DEV Community

Custodia-Admin
Custodia-Admin

Posted on • Originally published at app.custodia-privacy.com

GDPR for Schools and Educational Institutions: Pupil Data, Parental Rights, and Staff Records

#gdpr #privacy #education #compliance

Schools are data-intensive environments. Every day, a typical school processes pupil attendance records, special educational needs (SEN) assessments, medical information, safeguarding files, behavioural incident reports, parental contact details, CCTV footage, exam results, religious education data, ethnicity statistics for national census returns, and dozens of other data categories — many of which are classified as special category data under UK GDPR.

Despite this, many schools treat data protection as an administrative afterthought rather than a core governance responsibility. That is increasingly dangerous. The Information Commissioner's Office (ICO) has made clear that schools are not exempt from enforcement, and the sensitivity of the data they hold — particularly children's data — places them under heightened scrutiny.

This guide covers the full UK GDPR picture for schools: what data schools hold and why it matters, the special category data issue, lawful bases, the complex rules around parental versus children's rights, safeguarding record retention, CCTV, third-party data processors, and what school governors need to know.

What Data Do Schools Typically Hold?

Before addressing compliance, it is worth cataloguing the data a typical school holds, because the breadth is easily underestimated:

Pupil data:

  • Admissions records (name, date of birth, address, previous school)
  • Attendance registers
  • Academic records, assessments, and exam results
  • Special educational needs (SEN) records and Education, Health and Care (EHC) plans
  • Safeguarding and child protection records
  • Behavioural and exclusion records
  • Medical information (allergies, medication, conditions)
  • Free school meals eligibility
  • Ethnicity, religion, and first language (for DfE census returns)
  • Photographs and video (trips, performances, CCTV)
  • Online activity on school devices and networks
  • Library records

Parent and family data:

  • Contact details (address, phone, email)
  • Parental responsibility documentation
  • Court orders (e.g., residence orders, contact restrictions)
  • Financial information (for school meals, trips, payments)
  • Communication records

Staff data:

  • Recruitment applications and interview notes
  • Employment contracts and payroll records
  • Performance appraisals and disciplinary records
  • DBS (Disclosure and Barring Service) check records
  • Training records
  • Sickness and absence records
  • References

Each of these categories carries its own retention requirements, lawful basis considerations, and access rights — making a school's data protection obligations genuinely complex.

Special Category Data: The Schools Problem

UK GDPR Article 9 identifies special categories of personal data that require a higher level of protection and a specific condition for processing beyond a standard lawful basis. Schools routinely process several of these categories:

Health data — medical conditions, allergies, medication, physical and mental health assessments, NHS information shared for safeguarding purposes, records from the school nurse.

SEN data — special educational needs information frequently reveals or implies health conditions, learning disabilities, neurodevelopmental conditions (autism, ADHD), and mental health difficulties. EHC plans are effectively health records.

Racial and ethnic origin — collected for DfE census returns (the School Census) and for equality monitoring.

Religious or philosophical beliefs — inherent in the curriculum at faith schools, disclosed through RE attendance, and collected for food and assembly preferences.

Biometric data — some schools use fingerprint or iris recognition for cashless catering systems or library access. These systems require explicit consent and must be turned off if a parent or pupil objects (under the Protection of Freedoms Act 2012, which adds additional requirements on top of UK GDPR).

Processing special category data requires a lawful basis under Article 6 plus a condition under Article 9. For schools, the most commonly applicable Article 9 conditions are:

  • Article 9(2)(b) — processing necessary for employment, social security, or social protection law obligations (covers staff health data and some pupil welfare data)
  • Article 9(2)(c) — vital interests (emergency medical situations)
  • Article 9(2)(g) — substantial public interest (covers much of schools' statutory data processing, implemented in the UK via Schedule 1 DPA 2018)
  • Article 9(2)(h) — medical purposes by health professionals (applies to school nurses and visiting health staff)
  • Article 9(2)(a) — explicit consent (last resort, not the primary basis for most school data processing)

Schools need to document which Article 9 condition they are relying on for each category of special category data they process. This is commonly missing from school privacy notices and Records of Processing Activities (RoPA).

Lawful Bases for School Data Processing

UK GDPR requires a lawful basis for every processing activity. Schools operate across a mixture of bases, but legal obligation is the dominant one — and schools are unusual in how much of their data processing is directly mandated by statute.

Legal Obligation (Article 6(1)(c))

Schools have extensive statutory obligations that require data processing:

  • DfE School Census — schools must submit pupil-level data to the Department for Education, including ethnicity, SEN status, free school meals eligibility, attendance, and exclusions
  • Attendance registers — legally required under the Education Act 1996
  • Child protection records — maintained under the Children Act 1989 and statutory guidance (Working Together to Safeguard Children)
  • EHC plans — required under the Children and Families Act 2014
  • Ofsted inspections — schools must share data with Ofsted under statutory inspection powers
  • Exam board submissions — pupil data submitted to awarding bodies for examinations
  • Local authority returns — various statutory returns to the local authority

Where a legal obligation exists, schools do not need consent — and indeed should not ask for consent for legally required processing, as consent implies the person has a genuine choice.

Public Task (Article 6(1)(e))

Maintained schools and academies exercising their statutory functions can rely on public task for processing that is necessary for those functions but not directly mandated by a specific law. This covers much of a school's core educational activity — teaching, assessment, pastoral care, school trips.

Independent schools can also rely on public task where they exercise functions of a public nature, though this is more restricted than for state schools.

Legitimate Interest (Article 6(1)(f))

Legitimate interest is available to independent schools and can be used by all schools for processing that is not covered by legal obligation or public task. It requires a three-part test: the legitimate interest must be identified, the processing must be necessary, and the school's interests must not override the individual's rights and freedoms. The ICO provides a Legitimate Interests Assessment (LIA) template.

Consent (Article 6(1)(a))

Consent is appropriate for discretionary processing — things the school does that are not required by law and not part of its core educational function. Examples include:

  • Publishing photographs of pupils on the school website or social media
  • Including pupils in promotional videos or marketing materials
  • Sending non-statutory newsletters or marketing to parents
  • Using pupil data for educational research beyond statutory requirements

Consent from pupils aged 13 and over can be given by the pupil themselves for digital services (the UK's digital age of consent under the Children's Code). For younger children, parental consent is required. However — and this is crucial — consent is not valid for processing that the school would do regardless. Consent must be freely given, and if the processing is effectively non-negotiable, it is not freely given.

Parental Rights vs. Children's Rights: Gillick Competence

This is one of the most nuanced areas of schools' GDPR obligations, and one where many schools get it wrong.

The Default Position

Parents with parental responsibility are generally entitled to exercise data rights on behalf of their children. A parent can submit a Subject Access Request (SAR) to see their child's school record. A parent can request correction of inaccurate data. This reflects the reality that young children cannot meaningfully exercise data rights themselves.

However, this is not an absolute rule.

Gillick Competence and Data Rights

The concept of Gillick competence (from the 1985 House of Lords case Gillick v West Norfolk and Wisbech Area Health Authority) establishes that a child who has sufficient understanding and intelligence to comprehend what is being proposed can make their own decisions — without requiring parental consent.

In the data protection context, this means that a sufficiently mature child can exercise their own data rights independently of their parents. A 16-year-old who understands the implications of a subject access request can submit one themselves. A 15-year-old who objects to the school sharing their medical information with their parent may have the right to have that objection respected.

The ICO's guidance acknowledges this: it is not a fixed age threshold but a case-by-case assessment of the child's maturity and understanding. In practice, schools should:

  • Not automatically defer to parents over the objections of older, clearly competent pupils
  • Not share information with a parent that a Gillick-competent child has a reasonable expectation of keeping private (this most commonly arises with mental health records, sexual health information accessed via school nurses, or disclosures made in confidence)
  • Document their assessment of competence when it is relevant to a data access decision

Where Parental Rights Are Restricted

There are circumstances where a school should not fulfil a parental SAR even for a younger child:

  • Where sharing the information with the parent would put the child at risk of harm (safeguarding concern)
  • Where a court order restricts the parent's access to the child's information
  • Where the information was provided in confidence by the child and the child objects to disclosure

Schools should have a clear policy on how they handle conflicting parental and pupil data rights.

Separated Parents

Where parents are separated, schools must be careful. Both parents with parental responsibility generally have equal rights to their child's school record, unless a court order specifies otherwise. Schools should maintain records of parental responsibility arrangements and any court orders, and apply them consistently.

Safeguarding Records: The Deletion Problem

One of the most common GDPR misunderstandings in schools involves safeguarding records. A parent submits a SAR or a right to erasure request ("right to be forgotten") — and demands deletion of a safeguarding file.

Schools cannot simply comply.

Safeguarding records must be retained for specific periods regardless of individual requests, because:

  • The Children Act 1989 and statutory guidance under Working Together to Safeguard Children require schools to maintain safeguarding records
  • Safeguarding records may be needed for legal proceedings years after the fact
  • Early safeguarding records can be critical if a child is the subject of later abuse — the historical pattern of concern is often essential evidence
  • Destruction of safeguarding records could constitute obstruction of justice in some circumstances

The ICO's guidance is clear: the right to erasure is not absolute. Article 17(3) UK GDPR provides that the right to erasure does not apply where processing is necessary for compliance with a legal obligation or for the establishment, exercise, or defence of legal claims.

Recommended retention for safeguarding records:

  • Until the child's 25th birthday (or 26th if the child was 17 when the incident was recorded, to ensure 8 years of adult retention)
  • Some guidance recommends retention until the child's 75th birthday for the most serious cases

Schools should have a documented Retention and Disposal Schedule that covers safeguarding records specifically, and train staff on why deletion requests cannot simply be actioned.

CCTV on School Premises

CCTV is common in schools — on perimeter fencing, in corridors, in car parks, and occasionally in specialist areas like science labs or dining halls. The ICO has issued specific guidance on CCTV in schools.

Lawful Basis for School CCTV

Schools generally rely on legitimate interest (for independent schools) or public task (for state schools) as the lawful basis for CCTV. The processing is necessary for school security, safeguarding, and the prevention of crime. A Data Protection Impact Assessment (DPIA) is required for CCTV systems given the systematic monitoring of children.

Key Requirements

  • Signage — people must be informed they are being recorded. CCTV signs must be clear, visible, and include the school's name and contact details for data queries.
  • Footage retention — the ICO recommends retaining footage for no longer than 31 days in most circumstances, unless it has been flagged for a specific purpose (incident investigation, police request)
  • Access controls — footage should only be accessible to named individuals with a legitimate need
  • No cameras in sensitive areas — toilets, changing rooms, prayer rooms, and similar spaces must never be monitored
  • Cameras in classrooms — the ICO advises extreme caution. Classroom CCTV is highly privacy-intrusive and is very difficult to justify under the legitimate interest test. It is likely to chill the educational environment and is generally not recommended
  • Body-worn cameras — some schools have introduced body-worn cameras for staff in challenging environments. These carry the same GDPR requirements as fixed CCTV, with additional considerations around staff dignity

Footage of children is likely to constitute special category data if it reveals health information, ethnic origin, or other protected characteristics — so the special category data conditions apply in addition to the standard lawful basis.

Sharing CCTV Footage

Schools frequently receive requests from police to share CCTV footage. This can be done under Article 6(1)(e) or 6(1)(c) (where there is a legal obligation to assist law enforcement) or Article 6(1)(d) (vital interests in emergency situations). Schools should not simply hand over footage without verifying the request is legitimate, and should document every disclosure.

Sharing Data with Third Parties: Ofsted, Local Authorities, Exam Boards

Schools share data with multiple external bodies, many of which are statutory. Understanding the basis for each disclosure is essential.

Ofsted

Ofsted inspectors have statutory powers to access information held by schools under the Education and Inspections Act 2006. Schools are legally required to share data with Ofsted during inspections. The lawful basis is legal obligation. Schools do not need to obtain consent for this sharing, and should not tell parents that data will only be shared with Ofsted if they consent.

Local Authorities

Local authorities have various statutory functions that require schools to share data: safeguarding referrals to children's social care, exclusions, attendance enforcement, SEN casework, and DfE returns passed via the local authority. The lawful basis is typically legal obligation or public task.

Schools that are academies or free schools may have a more limited relationship with the local authority but still have obligations to share specific data (particularly around looked-after children and SEN).

Exam Boards (Awarding Organisations)

Submitting pupil data to awarding organisations for examinations is a statutory requirement. The lawful basis is legal obligation. Schools should have a Data Processing Agreement (DPA) in place with each awarding organisation.

The Department for Education (DfE)

The DfE collects extensive pupil-level data through the School Census and other national data collections. This is a statutory requirement. The DfE acts as a data controller in its own right for national data it holds, not simply as a processor for schools. The DfE shares data with other government departments, researchers, and approved third parties — information about these flows is available on the DfE's data protection page.

Multi-Agency Safeguarding Hubs (MASH) and Children's Social Care

When safeguarding concerns arise, schools share information with multi-agency safeguarding teams, social workers, and police. The lawful basis is typically legal obligation and/or vital interests (for urgent disclosures). The principle that data protection law does not prevent safeguarding information-sharing is well-established — the ICO has stated explicitly that GDPR does not create a barrier to sharing information to safeguard children.

School Management Software: Data Processing Agreements

Schools use management information systems (MIS) like SIMS (by Capita), Arbor, Bromcom, RM Integris, and iSAMS to manage pupil records, attendance, SEN data, and assessments. These systems hold some of the most sensitive data in the school and are cloud-hosted, meaning the software provider processes school data on the school's behalf.

Under UK GDPR Article 28, schools must have a Data Processing Agreement (DPA) in place with each provider before sharing personal data. A DPA must include:

  • A description of the data being processed and the purposes
  • The processor's obligations (technical and organisational security measures, confidentiality, not processing beyond instructions)
  • Obligations around sub-processors
  • Assistance with data subject rights requests
  • Deletion or return of data on contract termination

Most established MIS providers provide standard DPA terms. Schools should review these terms rather than simply signing without reading. Key questions:

  • Where is data stored? (UK/EEA is safest; transfers outside the UK require transfer mechanism documentation)
  • What sub-processors does the provider use?
  • How quickly will the provider notify the school of a data breach?
  • What happens to the data when the school switches provider?

Schools should maintain a register of all data processors and the DPAs in place with each.

Staff Data: The Same Rules Apply

It is sometimes assumed that GDPR applies primarily to pupil data. It applies equally to staff data — and schools are employers, with all the obligations that come with that.

Staff data that schools hold includes:

  • Recruitment data (applications, interview notes, references)
  • Employment contracts and payroll data
  • Performance management records
  • Disciplinary and grievance records
  • Sickness absence and occupational health records
  • DBS check records and teacher prohibition check records
  • Training and qualifications records
  • CCTV footage in which staff appear

Key points for staff data:

DBS records — schools must not retain copies of DBS certificates beyond the period of necessity (typically 6 months after the decision about recruitment, unless a specific reason exists to retain longer). Schools should maintain only a record of the DBS check date and level, the result (satisfactory/unsatisfactory), and the disclosure certificate number.

Sickness records — these are health data and special category data. Schools need an Article 9 condition for processing (typically Article 9(2)(b) — employment obligations). Sickness records should be retained for the minimum period necessary and access restricted to HR staff with a legitimate need.

Performance and disciplinary records — these should be retained in accordance with the school's Retention and Disposal Schedule. Live warnings should be retained for the specified warning period; records of serious misconduct that led to dismissal may be retained longer if needed for reference purposes or potential legal claims.

Staff monitoring — monitoring of staff activity on school devices or networks must be proportionate, transparent (staff must be informed), and justified. Covert monitoring of staff is almost never permissible under UK GDPR and Employment Practices guidance.

A Governor's GDPR Overview

School governors (and trustees in the case of academies) have a governance responsibility for data protection. They are not the data controller — the school (or the academy trust) is the data controller — but governors have oversight duties.

Key Governor Responsibilities

Data Protection Officer (DPO) — schools processing the personal data of children are likely to be engaged in large-scale processing of sensitive data, and most schools will be required to appoint a DPO under UK GDPR Article 37. The DPO must have expert knowledge of data protection law, must be independent, and cannot be given instructions about how to exercise their DPO role. Many schools share a DPO with their local authority or use a contracted DPO service.

Oversight without micromanaging — governors should receive regular reports from the DPO or the Senior Information Risk Owner (SIRO) about the school's data protection posture, but should not directly manage day-to-day compliance. Governance means scrutiny and accountability, not operational control.

Approving key policies — the governing body should formally approve:

  • The school's Data Protection Policy
  • The Records Management and Retention Policy
  • The CCTV Policy
  • The Online Safety Policy (which intersects with data protection)
  • The Subject Access Request procedure

Data breach oversight — governors should be informed of significant data breaches (those reported to the ICO or those involving children's data). The governing body should review the school's response and any lessons learned.

DPIA governance — for high-risk processing activities (new CCTV systems, new digital platforms for pupils, biometric systems), the governing body should be informed that a DPIA has been conducted and the outcome.

Annual review — the governing body should receive an annual data protection review that covers: any ICO investigations or complaints, DPO activity, staff training completion rates, and upcoming changes to processing activities.

Academy Trusts

In multi-academy trusts (MATs), the trust is the data controller, not the individual academies. The trust's Data Protection Officer covers all academies in the trust. Trustees bear the same governance responsibilities as governors but for the trust as a whole. Local governing bodies may have delegated responsibilities for oversight of individual academy data protection practices, which should be documented in the scheme of delegation.

Building a School Data Protection Programme

For schools starting from scratch or reviewing their existing programme, the following priorities apply:

1. Create or update your Records of Processing Activities (RoPA) — document every processing activity: what data, for what purpose, on what lawful basis, with what third parties, retained for how long. This is the foundation of everything else.

2. Review and update your privacy notices — you need a parent-facing privacy notice, a staff privacy notice, and (for secondary schools) a pupil-facing privacy notice appropriate to the age of your pupils. These must be accurate, readable, and specific.

3. Conduct a Retention and Disposal Schedule review — the DfE publishes retention guidance for schools. Make sure you are not retaining records beyond their specified period, and that safeguarding records are not being deleted prematurely.

4. Audit your third-party processors — list every platform and provider that processes personal data on the school's behalf, verify DPAs are in place, and check where data is stored.

5. Train your staff — data protection training should be mandatory and annual for all staff. Front-line teachers handle personal data every day. They need to understand what they can and cannot share, how to respond to a data request, and when to escalate.

6. Establish a data breach response procedure — when something goes wrong (and it will — even the best-run schools have breaches), you need a clear escalation path. A breach involving children's data has a 72-hour reporting window to the ICO if it meets the threshold for reporting.

7. Appoint a DPO if required — and give them the independence and resources to do the job.

Check Your School's Website for Data Compliance Issues

Your school website is a data collection point — contact forms, newsletter signups, embedded Google Maps, social media feeds, analytics scripts, and third-party services all process visitor data. Does your website have appropriate cookie consent? Is your privacy notice up to date? Are you inadvertently embedding third-party trackers?

Run a free automated scan at https://app.custodia-privacy.com/scan to see what your website is actually collecting and where your compliance gaps are. It takes 60 seconds and requires no signup.

Summary

Schools hold some of the most sensitive personal data of any organisation — children's safeguarding records, SEN assessments, medical information, and staff HR files. UK GDPR applies in full, with additional complexity from:

  • Special category data requirements (health, SEN, ethnicity, religion, biometrics)
  • The tension between parental rights and Gillick-competent children's own rights
  • Non-negotiable safeguarding record retention that overrides erasure requests
  • Statutory data sharing obligations with Ofsted, local authorities, and exam boards
  • CCTV obligations under the ICO's CCTV code of practice
  • Data processor agreements with school management software providers
  • Governance responsibilities for school governors and academy trustees

Getting this right is not optional. It is a statutory duty, and the data at stake is that of children.

Last updated: March 27, 2026. This post provides general information about UK GDPR and data protection for schools. It does not constitute legal advice. Requirements vary based on school type, local authority arrangements, and specific circumstances — consult a qualified data protection lawyer or your DPO for advice specific to your institution.

Top comments (0)