
Know Your IT Support Provider: IT Support Due Diligence for Schools and Colleges

Is your IT Support Provider Compliant?

Finding the right IT partner and support provider is a big decision. Due diligence for IT support isn't just about who can 'fix computers'; it's about making sure that standards are followed and that the provider works with you to deliver your organisation's strategy. Data Protection Education has a DfE IT Support Tracker and a Supplier Due Diligence Directory that provide support and guidance and track your progress.

Schools and colleges should work through the recently published DfE IT Support Standards, but these should be read alongside data protection due diligence for third-party providers, as part of your usual data protection compliance and best practice. Although the IT Support Standards are written for schools and colleges, the questions and guidance they contain are good practice for any organisation choosing an IT support provider or updating or renewing a contract with one.

Given that you are handing your IT support provider the main 'keys' (privileged access) to your safeguarding systems, student data and financial data, it's important that your due diligence is thorough.

With most systems now online, it's also imperative that the right kind of support is available when a system fails or, worse still, when a cyber attack happens.

Risks

Safeguarding Failures: it is paramount for safeguarding that filtering and monitoring systems are set up appropriately and that reports are sent regularly to the correct personnel (typically the designated safeguarding lead).

Financial Liability: checking the financial stability of an IT provider should be part of your due diligence, so that a provider ceasing to trade does not leave you without access to your systems, your data, or the administrative credentials and configuration documentation the provider holds on your behalf.

Compliance Gaps: schools and colleges should look for providers that understand KCSIE and the data protection requirements for compliance. The school, as the data controller, remains legally responsible for breaches even when the provider caused them. A cyber attack that affects personal data is a personal data breach.

The DfE IT Support Standards: The New Benchmark

In a previous article, IT Support Standards for Schools and Colleges Guidance (DfE Digital Standards), we summarised the new standard.

The standards that the schools and colleges should meet are:

  1. Make sure IT support helps you meet the digital and technology standards
  2. Make sure IT support actively maintains and improves your digital technology in line with your digital strategy
  3. Make sure your IT support is responsive and meets agreed service expectations
  4. Review your IT support at least once a year
  5. Make sure staff get clear guidance and training on using technology

DPE Customers can get further help, support, guidance and access to trackers to track their progress of the DfE Digital Standards through our Knowledge Bank platform. 

Data Protection Education also provides a specific IT Support Tracker:

  • Questions to ask your IT support provider: IT support is more than fixing computers, and due diligence is critical.
  • IT Support Checklist: questions to ask your IT support provider to ensure data protection compliance and strategic alignment.

This is also included in our data protection compliance reports, which customers can run themselves and on which they can request DPO feedback from the team.

We provide additional documentation about roles and responsibilities when tracking the standards in a RACI chart, showing who is:

  • Responsible
  • Accountable
  • Consulted
  • Informed

Additional timeline information is also documented, so you can share with SLT and your governing body about 'who should be doing what'.

There are also many short videos to share with staff members explaining what the standards are in simple, easy-to-understand language, as we recognise that discussing IT matters with IT professionals can be overwhelming.

SLT Digital Lead

Appointing the SLT Digital Lead is the first check that needs to be completed, and we have provided help, support and guidance on how to identify that person in your organisation:

The SLT Digital Lead in schools plays a crucial role in driving digital strategy, ensuring the effective integration of technology into teaching, learning, business continuity, cyber security and administrative processes.

Who should be the SLT Digital Lead?

1. An SLT Member - for example, the deputy head or an assistant head teacher. Being a member of SLT means they have the authority and influence in school decision-making.

2. Background in Teaching - they should have a deep understanding of teaching and learning and how technology can enhance it, for example experience as a classroom teacher or curriculum leader.

3. Technology Proficient - they don't need to be technical like an IT technician, but they should have a strong grasp of digital tools, trends and how they are used in education.

4. Strategic Thinker - they should be capable of understanding and helping to implement the long-term vision for digital transformation in the organisation.

5. Effective Communicator - the digital lead should be skilled in engaging everyone and able to communicate the benefits and goals of the digital strategy. They will need to consult and inform various staff and third parties effectively.

6. Organisational and Management Skills - they will need to keep track of where the organisation is against the digital standards and be able to assign tasks to various members of staff and third parties.

Responsibilities

1. Strategic Leadership - they should keep track of where the organisation is with applying the digital standards and understand and plan how the standards can be met.

2. Staff Training - they should help facilitate the required training by consulting and informing relevant staff and governors.

3. Collaboration - they will need to collaborate and inform staff members and third parties, including governors and leadership.  They should consult experts for answers to questions and advice on how to meet the standards.

4. Monitoring and evaluation - they should regularly review whether the standards are being met, particularly those with current legal requirements such as data protection and filtering and monitoring. Standards that are currently met should continue to be reviewed to ensure that they remain so.

Who Typically Takes on the Role?

  • Deputy Headteacher or Assistant Headteacher: Often suited due to their experience in both strategic planning and operational oversight.
  • IT or Computing Specialist SLT Member: A leader with a background in computing or technology may bring specific expertise. Not the IT Manager or Technician.
  • Innovative Curriculum Leader: Someone passionate about integrating technology into pedagogy.

The choice of this individual is critical to success. Alongside the qualities and responsibilities above, consider the following when selecting the digital lead:

Factors to Consider When Selecting the Digital Lead
  • Interest and Expertise: choose someone genuinely interested in technology and its potential for education.
  • Support Network: ensure they have the backing of the headteacher, SLT and the central trust team, and access to IT support staff.
  • Time Allocation: give the lead dedicated time and resources to fulfil the role effectively.

DPE Customers can download an overview of the DfE Digital Standards here

Supplier Due Diligence

Supplier due diligence is a requirement under Article 28 of the UK GDPR: a 'data controller' (you) is legally required to use only 'data processors' (the provider) that provide sufficient guarantees, and Article 28(3) requires that the processing is governed by a written contract setting out its subject matter, duration, nature and purpose. A controller is primarily responsible for its own compliance and for ensuring the compliance of its processors. This means that, regardless of the terms of the contract with a processor, the controller may be subject to any of the corrective measures and sanctions set out in the UK GDPR. These include orders to bring processing into compliance, claims for compensation from data subjects and administrative fines.

We advise our customers to work through a series of due diligence steps:

1. Initial screening - use our DPIA Lite form to confirm whether the data sharing is limited.
2. Deeper due diligence - if medium or high risk is identified, use the extended questions to investigate further.
3. Full DPIA - for tools confirmed as high risk, a complete, formal DPIA is required.

Perform a 'sense' check on all tools: always verify that a tool is age-appropriate and secure, even if it seems low risk.

Avoid relying on consent as the lawful basis for processing.

Be cautious with AI and new ed tech: assess carefully before allowing student access.

Our customers can access our Due Diligence Directory for any generic risk assessments already completed by Data Protection Education.

Anyone assessing a cloud provider should perform supplier due diligence alongside the DfE Cloud Solutions Standards and the IT Support Standards to ensure you meet data protection compliance standards and cyber security recommendations.
