The Academy Trust Handbook 2026 was published on 15 July 2026 and comes into effect on 1 October 2026. This year's edition strengthens the position on the DfE digital and technology standards and introduces new procurement requirements that have direct data protection implications, most notably around Management Information Systems (MIS).
A list of all the changes can be found here: Academy trust handbook 2026: effective from 1 October 2026
We wanted to highlight the changes and requirements that affect data protection, cyber security and third-party supplier due diligence:
Digital and Technology Standards
The wording in this section has been strengthened. Last year, trusts needed to "have an understanding of the extent to which they are meeting" the standards; this year the handbook says trusts should be working towards meeting them:
1.21. Trusts should be working towards meeting DfE's digital and technology standards and meeting the 6 core standards by 2030:
Importantly, the handbook now adds that DfE expects trusts to already be meeting the filtering and monitoring standards as set out in the statutory guidance Keeping children safe in education. Filtering and monitoring is no longer something to be working towards, it is treated as a current expectation, in line with KCSIE 2026.
Management Information Systems: a new requirement
A brand new "must" appears in the procurement section, and it is the change with the biggest data protection significance. Your MIS holds more pupil and family personal data than any other system in the trust, and the DfE is now mandating how those contracts are procured:
2.30. Trusts must ensure that all Management Information System (MIS) contracts are aligned with DfE's MIS framework by September 2027.
- where a contract expires before 1 September 2027, any contract extension or replacement must be for no more than 12 months, and act as a transitional arrangement ahead of framework procurement
- where a contract extends beyond 1 September 2027, trusts must not use extension options that delay transition
- trusts must use the DfE MIS framework when awarding their next full-term MIS contract
- if a trust cannot reasonably award a contract of 12 months or less, it may proceed only where the supplier agrees to DfE's latest MIS contractual principles, available in Get help buying for schools
Any MIS change is a significant data protection exercise: a Data Protection Impact Assessment (DPIA), due diligence on the new supplier, a data migration plan, and secure deletion of data from the outgoing system will all be needed. Trusts should start mapping their MIS contract end dates against the September 2027 deadline now. This requirement sits alongside the DfE's July 2026 EdTech procurement guidance and the ICO's EdTech findings, read our summaries here: DfE EdTech procurement guidance article
Procurement and supplier due diligence
The procurement basics remain, and due diligence on suppliers is a "must":
2.25. The academy trust must ensure:
- spending has been for the purpose intended and there is propriety in the use of public funds, including in relation to any actual or perceived conflicts of interest
- spending decisions represent value for money
- internal delegation levels are applied
- a competitive procurement procedure is in place and incorporated into the trust's financial framework
- procurement rules and thresholds in the Procurement Act 2023 and its associated regulations are followed
- Find a Tender service is used
- appropriate due diligence is in place
- professional advice is obtained where appropriate
New for 2026, trusts must consider DfE opportunities when making purchasing decisions and record their decision-making (2.27). For data protection purposes, "appropriate due diligence" on any supplier processing personal data means checking their security measures, sub-processors, international transfers and contract terms against UK GDPR Article 28 – before signing, not after.
Retention of records
6.5. The trust must retain records to verify provision delivered by it, or its sub-contractors, in relation to this handbook and its funding agreement, at least 6 years after the period to which funding relates.
Find out more about:
- Record keeping and retention information for academies and academy trusts
- Secure sanitisation and disposal of storage media from the National Cyber Security Centre
Cybercrime
6.14. Academy trusts must also be aware of the risk of cybercrime, put in place proportionate controls and take appropriate action where a cyber security incident has occurred. Trusts should take appropriate action to meet DfE's cyber security standards, which were developed to help them improve their resilience against cyber-attacks.
Ransom and extortion demands: wording broadened
Last year's handbook said trusts must not pay any cyber ransom demands. The 2026 edition goes further:
6.15. Trusts must not pay any ransom or extortion demands, including cyber ransomware. DfE supports the National Crime Agency's recommendation not to encourage, endorse, or condone the payment of ransom or extortion demands. Payment of ransoms or extortion demands has no guarantee of restoring access or services and is likely to result in repeat incidents.
This broader wording matters because attackers increasingly steal data and demand payment not to publish it, rather than (or as well as) encrypting systems. The prohibition now clearly covers data-theft extortion as well as traditional ransomware. Remember that where personal data is taken, the incident is also likely to be a personal data breach reportable to the ICO under UK GDPR Article 33 within 72 hours – regardless of any demand.
How we can help
We can help you assess where you are with the DfE Digital Standards: DPE's DfE Digital Standards Tracker tools. Our customers receive the DfE Leadership & Governance Tracker as part of their agreement with us.
We have help, guidance and training to help you assess where you are with cyber resilience and the Cyber Security Standards, and our DPO service can support your trust with MIS supplier due diligence and DPIAs ahead of the September 2027 framework deadline.
Find out more about the DfE Cyber Security Standards:
Watch our video overview
Contains public sector information licensed under the Open Government Licence v3.0.
