We know the jargon can be confusing. As can the timelines for responding to the various requests that you receive. Whether it’s an email from a disgruntled parent or a letter from a solicitor, the clock starts ticking the moment it hits your inbox. But before you start pulling files, you must answer one critical question: What exactly are you looking at?
Following the success at our conference last week we are delighted to publish our Records Management Handbook.
We've uploaded a Subject Access Request Extension Template to the SAR Best Practice Library.
We're already seeing the leavers' hoodies when we're visiting schools and our help desk has received tickets asking about year book administration, so here's some best practice about 'Leaver's Memorabilia'.
📸✅ It's World Book Day on the 5th March when most schools will be celebrating reading and capturing photos of staff and students in their costumes. Given this is one of many significant photographic events in the calendar, we thought it was a good opportunity to remind everyone of photo and video best practice so there are no data protection slip ups.
Sharing personal data with a third-party organisation?
Supplier due diligence is about the contracts between controllers and processors. As a controller you determine the purpose and means of the processing (Article 4 (7)) and are responsible for ensuring processors (i.e. suppliers and third-parties) have implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk for any data processed.
One of the simplest ways to reduce the risk of a data breach on your organisation's premises is to establish a Clear Desk and Screen Policy. Beyond just tidy classrooms and offices, this initiative protects sensitive student data and staff privacy.
The Keeping Children Safe in Education (KCSIE) 2025 document obliges schools and colleges in England to “ensure appropriate filters and appropriate monitoring systems are in place and regularly review their effectiveness”. This responsibility is now a standard, no just a technical tick box, but a core leadership and safeguarding function.
🛡️Are your School's Digital Gates Secure? Governors are the gate keepers to cyber security. Today, as we celebrate School Governor's Day, it's the perfect time to ask the question that is critical right now: how do we protect our schools in a digital world?
📢📢 Come and register for our new Data Protection Education webinars for 2026!
The Data (Use and Access) Act is already law and It received Royal Assent on June 19, 2025. While it is legally an Act of Parliament, its various provisions are being "commenced" (brought into legal effect) in a phased approach that will continue throughout 2026.
Join us for our latest podcast episode breaking down the key changes introduced by the UK's new Data (Use and Access) Act (DUAA), explaining its phased rollout and objectives. The DUAA becomes law on Thursday 5th February 2026.
A recent ICO reprimand for the Staines Health Group, shows the importance of how special category deserves specific protection. This article highlights the risks associated with 'data dumping' when organisations overshare sensitive information excessively - when the sharing of sensitive safeguarding becomes the safeguarding issue.
The SEROCU (South East Organised Crime Unit) has advised schools across Surrey and Sussex to be aware of a rise in M365 phishing emails.
In a world of hybrid work and virtual meetings, the ability to record and transcribe discussions has become an essential tool for productivity. However, with this convenience comes a responsibility to protect privacy, maintain security and consider your lawful basis for recording/transcribing. To provide clear guidance we are introducing our new Recording and Transcription Policy Template.
We've had a few questions recently about parents and students recording conversations with members of staff, both covertly or overtly without seeking permission. This article only covers recordings made by external individuals, not organisations or individuals acting on behalf of an organisation.
The DfE previously issued training and guidance about the use of AI in Education - this has now changed to standards. Standards define minimum requirements that must be met, whereas a guideline offers recommended best practice or advice. The standards outline the safety standards that generative AI products and systems should meet to be used in educational settings.
Finding the right IT partner and support provider is a big decision. Due diligence for IT Support isn't just about who can 'fix computers', it's about ensuring standards are followed and they work with you to meet your organisation's strategy. Data Protection Education has a DfE IT Support Tracker and Supplier Due Diligence Directory to provide support and guidance as well as tracking your progress.
The Government Cyber Action Plan, published in January 2026, sets out a radical shift in how the UK public sector manages cyber security and digital resilience. It moves away from fragmented, siloed defences toward a "Defend as One" model led by a new Government Cyber Unit within the Department for Science, Innovation and Technology (DSIT).
NUNEATON, January 7, 2026 — Higham Lane School in Nuneaton has been forced to remain closed this week following a "significant" cyber attack that has crippled its entire digital infrastructure. The incident, which was discovered over the weekend just as students were set to return from the Christmas break, has left approximately 1,500 pupils unable to attend classes.
We're sharing some small snippets over Christmas to share with staff. Please feel free to share the link to this short news article or follow us over on our social media channels where we share additional help and advice - we'd love to see you there!
We've updated the CCTV policy to consider the requirements of retention, especially over the summer holiday.
There may be situations where at the start of a summer holiday a subject access request comes in for CCTV footage - but there are no resources available in school to stop the footage from being deleted under the regular retention schedule.
Therefore, where organisations are unable to access and retrieve this footage over the holidays, we recommend extending the re
We're sharing some small snippets over Christmas to share with staff. Please feel free to share the link to this short news article or follow us over on our social media channels where we share additional help and advice - we'd love to see you there!
We're sharing some small snippets over Christmas to share with staff. Please feel free to share the link to this short news article or follow us over on our social media channels where we share additional help and advice - we'd love to see you there!
The DfE Technology in Schools survey: 2024 to 2025 was published this week. We give our views on the results:
Several London councils are believed to have been targeted in cyber attacks within the past few days, including Hammersmith, who were previously attacked in 2020.
The government has announced an additional Digital Standard to help with planning, commissioning and reviewing their IT support services. The services can be internal, external or a hybrid. Effective IT support is essential for maintaining technology, planning improvements and mitigating risks like outages and cyber incidents, and sits alongside the other 11 standards.
The ICO has published some updated guidance for people and organisations who work in the education sector with children and young people under 18. The idea of the guidance is to help organisations feel confident to share personal information for safeguarding purposes.
Whether it's via a support ticket, online data protection compliance meeting or data walk around an organisation, we are having lots of conversations about the use of Shadow AI - the use of AI tools, applications or models by staff or students without the formal approval, oversight or governance of the organisation.
As Cyber Security Awareness Month draws to a close, it's important to recognise that cybersecurity isn't a destination; it's a continuous journey. For organisations, particularly those in the education sector, this journey often involves working towards recognised standards and certifications. In the UK, Cyber Essentials and Cyber Essentials Plus are government-backed schemes designed to help organisations protect themselves against common cyber threats. For schools, the Department for Educat