The Education Network for Waltham Forest
Supported by Waltham Forest

Data Protection

Guidance for Schools & Colleges

Schools must produce a data protection policy, which should be reviewed at least every two years. Data protection aims to protect people’s personal information from misuse by placing controls on organisations and people who handle personal information. The principal piece of legislation is the Data Protection Act 1998 (DPA). Schools are classed as 'Data Controllers' under the DPA.

Schools must comply with the DPA in respect of all the personal information that it holds about individuals whether they are an employee, pupil, parent or member of the public.

The DPA places a number of obligations on schools when they process personal data.

For example, schools must notify the Information Commissioner’s Office (ICO) about the information it holds and the purpose for holding such information and it must also comply with 8 data protection principles.

Personal data must be:

  • Fairly and lawfully processed
  • Processed for limited purposes
  • Adequate, relevant and not excessive
  • Accurate
  • Not kept for longer than is necessary
  • Processed in line with your rights
  • Secure
  • Not transferred to countries without adequate protection

The ICO has produced comprehensive guidance for the education sector.

Cloud software services and the Data Protection Act

The Department for Education (DfE) has produced advice for all schools on how they need to consider data security when moving services and sensitive information to internet-based facilities of cloud computing ('the cloud').

Was this page useful?

Last updated: 
Thursday, 17 September, 2015
Last updated: 17 September 2015 by Admin Admin