Best Practice Update

Various end of term and cyber attack images, School's Out text, and Data Protection Education Logo

Navigating Privacy at the End of Term , Special Occasions and End of Year

We've updated our end of term and end of year guidance, alongside advice for privacy considerations for special occasions (which also normally occur at the end of term).
There are several areas to consider around these times, including general routines for clearing up old data that won't be needed next year or might need to be moved to archive, to sharing information during special occasions:

Special Occasions

This might include the school nativity and sharing performance information

Nativity scene in glitter (child like) on a yellow back ground

Considerations around sharing and celebrating these special occasions on social media:
Laptop computer with the DPE Knowledge Bank Dashboard on the display

End of Term/Year Routines

At the end of every term/year there are routines around data to consider:

The end of term checklist covers aspects of data minimisation for the end of term, what should you get rid of? What should you keep? This and other checklists can be found in the Schools and Trusts Best Practice Area. Unlike some of our other checklists, it is possible to create one for the end of each term so you can keep a record of what procedures were carried out.

There is both an online version and downloadable version available to customers:
  document End of Term Checklist (46 KB) (printable document)

DPE customers can get started on completing the End of Term checklist here:
End of Term Checklist (online)

End of Year Memorabilia


We are often asked about how to use names in year books and hoodies etc.  Further advice can be found about that here:


Subject Access Requests

We see a surge in subject access requests at the end of every term.  What can we do if the SAR arrives on the last day of term? The 30 day time limit for a subject access request does not warrant an extension.  It is important that the school/trust discuss the situation with the data subject if they feel they will not meet the deadline.  On occasion, where the data is unavailable because the school is completely closed, it may be possible to agree with the requester that it will be dealt with by a certain deadline upon the schools return.  It is always worth remembering that they are not obliged to agree and all effort to respond as soon as possible should be made.  If you are a Data Protection Education customer then please contact us for support and help with this, email us at dpo@dataprotection.education 

Further guidance about what to do when you receive a SAR can be found here:
Image of a hand holding a phone with a white keyboard and the word 'Access'


Cyber Attacks

We also see an increase in Cyber Attacks because threat actors know that systems might be unmonitored for a number of days/weeks.  Often staff return after a holiday period to find hackers have been accessing their server and/or systems for a while and have since encrypted and prevented access with a ransom demand.   Ensure that you have:
  • A Business Continuity plan and Cyber Response plan in place
  • There is a named contact that is available in case of an incident, and they understand how and who to contact for support.
  • That there is a backup plan in place with a practised recovery.
Further guidance about this can be found in the DfE Digital Standards Cyber Security document.

Ensure you have assigned an SLT Digital Lead in your organisation as this will help to achieve the standard and ensure you have the correct processes in place.

Review additional advice here:
children in front of a laptop, harry the hacker and DPE logo on the back of the laptop, infront of a computer screen with lots of computer text about cyber attacks and data breaches



Answer a sample end of term question:

Are devices such as laptops, iPads and mobile phones collected and arrangements made for the device to be wiped for the next member of staff?

Invalid Input

Search