Data protection model policy

Use our model data protection policy to keep yours up to date with the latest regulations and guidance. It will save you time and help you stay compliant in this complex area.

Updated on 29 May 2026
Ref: 41707
Statutory/mandatory for:
Maintained schools
Academies
Free schools
Independent schools
Sixth-form colleges
Further education
Pupil referral units
Non-maintained special schools
Contents
  1. You must have policies and procedures in place
  2. Download our model policy
  3. If you need to write or update privacy notices …

You must have policies and procedures in place

It's a legal requirement that your school has data protection policies and procedures in place. These should be regularly reviewed and updated.

You should also review your other statutory policies and documents with data protection in mind.

This is explained in the DfE's guidance on data protection.

You must also have privacy notices. If you collect biometric information from your pupils, your privacy notices should include information about how this data is processed and stored, including the rights of individuals relating to the processing. 

See page 11 of the DfE's guidance on protection of biometric information of children in schools.

From 19 June 2026, you must also have a process for handling data protection complaints to your school or trust. These are new requirements introduced by the Data (Use and Access) Act 2025.

Download our model policy

Model policy: data protection DOCX, 787.4 KB