Data Protection in Schools

The Data Protection Act is designed to protect the privacy of individuals. It requires any personal information about an

individual to be processed securely and confidentially. In a school setting, this includes information relating to both staff

and pupils. If you must obtain, store, share, or use their personal data, it’s crucial that you so so securely, as personal data

is sensitive and private. Everyone, adults and children alike, has the right to know how the information held about them is

used and to feel confident that your school is protecting it.

Personal information is anything relating to a person that identifies them. This includes both physical records and digital records.

In a school, examples of personal information include:

• Names of staff and pupils.
• Dates of birth.
• Photographs of staff and pupils that are clearly linked to their identity or other personal information about them.
• Addresses.
• National insurance numbers.
• Financial information, such as bank details and tax status.
• Recruitment data.
• Attendance and behavioural information.
• Safeguarding information, including SEN assessments and data.
• School work and marks.
• Medical information, such as medical conditions and GP names.
• Exam results.
• Staff development reviews.

Under the Data Protection Act, all data controllers must notify the Information Commissioner’s Office (ICO) about how they process personal information. Each individual school is a data controller and so must register with the ICO. Failure to do so is a criminal offence.