You are in: School Admin » Schools Admin » Data Protection & Freedom of Information

GDPR Guidance


Privacy Notice Guidance
formerly known as Fair Processing (Pupil Census)

Privacy Notice Guidance
formerly known as Fair Processing (Workforce)


Data Protection &
Freedom of Information

Records Management for Schools

Data Security

Freedom of Information Act 2000 & Document Retention


Cloud Software Services


GDPR (General Data Protection Regulation)

As you may know, new data protection regulations (GDPR) come into force from 25th May 2018. These strengthen requirements around data security and will apply to all schools, academies and education settings

HCC have already published some guidance to support schools in this area:

In addition to this guidance, HCC and HfL have been working together to identify support to enable you to meet these new requirements is a measured and supported manner. Whilst there are a large number of private providers mailing schools about this area offering a range of services, these are often needlessly expensive. We believe that in reality, the requirements are not overly complex or onerous for schools. We are therefore currently developing a range of support mechanisms for schools which will enable you to train your staff (inc headteacher briefings, Data Protection Officer (DPO) training and whole staff training) which will be available in the Spring term. We are also developing a range of materials and templates to help schools meet the new regulations via an online toolkit.

Headteacher forums have asked us to mail headteacher email accounts with updates about support and requirements each term. However, we are also creating a mailing list for those who would like regular updates about GDPR and operational management of the new regulations. If you would like to register for these, or would like to forward this email for another staff member to register, please send your email address to:

The PowerPoint provides an overview of GDPR and support being developed for your school. Please do contact us if you have further questions about this or any other area of HfL’s Business Services.

GDPR Update – January 2018
Biometric data

Head Teachers and school business managers are alerted that under GDPR Biometric data used for identification purposes is classified as Sensitive Personal Data rather than Personal Data. Schools already using biometric systems to manage processes such as lunch payments and library borrowing are reminded that they should check they have explicit consent from a parent and that parents or pupils who refuse consent should have their wishes respected.

  • Schools should follow the guidance issued by the Dept. for Education in 2012, following the introduction of the Protection of Freedoms Act.
  • Schools should also ensure they can delete the data once they no longer have a business need to hold it, and that the security protecting it is appropriate.
  • Schools who are thinking about or in process of installing such a system should conduct a Privacy Impact Assessment /Data Protection Impact Assessment beforehand. The ICO (Office of the Information Commissioner) has produced guidance on PIA at: Data protection impact assessments

Support for schools

GDPR Toolkit NEW

The new GDPR Toolkit from Herts for Learning is now available online to purchase. This toolkit is designed to help Data Protection Officers (DPOs) in educational settings to carry out their role and contains supporting guidance, advice and materials to help schools achieve GDPR compliance and drive the right data protection culture throughout the organisation. This toolkit will evolve in the light of feedback from users and best practice in educational settings and provide support and guidance for your staff throughout the period of your subscription. Visit the HfL website: For full details and how to purchase the toolkit

General Data Protection Regulation/ new UK Data Protection Law : a brief guide for schools
In-School Data Protection Awareness Training

Herts for Learning offers in-school, all-staff training on basic data protection and cyber security. This 90-minute staff meeting is a non-specialist, non-technical information and awareness session aimed at any member of staff that has access to personal data.

We discuss what constitutes personal data and the behaviours we need to adopt in order to protect it. The session provides the general information needed by all staff, but not the higher level, specialist training that may be required for a Data Protection Officer role. Similarly, the session does not cover the technical aspects of keeping a network secure, etc. and no information delivered in the session should be considered legal advice.

During the 90-minute session, we cover, for example:

  • A general overview of data protection and GDPR
  • Discussing potential risks to data
  • Precautions around sending emails
  • Protecting portable disks
  • Keeping a clear desk
  • Recognising 'phishing' and other types of fraud
  • Protecting ourselves again malware
  • How to make a strong password
  • How social media can mine our data
  • And more.

Schools that book the session will receive, electronically, a written summary of the advice given, an A3 poster to print / display and a certificate to evidence that the training has taken place.

To find out more or book a session, please contact Chris Carter, eDevelopments Adviser, at



If you have any DPA or FOI queries please contact the Schools Legal Helpline - 01992 555520 (comnet - 25520)


Cloud Software Services and Data Protection

The DfE have produced guidance for local authorities, school leaders, staff and governing bodies on cloud software services. It outlines how schools need to consider data security when moving services and sensitive information to the internet-based facilities of cloud computing (the cloud).


Data Protection Guidance

August 2016 Updated EU-U.S. Privacy Shield

Schools are reminded that the data protection policy of third party data handlers (school data services for example) should always be checked for suitability according to the sensitivity of the data concerned. More information on the status of this new protection measure can be found at the foot of the document in this ICO link.

Here is the original European Commission press release.

Data Security

Security of Confidential / Personal Data - Electronic and Paper

It is critical that schools consider the safety of confidential / personal data removed from a school site (electronic and paper). Ensuring that ALL staff are aware of how to handle sensitive or personal information and their responsibilities when accessing data is vital and this section provides guidance on staff training and recommendations.

If you are considering applying this method of security to any computer devices in your school which you think may be taken off-site:

  • data encryption must not be attempted on any file servers or computer devices configured as RM Community Connect 3 or 4 workstations;
  • storage devices such USB sticks are best encrypted in their entirety;
  • staff laptops that hold personal data should have an encrypted ‘container’ created where all sensitive data should be stored;
  • existing SIMS ‘master’ PCs should not be encrypted at this stage.  SITSS are considering the feasibility of encrypting the whole of the hard drive on all new SIMS ‘master’ computers.  We are also investigating the possibility of encrypting existing, older SIMS ‘master’ PCs;
  • backup media must be kept secure at all times.

Warning – keep your encryption password in a safe place.  Access to encrypted drives and ‘containers’ is controlled by password - should you loose it you will NOT be able to access your data!

Password Security and Password storage – why it’s not as simple as 123…

Latest advice regarding password security from the Information Commissioner’s Office can be found here

Keeping Parents informed: What schools need to consider when using email

Latest advice from the Information Commissioner’s Office can be found here

How to Encrypt Files in schools only

School Policy in Brief


Also see the 'Model School Policy for ICT Acceptable Use Incorporating eSafety, Data Security & Disposal of ICT Equipment' in the esafety section:


Privacy Notice Guidance formerly known as Fair Processing (Pupil Census)

The DfE have updated the suggested privacy notices for schools and local authorities to issue to staff, parents and pupils about the collection of data. This page will be updated when further guidance and advice is available. The suggested text from the DfE is available below. The HfL Toolkit which will be available in the second half of the Spring Term will contain Privacy Notices versions written in plain English/transparency and age/audience relevant.


Privacy Notice Guidance formerly known as Fair Processing (Workforce)

The DfE have updated the suggested privacy notices for schools and local authorities to issue to staff, parents and pupils about the collection of data. This page will be updated when further guidance and advice is available.

Freedom of Information Act

ICO Advice to Schools Regardng Data Protection and Freedom of Information

The Information Commissioner's Office have posted a video and further advice on the responsibilities of schools regarding Data Protection Act and Freedom of Information. The Information rights video is aimed at head teachers, managers and governors to help comply with their responsibilities to information rights in schools, colleges and universities.

The Information Commissioner’s Office has updated its advice on the Freedom of Information Act and Environmental Information Regulations Act.

Freedom of Information and Environmental Information Regulations Act Guidance for Hertfordshire Schools in schools only Jan 2016

A new document has been produced by Hertfordshire County Council Information Governance Unit in conjunction with Herts for Learning. It is designed to help schools understand their responsibilities under Freedom of Information Act 2000 (FOIA) and Environmental Information Regulations 2004 (EIR). The document can be downloaded here:



Records Management for Schools

The Records Management Toolkit for schools developed by the Information and Records Management Society can be downloaded from:

Publication Schemes

The ICO has updated their guidance for schools and provided greater guidance for nursery, primary and small schools.

Explanatory Notes for Model Publication Scheme for all schools including academies and free schools

Template Model Publication Scheme for Nursery, Primary and Small Schools

Guide to completing the Model Publication Scheme for Nursery, Primary and Small Schools