Data protection and sharing information

  • Artificial intelligence (AI): dos and don'ts for data protection
    Take a look at our tips to make sure you stay compliant with data protection around the use of artificial intelligence (AI) tools. Share them with your team to make sure everyone is on the same page.
  • Cheat sheet for data protection officers
    There's lots of new information to absorb now that you've taken on the role of data protection officer (DPO). Download our 'cheat sheet' to help you remember the key UK GDPR principles, deadlines and definitions.
  • Child protection records: transfer guidance
    Find out how to transfer safeguarding files securely, and what information you should include. We also look at communicating with other schools and parents.
  • Data protection impact assessment (DPIA)
    Find out what a data protection impact assessment (DPIA) is, when it must be done and who should be involved. Download and adapt our DPIA template to save you time.
  • Data protection impact assessments: role of the DPO
    As the DPO, you must be consulted when staff are carrying out a data protection impact assessment (DPIA). Understand when a DPIA is needed and learn about your role at each stage of the process. Plus, download and adapt our template DPIA enquiry form for staff to submit to you.
  • DPO's report to governors: template
    Use our template to make sure you're giving your governors all the information they need to know about data protection and your school's compliance with the UK GDPR.
  • Freedom of information: responding to requests
    Know what to do if you receive a request for information under the Freedom of Information Act (FOIA), including when you can charge for a response or refuse the request. Download and use our template letters to help you respond to requests.
  • How to respond to subject access requests in the summer holidays
    Learn how to take practical steps to meet your deadlines for responding to subject access requests over the summer holidays. Find out when you can extend the deadline for 'complex' requests and download our template letter to notify individuals of the extension.
  • Parents' right to access their child's educational record
    Understand your responsibilities to allow parents to access their child's educational record so you can stay compliant with education law and the UK GDPR.
  • Pupil records: transferring to other schools or education providers
    See the rules on transferring pupil records when a pupil moves school, and get guidance on how to do this securely for digital and paper copies.
  • Reporting, sharing and publishing requirements
    Be clear on what you must report, share and publish to stay compliant, as a maintained school or academy.
  • Role of the data protection officer (DPO)
    Understand the DPO's responsibilities, what experience they should have and training they may need. Plus, find out what to consider when determining how much time your DPO needs for their role.
  • 'Special category' data under the UK GDPR
    The UK GDPR classifies some data as 'special category', meaning it's sensitive and needs more protection. Find out what kind of data is defined this way in schools, and the conditions you can use to justify processing it.
  • Subject access requests: guidance and template forms
    Individuals have the right to request access to the information your school holds about them, under the UK GDPR. Use this guidance and our template forms to help you comply with subject access requests and know when you can refuse them.
  • Taking and displaying pupil photos and information
    There are no hard and fast rules under UK GDPR on displaying pupil photos or other information, but you must have a 'lawful basis' for using personal data, and seek consent where necessary. Use our practical examples to work out how to stay compliant in your specific circumstances.
  • The UK GDPR: audit
    Carry out a data protection audit, to make sure you comply with the statutory requirements under the UK GDPR and meet best practice. Check your records management and data processing practices, and evaluate the data protection training you deliver.
  • The UK GDPR: summary
    The UK General Data Protection Regulation (UK GDPR) determines how you must process and store personal data – understand what you have to do and the principles of data processing.
  • The UK GDPR: template record of processing activities
    Under the UK GDPR, you must record how you process the personal data you hold. Use our template and guidance to help you comply with this requirement now and on an ongoing basis in your school.
  • UK GDPR: ‘lawful basis’ for processing personal data
    Under the UK GDPR, you must identify a lawful basis (or legal reason) you can use to justify the specific purpose for processing personal data. Use our guidance to work out which of the 6 lawful bases to use and avoid wasting time seeking consent you don't need.
  • UK GDPR: make sure your suppliers are compliant
    You must make sure that any third parties that process personal data for your school meet UK GDPR requirements. See the steps you'll need to take, and download our checklist for your provider contracts.
  • UK GDPR: personal data breach procedure
    Download our model procedure and use it in the event of a data breach at your school. If you have any data breaches, use our template to record the details.
  • UK GDPR: seeking consent for processing personal data
    Use our guidance to help you decide whether you need to seek consent for processing personal data under the UK GDPR. If you do, download our template consent forms, or use our checklist to make sure your own forms meet the requirements.
  • UK GDPR: sharing safeguarding information
    Be confident in how you share safeguarding information under the UK GDPR. Know the principles to follow, your legal basis for sharing data and your responsibilities for information sharing.
  • UK GDPR: staff posters and handout
    Download our data protection cheat sheet for staff, and display these posters around your school to help everyone remember how to keep personal data safe day-to-day.
  • UK GDPR: using apps and online services with pupils
    Stay compliant with data protection law when using educational apps or other online services with pupils. Work through these questions before setting up a new app or service to figure out your responsibilities, then check your next steps.