Data Protection for schools – everything you need to know

Written by Luke Peach on 18/09/2020

Schools can learn from Data Protection Officers

As legislation goes, the GDPR could be unique in its insistence that a new professional role, the Data Protection Officer (DPO), be created to ensure its mandates are properly met. But getting a DPO in place is no simple recruitment exercise, and that’s especially true for schools.

For starters, people with the requisite mix of abilities and experience to do the job in educational environments are hard to find. However, schools don’t necessarily have to recruit externally, as the GDPR guidelines allow for other options. Governors and members of school staff can be made DPOs – although given the baseline career skills and background required, this is probably not feasible.

In the UK, schools can also request that their Education Authority manage the DPO requirement on their behalf. However, a more robust option is to outsource the job to third-party data security specialists, since data protection in the education sector can be more demanding for schools than for commercial businesses.

School-specific data governance challenges

Schools naturally handle a lot of sensitive information about children, which means special provisions in the Data Protection Act 2018 (the UK’s implementation of the GDPR) must be observed. Some data may be accessed by students themselves, which introduces extra risk compared to managing data security among an enterprise workforce. Part of the school DPO’s role is to maintain cyber awareness among younger end-users who may not be as receptive to cyber dos and don’ts as salaried employees.

School DPOs are also concerned about risk exposure, and educational establishments of all kinds are increasingly targeted by malicious cyber threats. Cyber criminals know that the digitalisation of learning processes creates opportunities for new forms of attack (such as phishing) aimed directly at students and teaching staff.

GDPR in Schools

Funding pressures are always an acute issue for many educational establishments, and hiring a DPO only compounds matters. Schools are faced with having to recruit a new staff member whose exceptional skills and abilities place a premium on the salaries DPO candidates can demand. According to Glassdoor, these range from £32k per annum to £79k per annum, with £50k being the national average. Add to this any additional budget to pay for third-party cover when the DPO is on leave, off sick or otherwise indisposed. The sum total can be a significant expense for resource-strapped schools. The thorny issue of cost is one of the primary reasons that educational establishments are increasingly outsourcing the DPO role for an affordable monthly cost.

Another key factor in the trend to outsourcing is finding candidates with the relevant educational experience. DPOs don’t technically require professional qualifications to undertake the role – the GDPR stipulates only that DPOs should have ‘expert knowledge’ of data protection law and practices, plus a good understanding of IT infrastructure and organisational models. However, to be an effective DPO for a school you’d need to add experience of the education sector into the mix. And that makes the recruiting challenge even harder.

All this means it’s crucial that a school DPO’s purpose is clearly understood by all levels of school management, including students, right from the outset. It’s important to avoid any perception of the DPO as a serial box-ticker who works outside of day-to-day educational operations.

DPOs help avoid fines

Probably the first and most obvious benefit of having a DPO onboard is that they will help prevent a school’s data protection processes and procedures from being found wanting by the regulator, resulting in a fine. The Information Commissioner’s Office (ICO) has taken a fairly lenient approach toward the education sector so far in terms of actual penalties. However, since 2018 the ICO has instigated a series of audits of selected Multi-Academy Trusts (MATs) and their education establishments.

The ICO’s findings suggest a significant proportion of schools are still on a learning curve when it comes to getting their heads (and their processes) around GDPR requirements. Audit reports made public by the ICO indicate that most schools did not achieve satisfactory levels of data protection practice. The regulator conducted GDPR compliance audits of hundreds of schools across 12 MATs and subsequently published detailed reports for 10 of them, covering some 347 academies, primary and secondary schools assessed against the criteria of Data Sharing, Governance & Accountability, Training & Awareness, and Requests for Personal Data Portability.

Although some of the ICO audit results likely embarrassed the MATs named, and potentially harmed their standing in the education market, the audits do highlight an additional benefit an effective DPO can bring: avoidance of reputational damage that can attract criticism from parents and educational authorities – and impair a school’s ability to attract quality teaching staff.

What are DPOs protecting against?

Over-reporting security incidents wastes school resources

The savvy DPO can also add value when it comes to advising when not to take action. For example, of 1,385 school data security incident referrals handled by the ICO in the year after the GDPR went live, just 208 (15%) resulted in orders for action to be taken. This was attributed to schools being overly anxious to make sure they were covered, but the figure also suggests a lack of awareness of the circumstances in which incidents must be reported.

“It does reflect a misunderstanding of what the GDPR actually means for schools,” said a consultant quoted in Schools Week. “It may be that the schools that are self-reporting just don’t understand what they’re doing.”

A DPO who knows their GDPR obligations thoroughly can save their school time and resources by knowing when a data compromise incident has to be reported – and when it does not.


Your local regulatory go-to person

The scope of data governance has widened markedly over the last two years, and the DPO’s workload grows further with the changes to data protection compliance brought about by the UK leaving the EU. The Government plans changes to the GDPR and Data Protection Act 2018 to retain EU GDPR provisions in UK law (until then, the EU Withdrawal Act retains the GDPR in UK regulation).

It’s unlikely that your typical DPO’s work-a-day focus will be just on the GDPR and the Data Protection Act. There are multiple other regulatory compliances schools have to meet, such as the Freedom of Information Act 2000 and the Privacy and Electronic Communications Regulations (PECR).

Schools must also increasingly ensure that third-party suppliers that process their data are themselves properly GDPR-compliant. This has become more critical under the GDPR as digital transformation enters the education sector and more schools rely on cloud service providers to host their applications and data. As these compliance requirements affect more aspects of day-to-day educational activities, the DPO becomes the regulatory go-to person for schools and trusts.

Understanding schools’ special data protection needs

Schools face added complexity due to the special provisions for the protection of data that pertains to children. Schools process and store large amounts of data that concerns personal information: students’ academic records, medical profiles, contact details, ethnicity, biometrics, still and video images, and so on. Schools also hold data on teaching and administrative staff, governor activity, external volunteer activity and suppliers.

Such data was already governed by the old Data Protection Act 1998. What changed in the new Data Protection Act 2018 (the UK’s implementation of the GDPR) were increased security provisions, enhanced rights for individuals, and a requirement for schools to document why and how they process personal data.

For example, children have the right to request a copy of their personal data under the GDPR-empowered Data Protection Act 2018, and have the right to request that a school no longer processes their data. The GDPR explicitly requires that children’s data is protected and, additionally, it stipulates that privacy notices must be articulated in ways that are clear and accessible to a child or worded specially for them.

In summary

Hiring a DPO is not quite comparable with the appointment of other data-management related roles within an organisation, such as a Chief Data Officer (CDO) or Chief Information Officer (CIO). To start with, the articles of the GDPR say that DPOs are not supposed to fit into conventional managerial hierarchies.

Although they’ll work closely with the IT and legal functions, they’re not seconded to those functions – they must report directly to senior management, or the board of governors in the case of schools. This is to ensure a DPO is free to work without any conflicts of interest. The significant cost and challenge of recruiting a data protection expert with education sector experience are the primary drivers for schools outsourcing this role, as it delivers a better service at a manageable cost.

  • To ensure the school’s state of compliance does not attract penalties
  • To reduce unnecessary incident reporting
  • To protect a school’s public reputation through improved data protection standards
  • To support the school’s IT security team in the face of ever-more cyber attacks
  • To meet colleagues’ need for a local source of regulatory information and insight

We chose Bulletproof as our school DPO as they had impressive knowledge of the data privacy requirements within our industry. Our consultant is always on-hand to assist with reviewing and updating our internal procedures, as well as providing quick responses to our data protection queries. Bulletproof is professional and friendly - a great extension to our team.

Bryon White, Head of Legal Services, London School of Science and Technology