Back to School Basics for Data Protection and Cyber Security Compliance

As schools begin to welcome back students, staff and new joiners, the focus is on the new academic year: curriculum planning, safeguarding and operational logistics.  An equally critical and statutory area that demands attention is data protection and cyber security compliance.  Adhering to data protection law isn't just about avoiding fines; it's about protecting sensitive personal data of children, their families and staff.

A new year means new pupils, new records, new consent forms and new digital and paper footprints.  New staff require onboarding and existing systems should be re-evaluated for vulnerabilities.  Here's a breakdown of key compliance areas for schools to focus on before they head back to school:

Data Protection Checklist for the New Year

✅ Policy Refresh:

Check the following policies and procedures are up to date:

• Data Protection Policy
• Privacy Notices (Pupil, Workforce and General)
• Retention Schedule
• Subject Access Request Procedure
• Data Breach Procedure
• CCTV Policy (if required)
• Photo and Video Consent Form
• Freedom of Information Policy
• Publication Scheme
• AI Policy
  
  DPE Customers should review our Policies Page for template policies and documents.

✅ Data Retention:

• Ensure old digital and paper records have been removed as per your retention schedule.
• Ensure leavers have been removed from any systems, including email.
• Review our article: Guidance for the use of school email and applying email retention in schools
  
  DPE Customers should review our Records Management Best Practice Area.

✅ Consent Management:

• Review any consent forms and refresh if required and ensure there is a clear process for withdrawing consent at any time.
  
  DPE Customers should review our Photos & Video Best Practice Area.

✅ Training and Awareness:

• Schedule data protection training for all staff.
• Schedule cyber security training for anyone that has access to the organisation's systems
• Ensure any staff that have access to sensitive data receive extra training about how to keep the data safe.
  
  DPE Customers should review our Data Protection courses and learning nuggets, consider our Data Protection 2025 E-Learning which includes the Data Use and Access Act and AI.

✅Procedures:

• Remind staff about subject access procedures and how to recognise a request.
• Ensure staff understand the data breach procedure.
• Review any third party data processing agreements
• Check due diligence against any new third party agreements (preferably before sharing any personal data).
  
  DPE Customers should review the following best practice areas:
  Subject Access Requests
  Data Breaches
  Supplier Due Diligence
  
  

✅Cyber Security Compliance

With six of the DfE Digital Standards now required there are elements of cyber security and network security that should be addressed:

✅Device and Network Security:

• Ensure all school-owned devices and software are fully updated with the latest security patches before the term starts and devices are allocated.
• Review access control to the network and systems, including Wi-Fi security.
• Check anti-virus and anti-malware meets the DfE Digital Standards requirements
• Ensure your BYOD policy is clear, staff (and students if applicable) are aware of their responsibilities and appropriate security measures are in place
• Ensure you review your Acceptable Use Policy, for both staff and students.

✅Password Policies:

• Enforce strong passwords
• Implement MFA were possible. Share our MFA video which explains to staff how configuring it can help prevent data breaches.

DPE Customers should review: Password Best Practice Area

✅Awareness

• Ongoing phishing awareness training.
• Ongoing cyber response training

✅Backups:

• Confirm backups are working and only backing up what is required.
• Confirm/review/update your incident response plan.

        DPE Customers should review: DfE Cyber Security Standards

✅Remote Access:

• Review any remote access and check if it is still required.
• Remind staff of security procedures when using devices remotely
  
  DPE Customers should review our Cyber Security Best Practice Area and DfE Digital Standards Overview.  Review our Work Out of School Best Practice Area for practical security guidance.

The start of the academic year is a busy time, but prioritising data protection and cyber security compliance is an investment in the safety and trust of your community. By taking proactive steps now you will have a more secure and compliant environment.