
Building a Secure School: Using the ICO Accountability Framework to Meet DfE Digital Standards
The ICO Accountability Framework is a crucial tool for any organisation handling personal data, providing a structured approach to data protection compliance. When applied to the Department for Education (DfE) Digital Standards, it becomes a powerful mechanism for schools and trusts to ensure their technology and data practices are not only efficient but also legally compliant and secure.
The ICO Accountability Framework (ICO AF) offers a comprehensive roadmap that aligns directly with the key principles of the DfE Digital Standards (DfE DS), particularly those relating to data security and governance. Our Knowledge Bank portal is not just a repository of content; it is a suite of content, tools and resources to support and document your compliance. Our own information governance framework, based on the ICO AF, breaks down the complex requirements of data protection law. Each section covers every aspect of data governance, from strategic decisions to operational policies and procedures. By using the framework, schools can systematically assess their compliance against the requirements of data protection law.
The DfE DS provide clear guidelines for schools about digital procurement of services and products, such as cyber security, cloud solutions and data handling. While the DfE DS set the 'what' for good practice, the ICO AF provides the 'how' for demonstrating and maintaining compliance.
Leadership & Governance
The DfE DS emphasise the need for strong digital leadership and governance. The ICO AF supports this by providing a structure for demonstrating that leadership is engaged at the strategic level and that there is a clear organisational structure for data protection, with defined roles and responsibilities. This includes assigning a senior leader to be accountable for digital technology and ensuring that data protection risks are reported to the highest levels of management. The SLT Digital Lead should work with the Digital Governor.
Customers should review the Leadership & Governance Tracker tools, the Governors and Data Best Practice Area and our video about Data Protection & Cyber Security Responsibilities for Governors. More information about assigning an SLT Digital Lead can be found in our articles and in the DfE Digital Standards Overview Best Practice Area.
Customers should review the Leadership & Governance Tracker, the Roles and Responsibilities document and our DfE Digital Leadership & Governance video.
Records Management & Security
The DfE DS require schools to protect devices, networks and data. The ICO AF provides tools to document how this is achieved. For example, the Record of Processing and Information Asset Registers are central to the framework. These tools help schools map where data is stored, what it is used for and who can access it - all critical steps for meeting the DfE DS. The framework also covers practical measures like establishing a Retention Schedule and ensuring Access Controls are in place.
Customers should review the Records Management Best Practice Area, our Retention Schedule and our Record of Processing tool. Our video about Access Controls and User Permissions provides simple guidelines about user permissions - the fundamentals of cyber security. Also review our Records Management and Data Retention video.
Customers should review the following trackers: Cyber Security and our DfE Cyber Security Standards video; Compliance with Regulations and the Access Controls video; Digital Leadership & Governance and our Digital Leadership & Governance video; Servers and Storage Standards and our Servers and Storage Standards video.
Training & Awareness
The DfE DS advise that all staff and students receive annual cyber security training. The ICO AF provides a detailed guide on what this training should cover, ensuring that it is comprehensive and effective. The framework encourages continuous learning through e-learning and drip-feed posters, including practical exercises like Phishing Simulations to build a robust security culture.
Customers should review our online e-learning courses and free webinars, or contact us directly if there is a requirement for in-person training, which we can tailor for the organisation. We recommend downloading and printing both our cyber security and data protection awareness drip-feed posters.
Customers should review the following trackers: Cyber Security and our DfE Cyber Security Standards video; Compliance with Regulations; Digital Leadership & Governance and our Digital Leadership & Governance video.
Response & Enforcement
The DfE DS require schools to have a cyber response plan in place. The ICO AF provides a detailed blueprint for managing and responding to data breaches. It includes measures for detecting, assessing and reporting incidents and ensures there is a clear process for notifying individuals and the ICO if a breach occurs. This approach helps schools mitigate harm and demonstrates accountability in the event of a security incident.
Customers should review our Data Breaches Best Practice Area, and ensure all data breaches are logged in the Data Breach Log, however serious. More information about cyber security can be found in our Cyber Security Best Practice Area.
Customers should review the following trackers: Cyber Security and our DfE Cyber Security Standards video; Compliance with Regulations; Digital Leadership & Governance and our Digital Leadership & Governance video.
Contracts & Data Sharing
Schools share data with third-party providers (for example, for cloud-based learning platforms or school management systems). The DfE DS require these solutions to be secure and compliant. The ICO AF provides a checklist for ensuring that Data Sharing Agreements and contracts with data processors include the necessary legal clauses. It also guides schools on conducting due diligence checks on suppliers to ensure they meet the required security and data protection standards.
Customers should start by reviewing our Supplier Due Diligence Best Practice Area and our third-party supplier list. Customers can request a new supplier due diligence check through our Knowledge Bank ticketing system.
Customers should review the following trackers: Cyber Security and our DfE Cyber Security Standards video; Compliance with Regulations; Digital Leadership & Governance and our Digital Leadership & Governance video; Cloud Solutions Standard and our Cloud Solutions Standard video; Filtering & Monitoring Standards and our Filtering & Monitoring video. Any procurement of devices and services where personal data might be shared should be reviewed, which might include the Servers and Storage Standards and the Laptop, Desktop and Tablet Standards.
The ICO AF acts as a powerful enabler for schools to achieve and demonstrate compliance with the DfE DS. It moves beyond a simple checklist to create a programme of continuous improvement. Through the Knowledge Bank, customers can track, show progress and report on both the ICO AF and DfE DS. By integrating tools like the Knowledge Bank into their daily operations, schools can proactively manage data protection risks and foster a strong culture of security. It provides a clear path to meeting data protection compliance, the DfE DS and standards for responsible digital governance in education.
Our DfE Digital Standards webinar outlines the basics of the DfE Digital Standards, with a demo of using the tracker tools in our Knowledge Bank platform. A more detailed explanation of the DfE Digital Standards can be seen in our video: The DfE Digital Standards Explained.
All schools and colleges should be aware of the core DfE Digital Standards which they should be compliant with by 2030: