- Victoria Hodkinson
- Best Practice Updates
Navigating the Future: 2026 Privacy Updates, Data Access, and Student Wellbeing
As your external Data Protection Officer, we are pleased to introduce the May 2026 updates to our suite of model privacy notices. These revisions ensure that the schools we support remain at the forefront of compliance, specifically addressing the requirements of the Data Use and Access Act (DUAA) and the Children's Wellbeing and Schools Act.
These updates represent a significant step forward in transparency, particularly regarding the integration of digital systems and the holistic support of the school community.
AI and the Data Use and Access Act (DUAA)
The Data Use and Access Act (DUAA) has established essential guardrails for the use of automated and digital systems in education. Our updated templates now explicitly detail how schools leverage AI to support their mission while protecting individual rights:
- Empowering Learning & Accessibility: The updated Pupil Privacy Notice introduces sections on how AI-assisted tools support translation, accessibility, and personalised learning feedback.
- Workforce Efficiency: The Workforce Privacy Notice now outlines the use of AI for document summarisation, recruitment screening, and administrative planning.
- The Human Element: Central to DUAA compliance is the guarantee of human oversight. No significant decisions affecting a student’s education or an employee’s contract will be made by an automated system alone.
The Children's Wellbeing and Schools Act
The Children's Wellbeing and Schools Act reflects increased data sharing between agencies. We have deepened our policy templates to reflect these duties:
- Holistic Support: Data collection and sharing categories have been expanded to include specialised mental health and wellbeing support services.
- Integrated Safeguarding: Policy language now reflects closer collaboration with safeguarding partners and public health bodies to identify and respond to welfare concerns more effectively.
- Medical Duty of Care: In line with the Act’s emphasis on health, the notices clarify the legal obligation to process essential medical data to support children with various medical conditions.
Security and Transparency: Key Protocol Enhancements
Beyond AI and wellbeing, we have strengthened general data protocols across all notices:
- Legitimate Interests: We have provided greater clarity on when schools may process data for "legitimate interests," such as maintaining network security, preventing fraud, and ensuring operational resilience.
- International Safeguards: As schools increasingly use global educational tools, we have updated the "International Transfers" sections to ensure any data processed outside the UK meets rigorous adequacy standards.
- The Appendix A Mandate: Transparency is now more granular. There is a strict requirement for schools to explicitly list all third-party app and service providers in Appendix A, ensuring parents, staff, and pupils know exactly who is processing their data.
Next Steps
These updates ensure that as the schools we serve grow more digital, they also grow more secure and supportive. We encourage school leadership and governors to review these updated notices to ensure they are tailored to their specific local setting.
Ensure you communicate any changes to those individuals affected.
Download our new privacy notice templates:
🆕Governor and Trustees Privacy Notice Template
General Privacy Notice Template
Employee Privacy Notice Template
Summary of Changes/Updates
1. Governor & Trustees Privacy Notice
- Version Update: Updated to v1.0 (May 14, 2026) by VH.
- New AI Provisions: Explicitly includes the use of digital governance systems and AI-assisted tools for administration, ensuring human oversight for significant decisions.
- Expanded Data Categories: Now formally lists digital account access information and CCTV images as collected data.
- Refined Lawful Basis: Specifically references Schedule 1 of the Data Protection Act 2018 for processing criminal offence data (e.g., DBS checks).
- International Transfers: Added a section regarding safeguards for data processed outside the UK.
- Annual Review: Formalised a requirement for the notice to be reviewed annually or following legislative changes.
2. General Privacy Notice
- Version Update: Updated to v3.2 (May 14, 2026) by VH.
- Legitimate Interests: Added a detailed section outlining when legitimate interests are relied upon (e.g., fraud prevention, network security) and the requirement for a balancing test.
- Mandatory Third-Party Listing: Introduced a strict requirement to explicitly list all third-party service providers (like payment or communication apps) in Appendix A.
- Expanded Sharing Categories: Broadened the list of potential data recipients to include safeguarding partners, IT/cloud providers, and law enforcement.
- Security Measures: Enhanced descriptions of technical and organisational measures used to maintain system security and detect malicious activity.
3. Employee (Workforce) Privacy Notice
- Version Update: Updated to v3.2 (May 14, 2026) by VH.
- AI Integration: Significant new section on "Automated Decision Making and AI Systems," detailing use cases like recruitment screening, document summarisation, and safeguarding monitoring.
- Data Category Refinements: Added marital status, nationality, and specific "special category" data like trade union membership and biometric data for entry/payment systems.
- International Transfers: Included specific language regarding adequacy regulations and approved contractual clauses for service providers outside the UK.
- Enhanced Security Protocols: Detailed specific measures such as encryption and staff training used to protect personnel files.
4. Pupil Privacy Notice
- Version Update: Updated to v3.3 (May 14, 2026) by VH.
- Educational Technology (EdTech) & AI: New section governing the use of digital learning platforms and AI features for accessibility, translation, and feedback.
- Safeguarding & Security: Expanded "Why we collect" and "Whom we share with" sections to specifically include online safety, filtering/monitoring providers, and mental health support services.
- Legitimate Interests: Added a specific clause for processing technical usage data to maintain the security of school devices and networks.
- Appendix A Mandate: Reinforced the legal requirement to list every app and online platform used by pupils in the Appendix A table.
