
Changes to the Academy Trust Handbook 2025
A list of all the changes and recommendations can be found here: Academy trust handbook 2025: effective from 1 September 2025
We wanted to highlight those changes that affect data protection:
Digital and Technology Standards
1.16. Trusts should have an understanding of the extent to which they are meeting DfE’s digital and technology standards and be working towards meeting the following 6 core standards by 2030:
- Broadband internet
- Network switching
- Wireless network
- Cyber security
- Filtering and monitoring
- Digital leadership and governance
Retention of records
6.5. The trust must retain records to verify provision delivered by it, or its sub-contractors, in relation to this handbook and its funding agreement, at least 6 years after the period to which funding relates.
Find out more about:
- Record keeping and retention information for academies and academy trusts
- Secure sanitisation and disposal of storage media from the National Cyber Security Centre
Fraud, theft, irregularity and cybercrime
6.9. Academy trusts must be aware of the risk of fraud, theft and irregularity and address it by putting in place proportionate controls. Trusts must take appropriate action where fraud, theft or irregularity is suspected or identified.
6.10. The board of trustees must notify DfE as soon as possible of all instances of fraud, theft or irregularity exceeding £5,000 individually, or £5,000 cumulatively in any financial year. Unusual or systematic fraud, regardless of value, must also be reported. The following information is required:
- full details of the events with dates
- the financial value of the loss
- measures taken to prevent recurrence
- whether it was referred to the police (and if not why)
- whether insurance or the RPA have offset any loss.
6.11. DfE may conduct or commission investigations into actual or potential fraud, theft or irregularity in any academy trust, either because of a notification from the trust itself or from other information received. DfE may involve other authorities, including the police.
6.12. DfE publishes reports about its investigations and about financial management and governance reviews at academy trusts.
6.13. DfE also publishes guidance on reducing fraud. Trusts should refer to this and to the findings from DfE’s investigation reports, as part of its risk management approach.
Cybercrime
6.14. Academy trusts must also be aware of the risk of cybercrime, put in place proportionate controls and take appropriate action where a cyber security incident has occurred. Trusts should take appropriate action to meet DfE’s cyber security standards, which were developed to help them improve their resilience against cyber-attacks.
6.15. Trusts must not pay any cyber ransom demands. DfE supports the National Crime Agency’s recommendation not to encourage, endorse, or condone the payment of ransom demands. Payment of ransoms has no guarantee of restoring access or services and is likely to result in repeat incidents.
Find out more about:
- Protect your charity from fraud (Charity Commission)
- Action Fraud (Police)
- National Cyber Security Centre
The Regulator and intervention
- Confirming that trusts must not pay any cyber ransomware demands (6.15).
DfE Digital Standards
We can help you assess where you are with the DfE Digital Standards: DPE's DfE Digital Standards Tracker tools. Our customers receive the DfE Leadership & Governance Tracker as part of their agreement with us. We have help, guidance and training to help you assess where you are with cyber resilience and the Cyber Security Standards.
Find out more about the DfE Cyber Security Standards:
For further information, email :