How to review your data protection policy

Read our model data protection policy and data breach procedure to see what good looks like, and use our set of key questions to make sure your school is complying with data protection laws.

Last reviewed on 8 May 2025See updates

School types: All•School phases: All•Ref: 38423

Contents

Key facts
What this policy needs to do
3 key questions to challenge the policy
Model data protection policy
Updates to our policy
Model personal data breach procedure
Examples

A note on approval

Your school's data protection policy can be approved by the governing board, an individual governor or the headteacher. However, the governing board should approve your school's policy on the protection of children's biometric information.

Because our model policy (provided by our sister service, The Key Leaders) covers the protection of children's biometric information, we've stated (in section 20 of the policy) that it'll be approved by the full board.

What this policy needs to do

Your school's/trust's policy needs to follow the requirements of the:

UK General Data Protection Regulation (UK GDPR)

The EU GDPR was incorporated into UK legislation, with some amendments, by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2020

Data Protection Act 2018 (DPA 2018)

When you review your school's policy, you'll want to look

A note on approval

What this policy needs to do

Want to continue reading?