The GDPR requires any organisation that handles personal information about people to comply with all data protection regulations. Since schools hold information on both staff and pupils, they are legally obliged to comply with the GDPR’s requirements.

Processing data can involve collecting, editing, retrieving, storing, archiving, disclosing and destroying either electronic or hard copies. It is important that each of these processes is compliant with the GDPR.

Various roles exist within the data protection process; this guidance document explores these roles in detail, providing information on what is required to enable schools to handle data correctly.


Data subjects


The data subject is an individual who is the subject of personal data; their data is kept under the responsibility of data controllers and data processors.


Data controllers


School managing boards are classed as the data controllers for all pupil, staff and parent data; therefore, it is not necessary to outsource a data controller. As a data controller, there are rules that must be adhered to; these include the following:

  • Processing personal data legally and fairly
  • Data must only be collected for legitimate reasons and used accordingly
  • Data collected must be relevant, adequate and not excessive in relation to the reason for its collection
  • Data must be regularly updated to ensure accuracy
  • If the data is incorrect, it must be possible to rectify, remove and block the information
  • Any data that identifies an individual must not be kept longer than necessary
  • Any personal information must be protected against accidental, unlawful destruction, alteration and disclosure – especially when processing over networks

As the data controller, schools must implement appropriate security measures that ensure the correct level of protection for all data stored and processed.

Complaints can be sent to the data controller if any individual (pupil, staff member or parent) believes that their data has been compromised. If the individual feels that their complaint has not been handled to their satisfaction, they can forward it to the ICO.


Data processors


A data processor is any person who processes personal data on behalf of the data controller. Some data can be collected and used by the school, in which case the school acts as both the data controller and processor. In some situations, however, schools will outsource their data to an external processor. Examples of when data will be sent to an external processor include the following:

  • Parent systems, such as text messaging, payments and bookings
  • Information sent for statutory returns and exams
  • Online curriculum software that requires pupil details
  • Finance, employment, staff and governor records

These processing procedures are already taking place within schools, meaning that it is not necessary to employ new staff. The GDPR requires the data processor to comply with its regulations, with an obligation to maintain a record of all processing activities.

Processors are required to process any personal data under the controller’s guidelines and should not dictate how data is managed; it is likely that specific instructions will be included in the data processing agreement.

Under the GDPR, both data controllers and data processors have an obligation to ensure that data is handled correctly.


Data protection officers (DPOs)


Schools should consider appointing a DPO to oversee and monitor the school’s data processing practices; here, employing a new member of staff may be beneficial to protecting data. While the school can act as both the data controller and data processor, the data protection officer is a role that needs to be filled by either a new or existing member of staff. The main role of the DPO is to ensure that all school procedures comply with the requirements of data protection legislation in force at the time.

It should be noted that, when an employee is appointed as the DPO, there must be no conflict of interest. The GDPR states that the DPO will be appointed based on their professional qualities and expert knowledge of data protection law.

The DPO’s knowledge of data protection law should be relevant to the type of data processing that is carried out within schools. They will need to understand the level of confidentiality that is required when processing individual pupils’, staff members’ and parents’ personal information.

The decision as to whether or not a school requires a DPO depends on the size of the organisation. If an academy is part of an MAT, a DPO may be shared across the trust. Maintained schools can share a DPO through collaboration with other schools and local agreements; however, this is not a requirement. If they wish to take on a DPO exclusively to their school, then they may do so.

DPOs must work closely with the data controllers and processors, both of whom should provide the DPO with the necessary resources and information to fulfil their role. The data controllers and data processors must also ensure that the DPO is regularly involved with all issues regarding data protection at the school. The GDPR states that DPOs must be able to report freely to the highest level of management.


What’s next?


To prepare for the enforcement of the GDPR, we have created a GDPR Resource Pack which includes resources to minimise the risk of data breaches. The pack contains a GDPR Data Protection Policy, which outlines provisions compliant with the GDPR with regard to data processing procedures in schools. Our Preparing for the General Data Protection Regulation – 3 Minute Read summarises the changes that may affect schools, keeping everything that you need to know in one place.



