Schools are, in data protection terms, high-risk organisations: they hold large volumes of sensitive information about children who cannot fully protect their own privacy. That makes student data protection both a legal obligation and an ethical one. This article sets out what UK schools most need to know — what data they hold, their responsibilities, the rights of pupils and parents, and how to handle sensitive information properly.
Quick summary
- Schools hold extensive sensitive data about children, creating heightened responsibility.
- Under UK GDPR and the Data Protection Act 2018, schools are data controllers accountable for that data.
- Pupils and parents have data rights the school must honour.
- Special category data (health, safeguarding) needs the highest protection.
- Third-party platforms handling pupil data must be vetted and compliant.
What data do schools hold?
Schools process a remarkable breadth of personal data, including:
- Identity and contact details for pupils and families
- Attainment and assessment records
- Attendance and behaviour data
- Safeguarding and child protection records
- Health and medical information
- SEND information
- Free school meal / disadvantage indicators
- Images and, increasingly, online learning data
Much of this is special category or highly sensitive data, warranting the strongest protection.
Schools as data controllers
In most cases a school is the data controller — the organisation that determines how and why personal data is processed — and is therefore accountable for it. This means the school must:
- have a lawful basis for processing,
- apply the data protection principles,
- keep data secure,
- honour data subject rights, and
- be able to demonstrate compliance (see GDPR for Schools Explained).
Where third parties process data on the school’s behalf (such as EdTech providers), they are usually data processors, but the school remains accountable — which is why vetting them matters.
The rights of pupils and parents
Individuals have rights the school must be ready to honour, including:
- Being informed through clear privacy notices
- Accessing their data (a subject access request)
- Rectifying inaccurate data
- Erasing data in certain circumstances
- Restricting or objecting to processing
For younger children, parents usually exercise these rights on their behalf; as children mature, they may exercise their own. Schools should have clear processes to respond within statutory timeframes.
Handling sensitive information securely
Sensitive pupil data demands particular care:
- Store securely, with access limited to those who need it.
- Keep safeguarding records confidential and separate.
- Share only when lawful and necessary, and securely.
- Retain only as long as needed, then dispose of securely.
- Transfer securely when a pupil moves school.
See Data Protection Best Practices for Schools for practical detail.
Third-party platforms and pupil data
Modern schools share pupil data with numerous digital platforms. Because the school remains accountable, it must ensure each platform is secure, compliant and appropriate before sharing data — see Choosing GDPR-Compliant EdTech Platforms and Questions Schools Should Ask Every EdTech Provider.
Frequently asked questions
Is a school a data controller?
In most cases, yes. The school determines how and why pupil data is processed and is accountable for it.
What data protection rights do parents have?
Parents (and, as they mature, pupils themselves) can be informed about, access, rectify, erase, restrict and object to the processing of personal data.
What is special category data in a school?
Sensitive data such as health, and information revealing safeguarding concerns — needing an additional lawful condition and the strongest protection.
Who is responsible when data goes to an EdTech provider?
The provider is usually a data processor, but the school remains accountable as controller — so vetting the provider is essential.
How long can a school keep pupil data?
Only as long as necessary for the purpose, in line with a retention schedule, after which it should be securely disposed of.
How should schools handle a subject access request?
Through a clear process that provides the individual’s data within the statutory timeframe.
Conclusion
UK schools hold some of the most sensitive personal data about children anywhere, and the law holds them accountable for protecting it. Know what data you hold, apply the principles, honour pupils’ and parents’ rights, protect sensitive information, and vet the platforms you share data with. Handled well, student data protection is simply part of treating children — and their information — with care.
How AI Buddy supports schools
Because a school remains accountable for pupil data shared with any platform, choosing well-governed tools reduces risk. AI Buddy is built by Tutopiya to support schools in strengthening areas evaluated during Ofsted inspections: pupil data is minimised and pseudonymised — only necessary information is shared — encrypted and hosted on AWS, with a documented privacy policy and privacy notice for parents, defined data-subject rights, and regular accuracy and compliance reviews. AI Buddy is not endorsed or certified by Ofsted; it is built so that the pupil data you entrust to it stays protected.
Discover how AI Buddy helps schools strengthen teaching, learning and evidence-informed school improvement. Or start a short consultation with our schools team using the form below.
Sources
- Information Commissioner’s Office, UK GDPR guidance and resources (ICO)
- Data Protection Act 2018 (legislation.gov.uk)
- Department for Education, Data protection in schools (GOV.UK)
- Department for Education, Keeping Children Safe in Education (GOV.UK)