You are here:

Administration and finance : Data protection and information management

Data protection and information management

Financial efficiency
Transparent Spacer

Cost-saving centre

Includes downloads, advice and practical resources to help you with income generation, cost-effective staffing, procurement and more.

View moreView more arrow
New from The Key
Transparent Spacer

Compliance Tracker

"I love the idea that if Ofsted came, you don’t have to get into lots of spreadsheets to find out the answers. You can just show them the tool"

View moreView more arrow
8 articles
  • Collecting information
    • Common transfer file: definition and contents Learn what data you should include in the common transfer file (CTF), and the ways in which you can send it. You'll also find out what action you should take if you haven't received a new pupil's CTF data.
    • Pupil record: contents and cover sheet Know what should be included in your pupil records, and what should be on the records' cover sheets. See as well what should be kept separate to the record.
    • Recording disciplinary incidents How should schools record behaviour incidents that lead to disciplinary action? In this article, we relay advice from one of our associate education experts on recording disciplinary information. You will also find advice on how long to retain records of pupils' behaviour.
    • School admission registers Most schools need to hold an admission register. Find out what should be in it.
    • School census: key dates and guidance Make sure you know the deadlines for submitting the census, and find out where to go if you have any questions about completing it.
    • Subject leader's file: what should it contain? What should a subject co-ordinator's file include? We relay advice from three of our associate education experts on what a subject leader's file could contain. We also link to a toolkit from a local authority, and refer to school policies that set out what a file might include.
    • Taking medical information on trips Taking pupils with medical conditions on trips requires a little extra preparation. This article looks at what medical information you should take with you and what you should be aware of when managing this situation.
    • Updating personal data efficiently Read our expert's tips on how to update student and staff information efficiently on your management information system (MIS). We also link to our GDPR-compliant model privacy notices.
    Show all articles
    54 articles
  • Data protection and sharing information
    • 'Cheat sheet' for data protection officers There's lots of new information to remember now that you've taken on the role of data protection officer (DPO). Print our 'cheat sheet' to help you remember the key GDPR principles, deadlines and definitions.
    • Child protection files: transfer Read about transferring child protection files securely, and check what information to include. We also look at communicating with other schools and parents.
    • Data protection impact assessments Find out what data protection impact assessments (DPIAs) are and when they must be done.
    • Data protection impact assessments: template and checklist As the DPO, you must be consulted when staff are carrying out a data protection impact assessment (DPIA). Get clarity on your role in the process, and share our checklist and template to help your colleagues identify when a DPIA is needed and cover everything they're required to.
    • Data protection: latest updates DPOs need to stay on top of changes in the world of data protection. We’ve collected all the updates you need in one place, so you don’t miss anything.
    • Data protection officer: who can it be? Schools must appoint a data protection officer (DPO) from May 2018 under the GDPR. There’s little authoritative, practical guidance on how to do this in a school, so read on for our experts’ recommendations on who to appoint depending on your context.
    • Data sharing agreements If there is a risk to sharing data with an organisation, it is recommended that you have a data sharing agreement in place. Understand when you might have one and which organisations you may have one with.
    • DPO's report to governors: template Use our template to make sure you're giving your governors all the information they need to know about data protection and your school's compliance with the GDPR.
    • DPOs: what your school must do for you Your school must fulfil certain requirements to help you carry out your role of data protection officer (DPO). We've set them out here so you know what you're entitled to. You can also share or discuss this with your school leaders to get them up to speed.
    • Email security: sending personal data Any personal data you send by email must be kept secure. Use our tips to help you keep personal data safe in emails to ensure you’re doing everything you can in line with the GDPR to avoid a data breach.
    • Fingerprint scanning: seeking consent Fingerprint scanning pupils has unique rules attached to it that go alongside the GDPR. Read about how to seek consent before processing a child's fingerprints.
    • Freedom of information: responding to requests Know what to do if you receive a request for information under the Freedom of Information Act, including when you charge for a response and when you can refuse the request. Use our template letters to help you respond to requests.
    • GDPR: at what age can pupils give consent? There's no statutory age at which pupils can give consent for data processing under the GDPR. Learn what age is usually appropriate, and how to manage issues around seeking pupils' consent.
    • GDPR audit Audit your current data processing arrangements to make sure they comply with the GDPR and meet best practice. Check your records management practices and find out if you’re storing physical and electronic copies of personal data securely.
    • GDPR compliance for visiting staff You need to ensure GDPR compliance for your visiting staff who have access to personal data held by your school. Use the following guidance to help you determine their employment status and satisfy yourself that they’re compliant.
    • GDPR: contacting parents Use this article to figure out how to handle the contact details of parents under the GDPR, and when you will need consent to contact parents. We look at scenarios including messages about emergency situations, marketing and fundraising, and sending out newsletters.
    • GDPR: ensuring your suppliers are compliant You must make sure that any third parties who process personal data on your behalf are GDPR compliant. See the steps you'll need to take, and download our checklist so you know what details you must include in your contracts with these providers.
    • GDPR jargon buster The world of data protection is filled with jargon and technical terms, but our GDPR glossary makes it accessible for you.
    • GDPR: managing your photo archives Figure out what to do with your old photographs of pupils and staff with the GDPR in place. We look at whether previous consent will be enough and explain that you may not need to seek consent if archiving photos for certain purposes.
    • GDPR: most common questions one year on Answers to the most common questions you're currently asking us about the GDPR. Get clarity on the key principles and understand what’s expected of you.
    • GDPR mythbuster Avoid the scaremongering around the GDPR and use our mythbuster to separate the fact from the fiction when it comes to visitor books, photo archives, fines, consent and more.
    • GDPR: personal data breach procedure UpdatedDownload our model procedure and use it in the event of a data breach at your school. If you have any data breaches, use our template to record the details.
    • GDPR: seeking consent for processing personal data Use our process to help you work out whether you need to seek consent for processing personal data under the GDPR. If you do, use our template consent forms, or our checklist to make sure your own forms meet the requirements.
    • GDPR: sending out direct marketing Understand the GDPR and ePrivacy rules surrounding marketing so you can ensure you're compliant. We set out what these rules are and what you'll need to do to comply, and suggest alternative marketing methods you can use.
    • GDPR: sharing medical information Learn under what circumstances you can share pupil and staff medical data under the GDPR. We set out what lawful bases you can typically rely on, and outline good practice on sharing information with staff so that they're prepared for emergencies but the data is kept secure.
    • GDPR: sharing safeguarding information Be confident in how you share safeguarding information under the GDPR. Know the principles to follow, your legal reasons for sharing data, and your responsibilities for information sharing.
    • GDPR: template record of processing activities Under the GDPR, you must record how you process the personal data you hold. Use our template and guidance to help you comply with this requirement now and on an ongoing basis in your school or MAT.
    • GDPR: using apps and online services with pupils If you're using educational apps or other online services with pupils, like assessment platforms or homework portals, make sure you stay compliant with data protection law. Work through these questions before setting up a new app or service to figure out your responsibilities, then see what you need to do next.
    • Help your staff understand the GDPR: posters and handout Download our data protection cheat sheet for staff, and display these posters around your school to help everyone remember how to keep personal data safe day-to-day.
    • How to choose which ‘lawful basis’ to use under the GDPR Under the GDPR, it’s crucial to identify the lawful basis (or legal reason) you can use to justify why you process personal data. Use the process below to work out which of the 6 lawful bases to use for each of your data processing activities, and avoid wasting time seeking consent that you don't need.
    • How to clean out your data: decision flowchart Filing cabinets bursting at the seams? Drowning in years-old personal data that you’re nervous about discarding or unsure whether to keep? Use our decision flowchart to determine what to retain, minimise or delete so that you stay compliant with data protection law.
    • How to comply with the General Data Protection Regulation Here's what you need to do to make sure your school is compliant with the GDPR, in force since 25 May 2018.
    • How to respond to subject access requests in the summer holidays Schools must respond to SARs within 1 month, which could be more difficult over the summer. 42% of the DPOs we polled don't know how they'll manage this yet, so we've got you covered with practical solutions and a template letter to extend the deadline for 'complex' requests.
    • Information audit: template Use our downloadable audit template, which includes school-specific prompts, to help you identify the personal data you hold. Carrying out an information audit will help you to meet requirements under the GDPR.
    • International data transfers under the GDPR Use this step-by-step guide to determine whether your school can lawfully share personal data with countries outside the European Economic Area. This includes sending it directly to an international organisation or when it’s kept in a server abroad.
    • MATs: getting GDPR-compliant across your trust As a MAT, you're the legal entity responsible for data processing across your schools, and so the responsibility for GDPR compliance sits with you. Here are the steps you now need to take to get your trust ready.
    • Parents' right to see their child's educational record Under education law, parents and those with parental responsibility have the right to access information about their child. These are the key points you need to be aware of.
    • Poll results: how is the DPO role taking shape? We asked 300 data protection officers (DPOs) in schools what their role looks like currently, now that the GDPR is in force. See how your school compares.
    • Poll results: who are schools choosing as their data protection officer? Deciding who to appoint as a data protection officer is causing widespread confusion in schools. We asked 1,000 of our school leader community how their schools are responding - let them help you to make a call.
    • Pupil records: transferring to other schools or providers We've set out the rules on transferring pupil records when a pupil moves school, and guidance on how to do this securely for digital and paper copies.
    • Recording and managing consent under the GDPR Read this article for guidance on recording consent to process pupils’ personal data under the GDPR. You can also see examples of how two schools are managing consent, plus some top tips to help you manage your consent procedures efficiently.
    • Requests for information: guidance and template record Learn about the 3 different methods individuals might use to request information from your school, and use our template record for managing such requests.
    • Requests from parents to see pupils' information: FAQs What rights do parents have to view information about their child? We answer FAQs from our members about information that schools can release in response to parents' requests. The article cites subject access requests and the right to access a child's educational record.
    • Schools' reporting requirements What are schools' reporting requirements? We explain that academies must produce annual reports and maintained schools must complete the Schools Financial Value Standard (SFVS). We also refer to The Governance Handbook and outline what information all schools must publish.
    • Sending personal data home with pupils Sending letters and reports home with children that contain personal data can present a risk to the security of the data. Understand how to manage the risks and find guidance on alternatives to sending personal data home with children.
    • Sharing data in schools Official guidance on sharing data has not yet been updated for the GDPR. We will be updating this article when the new code of practice is published, but until then we've relayed the current rules around it here.
    • 'Special category' data under the GDPR The GDPR classifies some data as 'special category', meaning it's sensitive and needs more protection. Read on to find out what kind of data is defined this way in schools, and the conditions you can use to justify why you need to process it.
    • Subject access requests: guidance and template forms Individuals have the right to request access to the information your school holds about them, under the GDPR. Use this guidance and our template forms to help you comply with subject access requests and know when you can refuse them.
    • Taking and displaying pupil photos and information There are no hard and fast rules under the GDPR specifically on displaying pupil photos or other information, but you must have a 'lawful basis' for using personal data, and seek consent where necessary. Use the advice below to work out how best to manage this in your school.
    • Taking documents home: securing personal data Personal data accessed by staff at home must be kept secure. With more staff than ever working remotely, take these steps to keep documents containing personal data safe, to avoid a data breach and stay compliant with the GDPR.
    • The General Data Protection Regulation explained The General Data Protection Regulation (GDPR) applies from 25 May 2018 and determines how you process personal data and keep it safe. This article will help you get to grips with the key points of the legislation.
    • The General Data Protection Regulation (GDPR) We summarise the GDPR in just one page. You can also download this QuickRead as a ready-made resource to share with colleagues, to get them up to speed with this new legislation.
    • The role of the data protection officer (DPO) Schools must appoint a data protection officer under the General Data Protection Regulation. We explain the duties of the role, what experience they should have, and what training they may need. You can also download and adapt our template job description and person specification.
    • Using personal devices: securing personal data Personal data accessed by staff on their own devices, such as through remote working or BYOD policies, must be kept secure. Take these steps to ensure the security of personal devices and keep data safe, to avoid a data breach and stay compliant with the GDPR.
    Show all articles
    4 articles
  • Retaining records
    • Child protection records: retention We summarise guidance on keeping child protection records, including the information on the pupil file, records of allegations made against members of staff, and records of court orders.
    • GDPR: retention and disposal of records Find out how long you need to retain school records for, and why and how you should establish a retention schedule. Plus, learn how to dispose of data securely.
    • Retaining first aid, accident and medical records Records relating to first aid, accidents and medicines have different retention requirements set by various pieces of legislation. Get the guidance all in one place to help you manage your records effectively.
    • Staff personnel files: what to include What information should be kept in staff personnel files? This article features advice from ACAS and One Education on compiling and retaining employee personnel files. It also looks at whether Ofsted will ask to see personnel files.
    Show all articles