BLS Stay Compliant

News and Information

Data Protection and the Education Sector

The education sector has always been faced with a wide range of competing pressures on a day-to-day basis, from SATs and exam results through to OFSTED inspections.

As well as these established pressures the need to ensure compliance with data protection and the General Data Protection Regulations (GDPR) is more important than ever before to ensure that safeguarding practices are effective and ultimately that children and students are protected.

The past 18 months has seen a rise in public sector audits carried out by the Information Commissioners Office (ICO), and a number of these have focused on the education sector. The outcomes of these audits give very clear messages for all within education to ensure they remain compliant in terms of all aspects of data protection.

Between September 2018 and October 2019 the ICO conducted audits of 11 Multi Academy Trusts (MATs) which involved a range of different settings (from nurseries through to sixth forms and post 16 education settings) who educate approximately 200,000 pupils.

The findings and recommendations were far reaching and the potential impacts for all education settings are clear. The findings included:

  • 70% of the MATs provided Information Governance (IG) induction and refresher training which did not include training for all staff nor did it cover all the key aspects (including data protection, GDPR, data security and breaches, records management, data sharing and requests for personal data).
  • Over 70% did not have clearly defined operational roles to support and promote effective compliance with all aspects of data protection.
  • 36% of the MATs had an inadequate policy framework in relation to data protection.
  • 46% did not have an effective internal audit system to ensure that policies, procedures and safeguards were regularly checked.

The full audit report can be found at: mats-outcome-report-v1_1.pdf (

It should also be noted that no organisation is immune to the scrutiny of the ICO. In October 2020 the ICO published a report following their compulsory audit of the Department for Education as a result of concerns about their data protection processes and systems.

As can be seen from the chart below the ICO made 89 separate key recommendations which were identified as either Urgent or High priority:

Education Chart

The full report can be read at:

Department for education audit executive summary (

BLS Stay Compliant has years of experience of supporting public sector organisations to ensure that they remain compliant across the full breadth of data protection. The team have over 85 years combined experience of working in the public sector, including one of our team who worked in the education sector for 25 years, including over a decade as a Headteacher.

We can support schools and MATs with a range of specialist services and training packages.


  • Data protection awareness for whole staff and volunteers.
  • Awareness and compliance for governors and Trustees.
  • Focused training for staff with specialist roles including Business Managers, Headteachers, Data Protection Officer (DPO) and Information Asset Owners (IAO).
  • Subject Access Requests (SARs) – how to manage and reply to them, including the use of redaction.
  • We can also support schools to identify key training areas and compile a Training Needs Programme.

Specialist Support:

  • We can act as your designated DPO for a school or MAT providing regular support and guidance.
  • Support with key data protection paperwork including Data Protection Impact Assessments (DPIAs), data flow mapping, risk registers, Privacy Notices and key policies.
  • Support to respond to Subject Access Requests including reaction and response letters.


  • Full audits of all key Data Protection and GDPR policies and guidance.
  • Physical security audits to ensure school and MAT sites are physically secure and so data is effectively protected.
  • At the end of both audits a full report complete with recommendations will be issued.

If we can support you with any aspect of data protection compliance and training please contact us and one of the team will be happy to discuss your needs:

Tel: 01757 616885


Share this post