- Tammy Buchanan
- Best Practice Updates
DfE updates Data Protection in Schools guidance: what schools need to know
The Department for Education (DfE) updated its Data protection in schools guidance on 17 June 2026. This refresh aligns the guidance with the wider expected KCSIE 2026 guidance and reinforces existing obligations that schools should already be acting on.
This article sets out what has changed, what it means for your school in practice, and the actions your data protection lead should be taking now.
What does the 17 June update cover?
The June 2026 refresh to the ‘Data protection policies and procedures’ section does not introduce new law. Instead, it consolidates and cross-references guidance, ensuring the policies and procedures page reflects the full current picture. The key themes running through the updated guidance are:
• expanded expectations around filtering and monitoring, including AI-powered systems
• stronger signposting to the DfE Digital and Technology Standards (updated for KCSIE 2026)
• reinforcement of DPIA obligations before deploying new or significantly changed technology
• clearer requirements for what privacy notices must say about monitoring activities
• the alignment of data protection obligations with the safeguarding duty under KCSIE 2026
Filtering and monitoring: the data protection angle
One of the most significant areas of the updated guidance concerns filtering and monitoring systems. While the statutory duty to have appropriate filtering and monitoring in place sits in KCSIE, the data protection obligations that attach to these systems are now more clearly articulated in the DfE guidance. DPE published The DSL's Guide to Filtering and Monitoring, which covers the safeguarding and technical leadership aspects of this requirement in full.
What the guidance now says
The guidance makes clear that filtering and monitoring systems must be used in a way that is lawful, proportionate and transparent. Where systems use automated tools, such as AI, schools are explicitly required to ensure this. This is not a new legal requirement, but the explicit mention of AI is significant.
Many of the filtering and monitoring products now in use by schools incorporate machine learning or AI-driven content categorisation, alert generation, or risk-scoring. If your school uses one of these tools, your DPO needs to know about it. For broader guidance on evaluating AI tools in schools from a data protection perspective, see DPE’s article Can you use AI safely in schools?
DPO action required: If your filtering or monitoring system uses any form of AI or automated decision-making, you must be able to demonstrate that you have assessed this under UK GDPR Article 35 (DPIA) before deployment or following any significant change to the system. DPE has a Free AI DPIA Decision Infographic available to download.
DPIA requirements for filtering and monitoring
The guidance is explicit: schools must conduct a Data Protection Impact Assessment (DPIA) before introducing a new filtering or monitoring system, or before making significant changes to an existing one. This applies regardless of whether the system is managed in-house or by a third-party IT provider.
A DPIA is required in this context because:
• pupils are children and therefore vulnerable data subjects
• monitoring captures detailed behavioural and sometimes sensitive data
• automated systems may make decisions or generate alerts that have a real impact on individuals
• third-party providers may process data outside your direct control
If your school has not completed a DPIA for its current filtering and monitoring solution, particularly if that solution was procured or significantly updated in the last two to three years, this should be treated as a priority action.
Privacy notices: filtering and monitoring must be included
The updated guidance reinforces that schools must address filtering and monitoring in their privacy notices. Your privacy notice for pupils and staff must explain what is monitored, why it is monitored, who can access alerts or reports, and how long that information is retained. DPE’s recent article Navigating the Future: 2026 Privacy Updates, Data Access, and Student Wellbeing covers the wider suite of 2026 privacy notice updates schools need to make, including changes required by the Data Use and Access Act (DUAA) and the Children’s Wellbeing and Schools Act.
Schools should also review the privacy notices of any third-party filtering and monitoring providers they use. Where those providers process personal data on your behalf, they are acting as data processors and you need appropriate Article 28 contracts in place.
Checklist: privacy notice coverage for filtering and monitoring
• Does your pupil privacy notice explain what online activity is monitored?
• Does it explain why monitoring takes place (safeguarding duty)?
• Does it identify who can access monitoring reports or alerts?
• Does it state how long monitoring data is retained?
• Have you reviewed your provider’s own privacy notice?
• Do you have an up-to-date Article 28 data processing agreement with your provider?
Access to monitoring data: the authorised staff requirement
The guidance is clear that access to monitoring data must be restricted to authorised staff only, and that those staff must receive appropriate training. This extends to in-house and third-party IT support staff who manage the systems: they too must receive safeguarding training, including in online safety.
In practice, this means your school should be able to demonstrate:
• a defined list of roles with access to monitoring alerts or dashboards
• a record of safeguarding training completed by those individuals
• a process for reviewing and removing access when staff leave or change roles
This is an area where data protection and safeguarding governance intersect directly. The DSL, DPO and IT lead should be working together to ensure appropriate access controls are in place and documented.
Automated decision-making in your Record of Processing Activities
The guidance’s section on Record of Processing Activities (ROPA) now explicitly prompts schools to record whether any processing involves automated decision-making. This is particularly relevant where filtering systems automatically block content, where monitoring tools generate automated risk scores, or where AI tools are used in any aspect of school data processing.
Under UK GDPR Article 22, individuals have rights in relation to solely automated decisions that have a significant effect on them. While most school filtering and monitoring systems do not make fully autonomous decisions (a human should always review before action is taken), this area is worth checking with your IT provider. For further context on AI risk in the school environment, see DPE’s article Guardians of Privacy: Social Media, Privacy, Children and the AI Threat, which covers AI-generated threats and the data protection obligations they create.
Cyber security: an integral part of data protection
The guidance cross-references the six core DfE Digital and Technology Standards, which schools must meet by 2030. Cyber security is one of the six standards, and the guidance is clear that schools must protect critical data from cyber attacks. DPE’s What School Leaders Need to Know About the DfE's New Cyber Security Hub provides a school leader’s overview of the DfE Cyber Security Hub launched in May 2026, and The Cyber Security Breaches Survey 2025/2026 – Key Advice for Schools sets out the current threat picture based on DSIT’s 2025/2026 survey findings.
The consequences of inadequate cyber security controls are not theoretical. DPE’s analysis of Human Error and High Stakes: What the Horizon Academy Trust Incident Teaches Us About School Data Breaches illustrates how human error combined with insufficient access controls can result in a serious personal data breach with significant reputational and regulatory consequences.
The legislative context: DUAA and the Children’s Wellbeing and Schools Act
The June 2026 DfE guidance update sits alongside a busy legislative period for schools. The Data Use and Access Act (DUAA) and the Children’s Wellbeing and Schools Act both have direct implications for how schools handle personal data. DPE has published detailed analysis of both: What the Data (Use and Access) Act Means for Schools and The 2026 Mandate: Navigating the Children's Wellbeing and Schools Act.
These legislative changes reinforce the direction of travel in the DfE guidance: data protection is no longer a back-office compliance function but is embedded in safeguarding practice, governance, and school operations at every level.
Summary of actions for data protection leads
| Action | Priority | Who |
| Check whether a DPIA has been completed for your current filtering and monitoring system | High | DP Lead / IT lead |
| If your filtering/monitoring system uses AI, confirm this is reflected in your DPIA and ROPA | High | DP Lead / IT lead |
| Review pupil and staff privacy notices to ensure filtering and monitoring is addressed | High | DP Lead |
| Check Article 28 contracts are in place with filtering and monitoring providers | High | DP Lead / Business Manager |
| Confirm that only authorised staff have access to monitoring data and that training records exist | Medium | DSL / DP Lead / IT lead |
| Review the ROPA and check automated decision-making column is completed for relevant tools | Medium | DP Lead |
| Confirm data protection policies have been reviewed and are on the governor agenda | Medium | DP Lead / Clerk |
| Check that any IT staff managing monitoring systems have completed safeguarding training | Medium | DSL / IT lead |
Further reading and DPE resources
The following DPE articles and resources are directly relevant to the topics covered in this guidance update:
| Article | Published | Topic |
| | 15 June 2026 | Filtering & monitoring |
| | 19 May 2026 | AI in schools |
| Navigating the Future: 2026 Privacy Updates, Data Access, and Student Wellbeing | 2 June 2026 | Privacy notices |
| | 27 May 2026 | Legislation |
| The 2026 Mandate: Navigating the Children's Wellbeing and Schools Act | 30 April 2026 | Legislation |
| What School Leaders Need to Know About the DfE's New Cyber Security Hub | 12 May 2026 | Cyber security |
| The Cyber Security Breaches Survey 2025/2026 – Key Advice for Schools | 1 May 2026 | Cyber security |
| | 9 June 2026 | Data breaches |
| Guardians of Privacy: Social Media, Privacy, Children and the AI Threat | 13 May 2026 | Online safety / AI |
| | Free resource | Free resource |
| | Free resource | Free resource |
| | 7 May 2026 | Cyber security |
Need support with any of these requirements? DPE subscribers can access guidance for DPIAs for filtering and monitoring systems, updated privacy notice clauses, and ROPA templates through the Knowledge Bank. If you have questions about any of the requirements covered in this article, contact your DPO service lead or visit dataprotection.education.
Data Protection Education Ltd | This article is for guidance purposes only and does not constitute legal advice. Always seek specific advice for your school’s circumstances.
