Helping you comply with your responsibilities to information rights in schools, colleges, and universities.

Last updated 24 January 2018: Department for Education video: GDPR guidance for schools added. 

Department for Education video: GDPR guidance for schools

Iain Bradley from the DfE explains how you can review and improve your handling of personal data.

Getting ready for the GDPR

Data Protection law is changing on 25 May 2018 and organisations need to be ready for the General Data Protection Regulation (GDPR).  The ICO has produced a package of tools and resources to help you get ready. These resources include:

Webinar: Data protection for the education sector

Fundraising and marketing in education organisations

If you're planning a fundraising or marketing campaign, it is essential that it is undertaken in line with the Data Protection Act and Privacy and Electronic Communication Regulation (PECR). The ICO has produced a number of resources that offer guidance about how organisations can ensure the activities undertaken are compliant with the law.


In the event that an education organisation decides to use surveillance technology, ie CCTV and body worn video it needs to be done in line with the Data Protection Act. Advice about these technologies is provided in our CCTV code of practice.

It is important to make sure that any images are only used for the purpose you have specified. Individuals have to be made aware they may be recorded and appropriate measures must be put in place to keep the recorded images secure.

We recommend that schools always undertake a privacy impact assessment (PIA) before deciding whether or not to use surveillance technology.

Information rights video for schools

Aimed at head teachers, managers and governors, this video focuses on the areas we think are most relevant.

Lesson plans

Helping children understand the value and importance of their personal information, how to look after it, and the obligations organisations have.

Data protection – looking after the information you hold

Subject access

Your pupils and students have rights to see their personal information. They can make a subject access request to see the personal information you hold about them. They – and their parents – also have the right to see their educational records. 

 Our subject access requests webinar offers advice and guidance about best practice.


The Protection of Freedoms Act 2012 places controls on the use of biometric systems in schools, for example for cashless catering or borrowing library books.

Exam results

If you intend to publish exam results in the media, you must inform your pupils and students first.

Taking photos in schools

The Data Protection Act does not prevent parents and teachers from taking photos of events such as the Christmas play or sports day. Asking permission to take photos is normally enough to ensure compliance.

Bring your own device (BYOD) guidance

Guidance for organisations who want to allow staff to use personal devices to process personal data that they are responsible for.

The Department for Education have also provided guidance on data protection for schools considering cloud software services.

Guidance on the use of cloud computing

This guidance covers how the security requirements of the DPA apply to personal data processed in the cloud.

Advice based on the experiences of schools

Our report, indicating areas of good practice, areas for improvement and practical advice, is based on the results of a questionnaire of over 400 schools across nine different local authorities in England and Wales.

Freedom of information - making public information available

If the educational establishment you work in is a public authority, the Freedom of Information Act means you must produce a publication scheme, which outlines the information you will routinely make available to the public - such as minutes of meetings, annual reports or financial information.

Our definition documents explain the detail of what you need to publish:

Further reading