Skip Ribbon Commands
Skip to main content
Welcome | Login

Data Protection Act 1998

Page last updated: 15/03/2018

The Governing Body of the school has overall responsibility for ensuring that records are maintained, including security and access arrangements, in accordance with The Data Protection Act 1998, Education Regulations and all other statutory provisions.

All schools are required to have a Data Protection policy in place. Here is an example school data protection policy that schools can download

Data Protection Guidance

This guide from the Information Commissioner’s Office (ICO) explains the purpose and effect of each Data Protection Act Principle:  download a pdf version ​of the Guide​

A report has been written by the Information Commissioner’s Office, and gives practical advice on how to comply with the Data Protection Act.  Read the report detailing data protection advice for schools

As the UK’s independent authority set up to uphold information rights in the public interest, the Information Commissioner’s Office (ICO) has commissioned a set of teaching materials to give teachers an introduction to information rights and provide them with a series of lesson activities. The materials will raise some of the key issues with students, so that at a young age they can become aware of their information rights, understand the potential threats to their privacy, and know how to protect themselves.
Read Your rights to your information and our lesson plans.

Access the plans here.

All schools are responsible to ensure their notification is up-to-date. How to notify the Information Commissioner read here: Register (notify) under the Data Protection Act

Closed Circuit Television Cameras (CCTV)

The ICO have issued guidance to help organisations who use CCTV to comply with the Data Protection Act 1998 and to help them inspire public confidence that they are using CCTV responsibly:  A data protection code of practice for surveillance cameras and personal information.​

Fingerprinting in Schools

This is the ICO's advice on  The use of biometrics in schools  for purposes such as cashless catering and borrowing library books.

Further guidance is available from the Department for Education:  Parents given power of veto on schools’ use of biometrics

Taking photos in schools

A good practice note produced by the ICO about  taking photos in schools ; this is aimed at Local Education Authorities and people working in schools, colleges and universities. It explains what sort of photos are exempt from the Data Protection Act (for example if a grandparent wishes to video a school nativity play) and which photos are not exempt (including photos of students taken for security passes).​

Press and Publicity in Primary Schools

The purpose of this  guidance  is to offer headteachers and the governing body advice on this matter, although it is ultimately a local decision which should be made by headteachers in consultation with governing bodies and parents.​

Exam Results

Do your students want to find out more about their exam results? For example, examiners' comments, mark breakdowns or policies about marking and appeals. The Data Protection Act gives them the right to access some exam related material. To find out more, read the ICO's good practice note on  individuals' rights of access to examination records

This good practice note aims to explain to boards of governors, head teachers and school data protection officers how the Data Protection Act affects the  Publication of examination results  by school The Information Commissioner's Office regularly receives enquiries from schools about this. Publication can be done in a variety of ways, including posting lists of results on publicly accessible notice boards, or providing examination results to the media.​

Accessing pupils' information - Data Protection Act Subject Access Requests

The ICO has produced a  Code of Practice  for handling requests from pupils, parents and members of staff for access to the personal information your school is processing about themselves. This Code of Practice will help state primary and secondary schools, and Boards of Governors in understanding their data protection responsibilities regarding requests for personal information. All schools will need to adhere to this Code of Practice or have a suitable alternative in place.​

Data Protection and Staff

As an employer, you have responsibilities to ensure your employees' personal details are respected and properly protected.

The ICO’s  quick guide to the Employment Practices Code provides all the information you'll need to keep on the right side of the law and covers the following areas:

• What the Data Protection Act means to an employer
• Recruitment and selection
• Employment records
• Monitoring at work
• Information about workers' health
• What rights do workers have?

The ICO also publish the following guides which cover the code in detail and provide answers to all the main questions you’re likely to ask:
•  Employment Practices Code 
•  Employment Practices Code: Supplementary Guidance (PDF)​

Privacy Notice

The Department for Education has provided suggested text and guidance for issuing Privacy Notices and guidance for issuing  Privacy Notices  for privacy notices to be used by schools and local authorities in the associated resources of this page.

The Privacy Notices also refer the recipients to the Department for Education website to see how they will store and use the data. Explanations are provided on how the data collected in the School Census, Children in Need Census and the School Workforce Census will be used​.

Information Sharing

'Sharing Personal Information - Our approach'  Guidance from the Information Commissioner's Office.

The Department for Education have produced guidance for practitioners working with both children and adults available here:  Information sharing: Advice for practitioners providing safeguarding services to children, young people, parents and carers.​

Information Security

Schools should follow our  Model School Policy for ICT Acceptable Use Incorporating eSafety and Data Security

Bring your own device (BYOD) 
This guidance explores what you need to consider if permitting the use of personal devices to process personal data for which you are responsible.

Cloud computing 
Cloud computing offers the promise of a cost effective means to access a range of computing services. This guidance explains how the Data Protection Act applies to processing of personal data in cloud computing services.

IT disposal 
The ICO have produced guidance to help organisations securely dispose of their IT equipment. This guidance explains what you need to consider when disposing of electronic equipment that may contain personal data.

Personal information online 
The personal information online code of practice explains how the Data Protection Act applies to the collection and use of personal data online. It provides good practice advice for organisations that do business or provide services online.

Laptop thefts highlight the need for encryption - Information ... 
The ICO’s guidance is clear: all personal information – the loss of which is liable to cause individuals damage and distress - must be encrypted. This is one of the most basic security measures and is not expensive to put in place.

A practical guide to IT security: ideal for the small business 
Keeping your IT systems safe and secure can be a complex task and odes require time, resource and specialist knowledge. If you have personal data within your IT system you need to recognise that it may be at risk and take appropriate technical measures to secure it.​

Production of Guidance

This is the  guidance  from the ICO's office on basic information security and where to get more advice/information.​

Information Security Breaches

Guidance on Dealing with a Personal Data Loss - ICO 

Read more about how to respond to a security breach and our more detailed guidance on information security breach management. Security Breaches must be investigated and logged; remedial action should be taken where necessary. Guidance on   How to Report and Handle a Security Incident is available here​