Data protection model policy

Use our model data protection policy to keep yours up to date with the latest regulations and guidance. It'll save you time and help you stay compliant with this complex area.

Last reviewed on 26 June 2024See updates
Ref: 41707
Statutory/mandatory for:
Maintained schools
Academies
Free schools
Independent schools
Sixth-form colleges
Further education
Pupil referral units
Non-maintained special schools
Contents
  1. You must have policies and procedures in place
  2. Model data protection policy
  3. Need to write or update privacy notices too?

You must have policies and procedures in place

In March 2024, the DfE published new lists of statutory policies for both maintained schools (in the maintained schools governance guide) and academies, including free schools (in the academy trust governance guide). Data protection is not included as a statutory policy in these lists.

However, it is a legal requirement that your school has data protection policies and procedures in place. These should be regularly reviewed and updated.

You should also review your other statutory policies and documents with data protection in mind.

This is explained in the DfE's guidance on data protection.

You must also have privacy notices. If you collect biometric information from your pupils, your privacy notices should include information about how this data is processed and stored, including the rights of individuals relating to the processing. See page 11 of the DfE's guidance on protection of biometric information of children in schools.