The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

The ICO carried out a programme of audits at multi academy trusts. This was to better understand how MATs process personal data and how this processing linked into the rights of the individual under the DPA and GDPR, as well as new provisions for children.

The ICO also carried out a review of eight educational establishments in relation to their compliance with data protection legislation, particularly their SAR handling. 

A statement from Anulka Clarke, Acting Director, Regulatory Assurance:

“The report we’re publishing today, on the data protection performance of a selection of multi-academy trusts (MATs), is important reading. But it may be tough reading for some.

“Our consensual audits of these 11 MATs helped us to understand the education sector better, and the findings from these audits will inform ICO work going forward. For the 325 individual schools involved, the findings will provide them with a clear action plan and a blueprint of how to improve their data protection practices. Where we found areas of good practice, we have highlighted these to ensure that this good practice continues.

“To support the MATs work, we looked at a good size sample of schools and their performance of subject access requests (SARs). This again intends to help educators understand the rules around this sometimes misunderstood activity and support improved performance.

“These reports aim to encourage good practice, and have built up our own knowledge of how children’s privacy is addressed in the education sector. We hope you find our conclusions here helpful and useful for your own data protection practices.”