The ICO's edtech audit programme, covering 28 providers used across UK primary and secondary schools, has resulted in one of the most significant data protection reports to affect the education sector in years. Published in June 2025, the ICO's EdTech Examined report made 596 recommendations and found widespread compliance failures in how edtech providers handle children's personal data. This article sets out what was found and what schools and

The Department for Education (DfE) updated its Data protection in schools guidance on 17 June 2026, this refresh aligns the guidance with the wider expected KCSIE 2026 guidance and reinforces existing obligations that schools should already be acting on.

This article sets out what has changed, what it means for your school in practice, and the actions your data protection lea

The Keeping Children Safe in Education (KCSIE) document obliges schools and colleges in England to “ensure appropriate filters and appropriate monitoring systems are in place and regularly review their effectiveness”. This responsibility is now a standard, no just a technical tick box, but a core leadership and safeguarding function.

In May 2026, Shottermill Junior School in Haslemere, Surrey became the latest UK primary school to fall victim to a ransomware attack. The LockBit 5.0 group officially listed the school as a victim on 9 June 2026, with threat intelligence monitors detecting the initial network infiltration as far back as 20 May 2026. This means the attackers had approximately three weeks of dwell time inside school systems before the attack became public

When a Multi-Academy Trust (MAT) accidentally leaks highly sensitive pupil data, it makes national headlines.

Earlier this year, we brought together schools and multi academy trusts from across the sector for a day focused on something that continues to challenge us all:  data protection in education.

The response was incredible.

On 4 June 2026, Powys County Council confirmed that a cyber security incident had resulted in the theft of personal data belonging to pupils, staff, and others connected to schools in mid-Wales. Thirteen schools were affected by the wider incident, with personal data specifically taken from at least one. The attack was first identified in April 2026 and, according to the council, was “quickly contained”, but not before

As your external Data Protection Officer, we are pleased to introduce the May 2026 updates to our suite of model privacy notices. These revisions ensure that the schools we support remain at the forefront of compliance, specifically addressing the requirements of the Data Use and Access Act (DUAA) and the Children's Wellbeing and Schools Act.

We present an article written by our Featured Guest Expert Ralph T O'Brien for our school and multi academy trust customers about the Data Use and Access Act where he breaks down what the latest legislative changes mean for the education sector.

📢 Thinking about your training for inset days in September? Then look no further and book onto our online training sessions.

ChatGPT, Gemini, Copilot and Data Protection

A Practical Guide for School Leaders and Data Protection Officers

This article combines guidance from the Guardians of Privacy series, produced by Data Protection Education in collaboration with Litus Digital, with urgent new advice issued in May 2026 following confirmed blackmail attempts against UK schools using AI-manipulated images of children. Key sources include the UK Safer Internet Centre (8 May 2026) and the Internet Watch Foundation.

Cyber attacks on schools are no longer a distant threat. The Department for Education (DfE) has just launched a dedicated Cyber Security Hub to help schools navigate this growing danger, and as a school leader, it's worth understanding exactly what it offers and why it matters.  If you were at our conference in February you were lucky enough to see a preview of the tool!

The main benefit of multi-factor authentication (MFA) is that it significantly enhances your organisation's security by requiring users to verify their identity using more than just a username and password.

🔒  World Password Day 2026

Keeping your organisation secure in a changing authentication landscape

The Cyber Security Breaches Survey 2025/2026 was published on 30t April 2026 by DSIT and the Home Office.  We outline the current threat picture for schools.

What is this? A new law that came into force on 29 April 2026. It changes how schools, councils, health services and police work together to keep children safe. Several parts of it directly affect how schools handle children's information. Data Protection is now embedded within Safeguarding practice.

Navigating the entry requirements for educational settings can sometimes be confusing for both the school and the visitor.  To ensure a smooth, secure, and legally compliant process, it is essential to balance safeguarding requirements with data protection principles and DfE guidance.

Following the popularity of our recent CCTV webinar, we've published some pointers for headteachers, governance professionals, head of operations and estates managers about CCTV compliance.

We discuss the legal obligations and common pitfalls of CCTV surveillance under the UK GDPR and Data Protection law.

To operate CCTV lawfully, organisations must move beyond just installing camera.

The DfE has announced a new update to the DfE Digital Cyber Security Standards for Schools and Colleges.

The DfE Wireless Networks is part of the DfE Digital Standards guidance and has recently been updated to include references to Wi-Fi7. You must check with this standard before you plan any Wi-Fi upgrades!

There is a now clear guidance that specifies that any new wireless solution or upgrade must, at a minimum, meet the Wi-Fi 8 standard.

Wi-Fi 7 provides significantly higher throughput and lower latency. In a classroom where 30 students might si

Just at the start of the Easter holidays, an IT system called C2K was the target of a cyber attack. The attack disrupted access to digital tools used by schools across Northern Ireland at a critical point ahead of the exam season. 

🔄☁️ Having a robust backup is being prepared against data loss and data theft.  March 31st is World Backup day to remind everyone of the importance of having a robust and accessible backup.

St Anne's Catholic School in Southampton has been forced to close four days after a cyber attack.

We're pleased to share our Acceptable Use Policy & Agreement for volunteers in response to our customer's requests.

This policy ensures the volunteers in your organisation use school technology responsibly and protect the personal data of pupils and staff. 

We typically see a spike in Subject Access Requests (SARs) at the end of term.  Understanding how to recognise and response to these requests is vital for staying compliant with Data Protection Law.

Did you know there is an increase in cyber attacks on a long weekend? Long weekends and holidays are 'peak season' for hackers who exploit reduced oversight.

A paper archive is a physical collection of documents, records and contracts stored in their original hard-copy form.  This article discusses best practice guidance for keeping records, safe, secure and accessible - an archive is much more than just a 'storage unit'.

Schools are increasingly required to manage sensitive information in ways that balance transparency, fairness, and data protection. One area that frequently creates confusion is the difference between redaction undertaken for a Subject Access Request (SAR) and redaction applied when preparing documentation for a Permanent Exclusion (PEX) Review Panel. The Redaction Guide for PEX Panels has been introduced to address this issue and provide clear, practical guidance for staff.