Data protection

The Data Protection Act 1998 is designed to safeguard personal data and allow organisations to collect and process this data for legitimate purposes.

All schools are required to have a registration under the Data Protection Act 1998.

To ensure you are compliant with this law, you need to notify the Information Commissioner's Office of the type of personal data you hold.

Failure to notify is a criminal offence.

A notification registration lasts for one year and it will cost you £35 to register your school.

Register now

Under the Data Protection Act 1998 all schools processing personal data must comply with the eight data protection principles:

  • Fairly and lawfully processed
  • Processed for limited purposes
  • Adequate, relevant and not excessive
  • Accurate
  • Not kept longer than necessary
  • Processed in accordance with the data subject's rights
  • Secure
  • Not transferred to other countries without adequate protection.

Guidance and resources for schools

The Information Commissioner's Office (ICO) website has guidance and resources for school. Please visit:

Practice notes summary

  • All employees need to ensure that other people’s information is protected and kept safe at all times
  • If personal information is taken from one location to another it must be done in the safest possible way
  • Equipment should be fully password protected and encrypted, and kept secure at all times
  • Files, diaries, notepads or computer equipment must never be left unattended in vehicles or on public transport.

Ealing Council documents

Dos and don'ts of data protection* (pdf) login required
Some guidance on how to comply with the act.

Ealing data protection policy* (pdf) login required
Information includes the council's responsibilites, what the act means for the individual and the Ealing framework.

Ealing data protection principles* (pdf) login required
Detailed explanation of the eight principles of data protection.

Changes to the GDPR - May 2018

On 25 May 2018, the European Union (EU) General Data Protection Regulations (GDPR) will come into effect in the UK.

The government has confirmed that the UK’s decision to leave the EU will not prevent the introduction of the GDPR.

As schools are data controllers they are required to comply so it is important that governors and trustees begin to consider any potential impact.

The GDPR apply to all personal data collected by an organisation.

Schools might find the following document useful:

Be prepared for the changes to the GDPR in May 2018 (pdf)

National websites

Data Protection Act 1998 (
Ministry of Justice on data protection (GOV.UK)

Contact us

Lorraine Cox
Tel: 020 8825 5512

Was this page useful? 
Last updated: 02 May 2018