Schools and colleges across the UK handle a significant amount of personal data - from student records and safeguarding information to staff employment details and parental contact data.

Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, education providers have a legal responsibility to protect this information and ensure it is collected, used, stored and shared in a lawful and secure manner.

Understanding your obligations is essential to maintaining trust and ensuring the safety and privacy of your school community.

To support our members, this page shares some of the key data protection responsibilities and considerations, and signposts schools and colleges to important information from the Information Commissioner’s Office (ICO).

The ICO is the statutory independent regulator for data protection and information rights in the UK. As well as enforcing the law in these areas, it has a duty to issue advice and guidance to stakeholders.

The ICO has a wealth of information for anyone working in an educational setting, covering topics such as responding to data requests, managing data breaches and ensuring safe online practices.

The Union has also published its own guidance on topics related to data protection and privacy.

General guidance and support

ICO

Schools, Universities and Colleges
Guide to Data Security

National Cyber Security Centre

Cyber Security for schools

Specific issues for consideration

ICO

Advice for Schools on the FOIA and Responding to Requests for Information
Information and Advice on Students Carrying out Cyber Attacks in Schools

NASUWT

UK GDPR and AI
Live Streaming, Data Protection and Privacy