How to review your data protection policy

A note on approval

Your school's data protection policy can be approved by the governing board, an individual governor or the headteacher, according to the DfE's guidance on statutory policies. However, the governing board should approve your school's policy on the protection of children's biometric information. 

Because our model policy (provided by our sister service, The Key Leaders) covers the protection of children's biometric information, we've stated (in section 20 of the policy) that it'll be approved by the full board.

What this policy needs to do

Your school's/trust's policy needs to follow the requirements of:

• UK General Data Protection Regulation (UK GDPR)
• The EU GDPR was incorporated into UK legislation, with some amendments, by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2020
• Data Protection Act 2018 (DPA 2018)

It's also based on guidance published by the Information Commissioner’s Office (ICO) on the UK GDPR.

When you review your school's policy, you'll want to look for the following: 

Definitions and data protection principles

Look for a list of definitions of data-related jargon, such as:

• Personal data 
• Processing
• Data controller 
• Personal data breach

You can also expect to see a list of the UK GDPR data protection principles that staff and governors must comply with.

The data controller 

A note stating that the school/trust is a data controller, and whether:

• It's registered with the ICO
• It has paid its data protection fee to the ICO

Collecting and sharing personal data 

You can expect the policy to include:

• Why the school might process personal data i.e. when they have 1 of the 6 'lawful bases' to do so under data protection law
• When the school needs to seek consent for using personal data 
• That personal data will be deleted or anonymised once it's finished with
• The circumstances in which the school might need to share personal data 

Subject access requests

This section will outline:

• What information an individual can request from the school (such as access to a copy of their data)
• That personal data about a child belongs to the child, and whether parents/carers can make a subject access request for them
• How subject access requests can be submitted
• How the school will respond to subject access requests, including when the school might not disclose some information

Photograph and videos, biometric recognition systems and CCTV

These sections will depend on the context of your school and how it uses different technology. For example:

• CCTV: why the school uses it, how it's signposted and where any enquiries should be directed to
• Biometric recognition systems: how your school uses them and that the school needs consent for usage
• Photographs and videos: where photos/videos could be used in school, how the school will obtain consent and how the school will protect the child's identify as much as possible

Disposal of records 

How the school will properly dispose of personal data that is no longer needed, inaccurate, or out of date. This could include shredding or incinerating papers, and overwriting or deleting electronic files. 

Personal data breaches

What the school will do in the unlikely event of a data breach such as:

• Following relevant procedures
• Your school's procedure could be part of the policy, or set out separately
• See our model below
• Reporting the breach to the ICO when appropriate 

Staff roles, responsibilities and training 

This will include what data protection activities and responsibilities fall under the roles of:

• The governing board 
• The data protection officer (DPO)
• The headteacher
• Members of staff

It might also feature details of how and when staff and governors receive data protection training.

3 key questions to challenge the policy 

1. Does this policy reflect the context of our school?

This policy should be tailored to reflect your school's context (e.g. whether it's primary or secondary). It needs to be adapted based on things such as:

• The technology your school uses, such as biometric recognition systems or CCTV
• How your school uses photographs and videos for communication, marketing and promotional materials 
• How your school manages data protection, e.g. with data protection leads in addition to a data protection officer (DPO)

2. Is it made clear to staff how data should be handled, stored or published?

The main purpose of this policy is that staff understand how to properly handle, store and publish data. Ask your senior leaders how they've made this as clear as possible for staff, for example by:

• Listing definitions of the data-related jargon featured in the policy 
• Clearly explaining what staff are responsible for 
• Explaining what staff need to do if they're unclear on anything, i.e. contact the DPO

3. How will we know that this policy is working, and being properly implemented?

Senior leaders should be able to explain:

• The key objectives of the policy and how they'll measure success
• How implementation will be monitored and reported

Further questions

See more questions to ask when reviewing any policy.

If you're in a MAT, find out more about how to review a trust-wide policy

Model data protection policy

This model document (provided by our sister service, The Key Leaders) is not meant as a guide for writing it, since that's your senior leaders' job. Instead, use it to give you a sense of what a good policy looks like. 

Download: data protection model policy

This model document is designed for your senior leaders to adapt to suit your school’s context. 

It was created in partnership with Emma Swann, an education lawyer and consultant, and has been approved by Forbes Solicitors.

If you're in a MAT, you may need to adapt the information on roles and responsibilities to reflect the organisational structure of your trust. Where you do so, please make sure that roles and responsibilities meet any relevant requirements. Please also make sure, where applicable, that your adapted policy meets any relevant conditions in your funding agreement/articles of association, as these can vary.

Although the UK GDPR doesn't require you to have a data protection policy, it is included in the DfE's list of statutory policies.

Updates to our policy

We've reviewed our model policy (20 September 2023) to add a section on the use of artificial intelligence (AI).

We updated our policy (16 May 2022) to remove links to the ICO's surveillance camera code of practice as it's out of date and no longer on the ICO website. Instead, we link to this guidance on video surveillance – the ICO has confirmed to us that the guidance is accurate and up to date. You may need to update any references to the code of practice in sections 2 and 12, but your duties and responsibilities around this issue have not changed.

Earlier changes

We previously updated our model policy on:

• 22 June 2021: to reflect the EU GDPR being incorporated into UK legislation as the 'UK GDPR'. If you haven't updated your policy since then, you'll need to update your wording around relevant legislation
• 14 September 2020: to point you towards the ICO's self-assessment tool, and to reflect advice from our legal partner, Forbes Solicitors
• 7 May 2019: in line with the Data Protection Act 2018 and the latest guidance from the ICO

Model personal data breach procedure

We've created a model personal data breach procedure based on guidance on personal data breaches from the Information Commissioner's Office (ICO). 

This model document is not meant as a guide for writing or updating your school's procedure, since that's your school leaders' job. Instead, use it to give you a sense of what a good procedure looks like. 

Download: model data breach procedure

Approved by Forbes Solicitors, all of our model documents take account of relevant requirements and good practice.

Examples 

Primary

• Eldon Grove Academy, Hartlepool
• Vernon Park Primary School, Stockport

Secondary 

• Gartree High School, Leicester
• St Bernadette Catholic Secondary School, Bristol

Special

• Manor Green School, Windsor and Maidenhead (under 'UK GDPR policy')
• Ash Lea Special School, Nottinghamshire 

MATs

• Diocese of St Albans (13 academies)
• Inclusive MAT (3 academies)