other than your main office – encrypt it, and lock it away if possible.
Use strong passwords: Make sure you use strong passwords on devices or accounts where personal information is stored. Where possible, you should consider using multi-factor authentication.
Be wary of suspicious emails: You need to know how to spot suspicious emails. Look out for signs such as bad grammar, demands for you to act urgently and requests for payment. Given the sector is also a target for ransomware attacks, schools may also find our ransomware guidance helpful.
If your school suffers a data breach as a result of a cyber-attack, you should report this to the ICO within 72 hours of becoming aware of it. You don’t have to wait for 72 hours – the sooner you contact us with detailed information the better.
During our flagship Data Protection Practitioners’ Conference (DPPC) on 3 October, we will offer practical workshops on a number of data protection issues affecting schools. Run by ICO staff, this conference will be an opportunity to improve knowledge about data protection principles and learn about key resources available.
The CST Blog welcomes perspectives from a diverse range of guest contributors. The opinions expressed in blogs are the views of the author(s), and should not be read as CST guidance or CST’s position.
Join the CST Professional Community for Data Leaders for more advice and support with data protection.