How to review your data protection policy

Read our model policy to see what good looks like, and use our set of key questions to make sure your school is complying with data protection laws. Get a sense of what a good personal data breach procedure includes using our model.

Last reviewed on 7 November 2023
School types: All. School phases: All. Ref: 38423
  1. Key facts
  2. What this policy needs to do
  3. 3 key questions to challenge the policy 
  4. Model data protection policy
  5. Updates to our policy
  6. Model personal data breach procedure
  7. Examples 

Key facts

  • This policy is statutory
  • You can delegate the approval of this policy to an individual, committee or the headteacher 
  • The Department for Education (DfE) recommends you review it annually
  • The headteacher and senior leadership team will write and be responsible for the implementation of this policy

If you're in a multi-academy trust (MAT), it's likely this policy will be set centrally

A note on approval

Your school's data protection policy can be approved by the governing board, an individual governor or the headteacher, according to the DfE's guidance on statutory policies. However, the governing board should approve your school's policy on the protection of children's biometric information. 

Because our model policy (provided by our sister service, The Key Leaders) covers the protection of children's biometric information, we've stated (in section 20 of the policy) that it'll be approved by the full board.

What this policy needs to do

Your school's/trust's policy needs to follow the requirements of:

It's also based on guidance published by the Information Commissioner’s Office (ICO) on the UK GDPR.

When you review your school's policy, you'll want to look for the following: 

Definitions and data protection principles

Look for a list of definitions of data-related jargon, such as:

  • Personal data 
  • Processing
  • Data controller 
  • Personal data breach

You can also expect to see a list of the UK GDPR data protection principles that staff and governors must comply with.

The data controller 

A note stating that the school/trust is a data controller, and whether:

  • It's registered with the ICO
  • It has paid its data protection fee to the ICO

Collecting and sharing personal data 

You can expect the policy to include:

  • Why the school might process personal data, i.e. when it has 1 of the 6 'lawful bases' to do so under data protection law
  • When the school needs to seek consent for using personal data 
  • That personal data will be deleted or anonymised once it's finished with
  • The circumstances in which the school might need to share personal data 

Subject access requests

This section will outline:

  • What information an individual can request from the school (such as access to a copy of their data)
  • That personal data about a child belongs to the child, and whether parents/carers can make a subject access request for them
  • How subject access requests can be submitted
  • How the school will respond to subject access requests, including when the school might not disclose some information

Photograph and videos, biometric recognition systems and CCTV

These sections will depend on the context of your school and how it uses different technology. For example:

  • CCTV: why the school uses it, how it's signposted and where any enquiries should be directed to
  • Biometric recognition systems: how your school uses them and that the school needs consent for usage
  • Photographs and videos: where photos/videos could be used in school, how the school will obtain consent and how the school will protect the child's identity as much as possible

Disposal of records 

How the school will properly dispose of personal data that is no longer needed, inaccurate, or out of date. This could include shredding or incinerating papers, and overwriting or deleting electronic files. 

Personal data breaches

What the school will do in the unlikely event of a data breach, such as:

  • Following relevant procedures
    • Your school's procedure could be part of the policy, or set out separately
    • See our model below
  • Reporting the breach to the ICO when appropriate 

Staff roles, responsibilities and training 

This will include what data protection activities and responsibilities fall under the roles of:

  • The governing board 
  • The data protection officer (DPO)
  • The headteacher
  • Members of staff

It might also feature details of how and when staff and governors receive data protection training.

3 key questions to challenge the policy 

1. Does this policy reflect the context of our school?

This policy should be tailored to reflect your school's context (e.g. whether it's primary or secondary). It needs to be adapted based on things such as:

  • The technology your school uses, such as biometric recognition systems or CCTV
  • How your school uses photographs and videos for communication, marketing and promotional materials 
  • How your school manages data protection, e.g. with data protection leads in addition to a data protection officer (DPO)

2. Is it made clear to staff how data should be handled, stored or published?

The main purpose of this policy is that staff understand how to properly handle, store and publish data. Ask your senior leaders how they've made this as clear as possible for staff, for example by:

  • Listing definitions of the data-related jargon featured in the policy 
  • Clearly explaining what staff are responsible for 
  • Explaining what staff need to do if they're unclear on anything, i.e. contact the DPO

3. How will we know that this policy is working, and being properly implemented?

Senior leaders should be able to explain:

  • The key objectives of the policy and how they'll measure success
  • How implementation will be monitored and reported

Further questions

See more questions to ask when reviewing any policy.

If you're in a MAT, find out more about how to review a trust-wide policy

Model data protection policy

This model document (provided by our sister service, The Key Leaders) is not meant as a guide for writing it, since that's your senior leaders' job. Instead, use it to give you a sense of what a good policy looks like. 

Download: data protection model policy

This model document is designed for your senior leaders to adapt to suit your school’s context. 

It was created in partnership with Emma Swann, an education lawyer and consultant, and has been approved by Forbes Solicitors.

If you're in a MAT, you may need to adapt the information on roles and responsibilities to reflect the organisational structure of your trust. Where you do so, please make sure that roles and responsibilities meet any relevant requirements. Please also make sure, where applicable, that your adapted policy meets any relevant conditions in your funding agreement/articles of association, as these can vary.

Although the UK GDPR doesn't require you to have a data protection policy, it is included in the DfE's list of statutory policies.

Updates to our policy

We've reviewed our model policy (20 September 2023) to add a section on the use of artificial intelligence (AI).

We updated our policy (16 May 2022) to remove links to the ICO's surveillance camera code of practice as it's out of date and no longer on the ICO website. Instead, we link to this guidance on video surveillance – the ICO has confirmed to us that the guidance is accurate and up to date. You may need to update any references to the code of practice in sections 2 and 12, but your duties and responsibilities around this issue have not changed.

Earlier changes

We previously updated our model policy on:

  • 22 June 2021: to reflect the EU GDPR being incorporated into UK legislation as the 'UK GDPR'. If you haven't updated your policy since then, you'll need to update your wording around relevant legislation
  • 14 September 2020: to point you towards the ICO's self-assessment tool, and to reflect advice from our legal partner, Forbes Solicitors
  • 7 May 2019: in line with the Data Protection Act 2018 and the latest guidance from the ICO

Model personal data breach procedure

We've created a model personal data breach procedure based on guidance on personal data breaches from the Information Commissioner's Office (ICO). 

This model document is not meant as a guide for writing or updating your school's procedure, since that's your school leaders' job. Instead, use it to give you a sense of what a good procedure looks like. 

Download: model data breach procedure

Approved by Forbes Solicitors, all of our model documents take account of relevant requirements and good practice.

The Key has taken great care in publishing this article. However, some of the article's content and information may come from or link to third party sources whose quality, relevance, accuracy, completeness, currency and reliability we do not guarantee. Accordingly, we will not be held liable for any use of or reliance placed on this article's content or the links or downloads it provides. This article may contain information sourced from public sector bodies and licensed under the Open Government Licence v3.0.