On 15 July 2026, the Department for Education published How to reduce procurement risk: good practice guide for academy trusts. The guide is aimed at business managers, finance staff and others involved in procurement decision making, and follows the four phases of the procurement lifecycle: plan, define, procure and manage.
It sits alongside the new EdTech procurement section added to the DfE's Data Protection in Schools guidance on 9 July 2026, which we covered in DfE Data Protection Advice for Schools. Taken together, July 2026 has been a significant month for procurement guidance in the education sector, and both documents carry data protection obligations that trusts should not overlook.
Academy trusts are contracting authorities under the Procurement Act 2023, which generally applies to procurements started on or after 24 February 2025. The Academy Trust Handbook already requires trusts to have appropriate due diligence in place, respond to actual or perceived conflicts of interest, and follow the procurement rules and thresholds in the Act.
Why this matters for data protection
Although this is primarily a commercial and governance document, the guide contains several points that fall squarely within the remit of your DPO and data protection lead. We have summarised the key areas below.
1. Conflict of interest assessments contain personal data
The guide is explicit on this point. A conflict assessment is legally required for every procurement covered by the Procurement Act, must be prepared before a tender notice is published, and must be reviewed throughout the procurement. Assessments must cover anyone who may influence procurement decisions: trust employees, trustees and governance participants, and third parties such as consultants.
Because these assessments normally contain personal data, the DfE says trusts should consider the data protection implications of collecting, storing and reviewing this information. In practice, this may mean reviewing your trust's:
- Privacy notices: do they cover processing personal data for conflict of interest and procurement governance purposes?
- Record of processing activities (ROPA): is this processing activity recorded, with a lawful basis identified?
- Local data protection policies: do they address how declarations and assessments are handled?
- Secure storage locations: where are assessments held, and who can access them?
The guide also notes that an annual declaration of interests is not enough on its own, because conflicts can arise at any stage and may involve individuals who do not complete the annual declaration. If your trust moves to per-procurement conflict assessments, the volume of personal data being processed will increase, and your documentation should reflect that.
2. Due diligence is a Handbook requirement and it includes data protection
The Academy Trust Handbook expects appropriate due diligence to be in place when trusts buy goods and services. Where a supplier will process personal data on the trust's behalf, commercial due diligence and data protection due diligence are two sides of the same exercise: checking financial standing and delivery capability without checking UK GDPR compliance, security measures, sub-processors and international transfers leaves the job half done.
The ICO's EdTech Examined audit report, now directly referenced in DfE procurement guidance, showed why this matters. The audit of 28 providers found widespread compliance failures in how EdTech providers handle children's personal data, and the DfE now tells schools to take those findings into account when procuring EdTech tools. Our summary of the audit is here: ICO EdTech Audit 2025: Key Findings for Schools.
For a practical walkthrough of supplier checks, see our guides:
- Supplier Due Diligence Step by Step: Are you sharing personal data with a third party organisation?
- The Multiple Dimensions of Supplier Due Diligence
- Is your IT Support Provider Compliant?
3. Contract registers support both procurement and data protection compliance
The guide recommends that trusts maintain a contracts register to provide visibility of renewal points, termination windows, contractual obligations and contract values, and to identify strategic suppliers. A well-maintained contracts register does double duty: it also underpins your record of processing activities, your data sharing arrangements and your ability to answer the question every DPO asks: which suppliers hold our personal data, and under what terms?
We have covered this previously in Contracts Register, and DPE customers can record supplier and contract information in the Knowledge Bank as part of their compliance documentation.
4. Exit management: plan for the personal data before you sign
The manage phase of the guide includes a section on exit management that data protection leads should read in full. The DfE advises agreeing an exit plan at the start of a contract, and says that plan might include details on how personal information will be securely transferred and handled at termination or expiry. It specifically flags the need for care where employees may transfer under TUPE, and says information should be made available in time to support retendering and used only in accordance with data protection legislation.
In our experience, exit is where personal data problems surface: the supplier who cannot confirm deletion, the legacy system nobody can access, the export that arrives in an unusable format days before retendering closes. Building data return, deletion and certification obligations into the contract, and into an exit plan that is reviewed during the contract's life, not discovered at the end of it, is considerably easier than negotiating them with an outgoing supplier.
5. Record keeping and retention
The guide requires trusts to keep all communications with suppliers relating to a contract award and any document explaining a material decision, for as long as the trust's retention policy requires, and no less than the minimum period set by section 98 of the Procurement Act. Procurement records will include personal data (evaluator names and notes, conflict declarations, supplier contacts), so they should have a documented place in your retention schedule alongside a clear owner and secure storage location.
Practical actions for trusts
- Share the guide with your business manager, CFO and anyone involved in procurement, and make sure your data lead is aware of it too.
- Review your privacy notices and ROPA to confirm that conflict of interest assessments and procurement records are covered.
- Check your due diligence process includes data protection questions for any supplier processing personal data, drawing on the ICO EdTech findings for EdTech suppliers.
- Establish or refresh your contracts register, and use it to identify which suppliers hold personal data and when contracts are due for renewal.
- Ask for the exit plan on new contracts, including data return, deletion and transition support, before signing, and add contract exit risks to your risk register.
- Update your retention schedule to reflect the minimum retention requirements for procurement records under the Procurement Act.
How DPE can help
DPE customers can raise supplier due diligence questions through the DPO helpdesk, and the Knowledge Bank includes the Supplier Due Diligence checklist, DPIA templates and best practice guidance to support the steps above.
Related reading
- DfE Data Protection Advice for Schools : the new EdTech procurement section of Data Protection in Schools (9 July 2026)
- ICO EdTech Audit 2025: Key Findings for Schools
- DfE Cyber Security Standards for Schools: June 2026 Update
- Changes to the Academy Trust Handbook 2025
- Supplier Due Diligence Step by Step
- Contracts Register
- Why Due Diligence is Important: Fake apps
Contact us for support: 0800 0862018 or via the DPO helpdesk.
