You are here:

Data protection policy and privacy notices: models

Ref: 804
Last updated on 13 July 2018
Statutory/mandatory for: Maintained schools Academies Free schools Independent schools Sixth-form colleges Pupil referral units Non-maintained special schools What does this mean?
Policy article
Our GDPR-compliant model data protection policy and privacy notices for parents, pupils, staff and others will help make sure you're compliant with the data protection reforms. You can download and adapt them to your context.

Article tools


  1. 1 Read this note before adapting our model documents
  2. 2 Model data protection policy
  3. 3 Model privacy notices
  4. 4 How to issue your privacy notices

Article features

  • 7 external links

Recent updates to this article

This article was updated on 13 July 2018 to include new model privacy notices for visitors, suppliers and alumni.

Read this note before adapting our model documents

Our model data protection policy and model privacy notices comply with the General Data Protection Regulation (GDPR) and, as far as possible at this point in time, the Data Protection Act 2018. The Data Protection Act 2018 is now law, but the Information Commissioner's Office (ICO) has yet to release detailed guidance on its provisions. 

Use the model documents to review as much of your existing policy and notices as you can now. We expect to update the following elements as soon as the ICO releases its guidance:

  • Conditions for processing special categories of personal data
  • Processing of criminal offence data
  • The provision of 'online services' to children 
  • International transfers of data
  • Subject access requests

We'll let you know when we update these models. Subscribe to updates by clicking 'save for later' at the top of the page.

Model data protection policy

Approved by Forbes Solicitors, and created in partnership with Emma Swann, an education lawyer and consultant, this model document is designed for you to adapt to suit your school’s context. All of our model documents take account of relevant requirements and good practice. They are easy to adapt, will save you time and help you keep your school compliant.

For more model policies and complete policy support from The Key, see the policy bank.

Model privacy notices

You are required to provide certain information to data subjects, typically through a privacy notice. Some schools refer to this document as a 'fair processing notice' instead.

Download and adapt our model privacy notices to make sure you cover all the requirements. There are models for all of the groups of people you're most likely to hold data for. 

If you hold data on any other groups, choose the most applicable notice and adapt it accordingly. 

Our notices are based on the Department for Education's model notices for schools and advice from Emma Swann, Graeme Hornsby, Helen Cooper and Forbes Solicitors.

Are there GDPR-compliant examples from schools?

We're waiting for schools to update their policies and privacy notices before we link to examples here. We'll update this article as and when we find good examples.

How to issue your privacy notices


Data subject: the person whose personal data is held or processed (e.g. all your pupils and staff will be data subjects)

Data controller: a person or organisation that determines how and why personal data is processed (e.g. your school)


You must provide certain information to data subjects, including:

  • Identity and contact details of the data controller (the school, or trust) - and the data protection officer
  • Purpose and lawful basis for processing (read our article on how to work out your lawful basis)
  • Categories of personal data processed
  • Any person or organisation the personal data is shared with

Read the full list of required contents on the ICO's page on the right to be informed


The information you supply about the processing of personal data must be: 

  • Concise, transparent, intelligible and easily accessible
  • Written in clear and plain language
  • Written in child-friendly language when addressed to a child
  • Free of charge


You must provide this information where you:

  • Obtain data directly from the individual, you must give them your privacy notice at the time you collect this data from them 
  • Do not obtain the data directly from the individual. In this scenario, you must provide your notice: 
    • Within 1 month of having collected the data
    • When you use their data to communicate with them for the first time 
    • Before you disclose their data to another recipient

Who to inform

You must provide this information directly to the data subject, unless you do not feel they would be able to comprehend its contents.

For example, young children or pupils with certain special educational needs (SEN) may not be able to understand what the information means, even if it is written in accessible language.

In these cases, provide the information to the parent or carer of the data subject. You can decide when this is appropriate.

This is according to advice we received from the ICO's helpline.

Where to put your notices

Privacy notices can be issued in a number of ways, according to the Department for Education's GDPR toolkit for schools (see page 40). You could issue them:

  • When providing 'initial registration' information as a pupil joins the school 
  • Along with other information and data provided at points during the school year
  • On the school website
  • For staff, at points during the 'life cycle' of an employee, such as: 
    • Applying for a role
    • When the contract of employment is issued
    • At an annual appraisal
    • When the contract ends 

When keeping pupils informed, make sure pupils fully understand what you're doing with their data so they don't worry unnecessarily. With younger children in particular, you could first introduce the issue in an ICT lesson. This will allow you to tailor your language to your pupils, check their understanding, and allow them to ask questions. 


Emma Swann is a solicitor specialising in education law. She has experience of acting for academies and diocesan boards, and regularly contributes to the Department for Education’s academies working group.

Graeme Hornsby is an education consultant with significant experience of school business management at a senior level. He has particular expertise in strategic financial planning, human resources and governance.

Helen Cooper is an HR consultant with HC Associates. She has experience of working with local authorities on staff appraisal and management restructuring projects.

The Key has taken great care in publishing this article. However, some of the article's content and information may come from or link to third party sources whose quality, relevance, accuracy, completeness, currency and reliability we do not guarantee. Accordingly, we will not be held liable for any use of or reliance placed on this article's content or the links or downloads it provides. This article may contain information sourced from public sector bodies and licensed under the Open Government Licence.