UK GDPR: using apps and online services with pupils

Stay compliant with data protection law when using educational apps or other online services with pupils. Work through these questions before setting up a new app or service to figure out your responsibilities, then check your next steps.

Last reviewed on 8 January 2024
School types: AllSchool phases: AllRef: 35317
  1. Are you the data controller?
  2. Would use of the service be necessary for educational purposes?
  3. Steps to follow when setting up a service

Are you the data controller?

If pupils’ using the service means your school has to process any personal data, you're the data controller.

This applies if:

  • You need to collect and share personal data with the service provider (e.g. you'll give them the names of the pupils using the service); and/or
  • You receive data back from the provider (e.g. you'll get scores from a test done on the service)

If your school doesn't need to process personal data, then you're not the data controller.

You're not processing data if:

My school is the controller You’re responsible for getting everything in check under data protection