GDPR for Schools: Pupil Records, SEN Data and EdTech Compliance
How schools and academies can comply with GDPR when handling pupil records, SEN data, Ofsted inspections, CCTV, EdTech platforms, and parental consent obligations.
Schools handle more personal data than almost any other organisation of their size. Pupil records, medical information, safeguarding files, CCTV footage, biometric meal payment systems, cloud-based learning platforms — the data flows are extensive, often sensitive, and subject to some of the strictest obligations under UK GDPR.
This guide covers the key GDPR obligations for UK state schools, academies, and independent schools, with practical guidance on the most common compliance challenges.
Pupil Records as Personal Data
Every document a school holds about a pupil is personal data under UK GDPR. This includes:
- Admission forms and registration data
- Attendance records
- Academic progress reports and assessment results
- Behaviour and exclusion records
- Correspondence with parents and carers
- Medical and health information
- Photographs and CCTV footage
- Financial data (free school meals eligibility, payment records)
- Communication records (emails, letters, phone call logs)
Schools act as a data controller for all of this data. That means the school — not the local authority, not the MAT, not the DfE — is responsible for ensuring this data is processed lawfully, fairly, and transparently.
Special Educational Needs (SEN) Data as Special Category Data
SEN data is special category data under Article 9 of UK GDPR. This applies to:
- Education, Health and Care (EHC) plans
- SEND registers
- SEMH (social, emotional and mental health) assessments
- Occupational therapy, speech therapy and clinical reports
- Correspondence with specialist services and NHS
Processing special category data requires a stricter legal basis than processing ordinary personal data. For schools, the most relevant Article 9 conditions are:
- Substantial public interest (Schedule 1 of the Data Protection Act 2018): applicable to special educational needs provision, safeguarding, and statutory assessment processes
- Vital interests: rarely applicable, reserved for emergencies where consent cannot be obtained
- Explicit consent: possible, but schools should not rely on consent for processing required to fulfil their statutory duties
Schools must document their legal basis for processing SEN data in their Record of Processing Activities (RoPA). An EHC needs assessment, for example, would typically rely on substantial public interest, not consent.
Parental Consent vs Pupil Consent: The Age 13 Rule
The age at which a young person can give their own valid consent under UK GDPR is 13. Below this age, a parent or carer must give consent on the child's behalf.
What this means in practice:
- For pupils under 13, consent requests (for things like school photographs, online platforms, or optional data collection) must be directed to parents/carers
- For pupils aged 13 and over, schools should consider whether the young person is capable of giving their own valid consent, particularly for sensitive matters
- Consent must be freely given — a pupil or parent should not face disadvantage for withholding consent for optional processing
Where schools get this wrong: Treating consent as a blanket mechanism for all processing. For statutory functions (attendance registers, educational records, safeguarding referrals), schools do not need consent — they have a legal obligation or substantial public interest basis. Using consent forms for statutory processing creates problems because consent can be withdrawn.
Sharing Data with Local Authorities and Ofsted
Schools share data with external bodies regularly. The key principle: sharing must have a lawful basis.
Local Authority (LA) data sharing is typically covered by statutory duties. Schools share data with their LA for:
- Education, Health and Care (EHC) plan processes
- SEND assessment and reviews
- Exclusions and alternative provision
- Child in Need and Child Protection processes
- Joint working between education, health and social care
Ofsted inspections present a specific scenario. During an inspection, Ofsted inspectors may request access to pupil records, safeguarding files, and staff data. Schools should note:
- Ofsted has legal powers under the Education Act 2005 and related legislation to request information
- Sharing with Ofsted inspectors is covered by these statutory powers — you do not need separate consent
- Schools should ensure any information shared is proportionate to the inspection purpose
- Safeguarding files shown to inspectors should not be copied or retained by Ofsted without explicit authorisation
Data sharing with third parties (educational psychologists, CAMHS, speech and language therapists, etc.) should be covered by a signed Data Processing Agreement or data sharing agreement, and should be disclosed in the school's privacy notice.
CCTV in Schools: ICO Guidance
CCTV in schools is subject to the same UK GDPR obligations as any other CCTV system, plus additional considerations around the processing of children's data.
Key requirements:
- Schools must have a clear lawful basis for CCTV. For most state schools this is substantial public interest (specifically, the safeguarding of children and staff, and the prevention of crime). Some schools use legitimate interests, but this requires a Legitimate Interests Assessment
- CCTV use must be proportionate. Cameras should not be placed in changing rooms, toilets, or prayer rooms
- CCTV footage is special category data if it captures a pupil in circumstances that reveal health conditions, religious beliefs, or other sensitive characteristics
- Retention periods must be defined. The ICO recommends 31 days for most educational settings, unless footage is retained as evidence
- A CCTV policy must be in place, and the existence of CCTV must be disclosed in the school's privacy notice
- Subject access requests for CCTV footage must be handled within one month. If footage captures other identifiable individuals, those individuals' faces must be redacted before release
Schools using biometric data (fingerprint-based meal payment systems, for example) face additional obligations under the Protection of Freedoms Act 2012, which requires explicit written consent from parents/carers and the option for an alternative system.
School Trip Photography and Parental Consent
Photographs and videos of pupils on school trips and during school activities are personal data. They can be special category data if they reveal protected characteristics such as disability or religion.
Best practice:
- Collect explicit parental consent before using pupil photographs in school publications, websites, social media, or promotional materials
- Use a separate consent form for media use (distinct from general school consent forms)
- Never publish photographs with full names that could identify a child's location
- Retain consent records alongside the images
- Allow parents to withdraw consent for future use at any time
Where a third-party photographer is contracted (for school photos, prom photographs, sports events), a Data Processing Agreement must be in place. The photographer is a data processor acting on the school's behalf.
Exclusion Records and Safeguarding Files
Exclusion records are subject to specific retention requirements. Under DfE guidance, exclusion records should be retained for the duration of the pupil's time at school and typically for a period after they leave. These records may be requested by future schools as part of the Common Transfer File.
Safeguarding files are among the most sensitive records a school holds. They should:
- Be stored separately from the main pupil file
- Have restricted access (typically limited to the DSL and relevant senior leadership)
- Be retained for longer periods than general pupil records — typically until the pupil turns 25, or longer where there are specific concerns
- Be transferred to the receiving school, via secure means, when a pupil moves on
The transfer of safeguarding files to other schools and local authorities is covered by statutory guidance (Keeping Children Safe in Education). Schools should document the legal basis (substantial public interest in safeguarding) and maintain transfer records.
Free School Meals Eligibility Data
Free school meals (FSM) eligibility data is sensitive. It reveals information about a family's financial circumstances and, where means-tested, may be connected to benefits entitlement — data that can expose families to stigma.
Schools must:
- Process FSM eligibility data on a lawful basis — substantial public interest in administering statutory entitlement
- Minimise disclosure within school. Staff who need to know should have access; FSM status should not be visible to other pupils or parents
- Ensure any EdTech platforms (cashless catering systems, for example) process FSM data under a signed DPA and do not use it for any other purpose
Universal Infant Free School Meals (UIFSM) data is different — entitlement is automatic rather than means-tested — but must still be handled with appropriate security measures.
Teacher Data as Employee Data
Schools are employers, and teacher and support staff data is also personal data under UK GDPR. The lawful basis for most HR processing is:
- Performance of a contract: contracts of employment, payroll, DBS checking, occupational health referrals
- Legal obligation: Keeping Children Safe in Education, Teachers' Standards, Disclosure and Barring Service requirements, pension scheme administration
- Legitimate interests: workforce planning, internal communications, school improvement data
Schools must provide staff with a staff privacy notice explaining what data is held, the lawful basis, retention periods, and their data subject rights. This is separate from the pupil and parent privacy notice.
Sensitive staff data — including DBS disclosure information, health conditions, and disciplinary records — is special category data and must be processed accordingly. DBS certificates should never be photocopied or retained beyond the permitted period.
DfE Statutory Returns and Data
Schools submit significant personal data to the Department for Education through statutory data returns, including:
- School Census: termly collection covering pupil characteristics, attendance, SEN, exclusions, free school meals, and staff data
- National Pupil Database (NPD): DfE compiles census data into the NPD, which is used for research, policy, and statistical purposes
- Teacher workforce census: staff qualification, employment and salary data
The DfE has its own privacy notices covering how it uses NPD data. Schools should reference the DfE's privacy notice in their own privacy notices, so parents and pupils understand that their data is shared with central government.
Data Breaches in Educational Settings
Schools experience data breaches more frequently than many organisations — often through accidental disclosure rather than cyberattack. Common examples:
- An email sent to the wrong parent containing another child's data
- A pupil report posted to an incorrect address
- A USB drive containing pupil data left on a train
- Accidental exposure of SEN data to other parents at a meeting
- A ransomware attack on school systems
What to do after a breach:
- Contain the breach (recover data if possible, stop the processing causing the breach)
- Assess the risk to affected individuals — is there a risk to their rights and freedoms?
- If there is a high risk to individuals, notify the ICO within 72 hours
- If affected individuals are at risk, notify them promptly
- Document the breach in your breach register, regardless of whether you notify the ICO
Schools that experience a breach involving safeguarding files or SEN data should treat this as high priority and seek specialist advice. Custodia's automated scanning can help schools identify whether their website is inadvertently exposing pupil-related data through misconfigured third-party tools — run a free scan at https://app.custodia-privacy.com/scan.
Subject Access Requests from Parents and Pupils
Both parents and pupils have rights under UK GDPR to request access to their personal data (or the data held about their child).
Parent SARs can request data about:
- Their child's education records (this right is also governed by the Education (Pupil Information) (England) Regulations 2005)
- Any other personal data the school holds about the parent themselves
Pupil SARs — pupils of sufficient maturity (generally accepted as Gillick competence in educational settings) can make their own subject access requests.
Key rules:
- Respond within one month (extendable by two months for complex requests)
- Provide the data free of charge (unless the request is manifestly unfounded or excessive)
- Redact any third-party personal data before disclosure (e.g., other pupils mentioned in reports)
- Do not assume a parent is entitled to all data about their child — separated parents, for example, may have restricted court orders
EdTech Platforms and Data Processing Agreements
Modern schools use numerous EdTech platforms. Each one that processes pupil or staff personal data on the school's behalf is a data processor and must have a Data Processing Agreement (DPA) in place.
Common platforms and DPA status:
- Google Workspace for Education: Google provides a DPA (available in the Admin Console). Schools should configure data processing to the minimum necessary region (European data processing where available). Google's NPE agreement for education restricts advertising use of pupil data
- Microsoft 365 Education: Microsoft provides a DPA and has specific education data protection commitments. Schools should review the Microsoft Products and Services DPA
- Arbor: Arbor MIS provides a DPA and is UK-based. Schools using Arbor should check their DPA covers all modules in use
- SIMS (by Capita): SIMS provides a DPA. Following Capita's 2023 data breach, schools using Capita-hosted services should review their incident response protocols
Other platforms commonly used without adequate DPAs include online assessment tools, video calling platforms, digital learning tools, and communication apps. Schools should maintain a data processing register documenting every processor, the data shared, the DPA reference, and the review date.
The ICO's guidance on data sharing agreements provides a template that schools can adapt for smaller processors who do not have standard DPAs.
Retention Schedule for Pupil Records
The DfE does not mandate a single retention schedule, but the Information and Records Management Society (IRMS) publishes guidance for schools that is widely referenced by the ICO.
Key retention periods from the IRMS toolkit:
| Record Type | Retention Period |
|---|---|
| Admissions register | 6 years after last entry |
| Attendance register | 3 years after last entry |
| Pupil report (academic) | Duration of education + 1 year |
| SEN files and EHC plans | Age of majority (18) + 6 years = 25 minimum |
| Safeguarding files | Age 25, or longer where abuse/significant risk involved |
| Exclusion records | Duration at school + 6 years |
| General pupil record | Age of majority (18) + 7 years = 25 minimum |
| Staff employment records | Termination of employment + 6 years |
| DBS check records | 6 months after decision made |
| Accident and injury records | Date of incident + 3 years (or 21st birthday for minors) |
Schools should maintain a formal retention schedule as a policy document, review it annually, and ensure deletion processes are actually implemented (not just documented).
Practical Compliance Checklist for Schools
Use this checklist to assess your school's current GDPR position:
Governance
- [ ] Data Protection Officer (DPO) appointed (required for schools as public authorities)
- [ ] Record of Processing Activities (RoPA) maintained and current
- [ ] Data protection policies reviewed in last 12 months
- [ ] Staff trained on data protection annually
Privacy Notices
- [ ] Pupil and parent privacy notice published and accessible
- [ ] Staff privacy notice provided to all employees
- [ ] Privacy notices updated to reference all current processors and statutory bodies
Lawful Basis
- [ ] Legal basis documented for each processing activity
- [ ] Special category data processing conditions documented (Article 9 and Schedule 1 DPA 2018)
- [ ] Consent forms used only where consent is the appropriate basis
Data Sharing
- [ ] DPA in place with every data processor (Google, Microsoft, Arbor, SIMS, etc.)
- [ ] Data sharing agreements with local authority and NHS where applicable
- [ ] Transfer records maintained for safeguarding file transfers
Security
- [ ] CCTV policy in place with defined retention periods
- [ ] Biometric consent obtained in writing where biometric systems are used
- [ ] Data breach register maintained
- [ ] Breach notification process documented (ICO within 72 hours for high-risk breaches)
Subject Rights
- [ ] Process in place to handle SARs within one month
- [ ] Retention schedule adopted and enforced
- [ ] Deletion process implemented (not just documented)
Online Compliance
- [ ] School website privacy notice covers all processing activities
- [ ] Cookie consent banner implemented if non-essential cookies are used
- [ ] Third-party tools on school website reviewed for GDPR compliance
Schools increasingly use their websites not just to communicate with parents but to collect data through contact forms, newsletter sign-ups, and learning portal integrations. A free scan at app.custodia-privacy.com/scan will show you exactly which trackers and third-party tools are loading on your school website — and whether they are operating with the correct consent mechanisms. The scan takes 60 seconds and requires no sign-up.
For schools and Multi-Academy Trusts that need ongoing compliance monitoring, automated privacy policy generation, and DSAR management tools, Custodia provides the infrastructure to manage compliance at scale without a dedicated legal team.
This guide is intended for informational purposes and does not constitute legal advice. Schools with complex data protection questions, ICO investigations, or high-risk processing activities should seek specialist DPO support or legal advice.