Data Protection and Records Management

Article Image

Working together to shape Policy, Procedure and Practice

Under the General Data Protection Regulation (GDPR), all schools will need to appoint a Data Protection Officer (DPO).


Schools also need to adhere to the Data Protection Act 2018 (DPA) which is a United Kingdom Act of Parliament.



What does a DPO do?

Enable and help the school and its staff to understand and comply with current data protection regulations, including their own school Data Protection Policy and Privacy Notices. The DPO should encourage a ‘data protection culture’, ensuring staff understand their data responsibilities. .  

The DPO is the first point of contact for all stakeholders with regard to data – highlighting and upholding the principles of data processing, data subjects’ rights, records of processing activities, security of processing, and the notification and communication of data breaches.

What is included?

  • Each year subscribing schools will be sent an induction pack with registers and check lists
  • A site visit (lasting a day) will be undertaken to review data protection practices and learn the schools systems
  • A ‘Recommendations of Practice’, report will be written following the visit to guide the school and target areas of concern and action.
  • Up to 2 hours whole staff training
  • Telephone and email support all year round
  • Governor training sessions 3 x a year
  • Retention and records management advice with drop in clinics
  • Support with Freedom of information Requests and Subject Access Requests
  • Newsletters and legal updates to brief staff on any decisions made by the ICO

The DPO will working along side the school's data protection lead, known as the Data Controller to: 

  • Educate the whole school community in relation to Data Protection
  • Serve as the point of contact between the school and Data Protection Supervisory Authorities and third parties
  • Support the school's Data Controller to monitor performance and providing advice on the impact of data protection efforts
  • Work with the school in maintaining comprehensive records of all data processing activities conducted, including the purpose of all processing activities, which must be made public on request
  • Support the Data Controller when dealing with data subjects to inform them about how their data is being used, their rights to have their personal data erased, and what measures the company has put in place to protect their personal information
  • Support and inform policy and practice for risk and data breaches


The Service Level Agreement contains any specific terms and conditions for this service.