
Category: News

The Data (Use and Access) Act 2025

The Data (Use and Access) Act 2025 (DUA) received Royal Assent on 19 June 2025. This new Act does not repeal UK GDPR or the Data Protection Act 2018; rather, it amends the existing provisions.

We understand that this change in legislation may cause concern, so we wanted to take the opportunity to break down the key changes that may affect schools and Multi Academy Trusts (MATs) for you.

Clarification within Subject Access Requests.

The first major change that could affect schools and MATs relates to dealing with Subject Access Requests (SARs). The new legislation codifies some of the pre-existing guidance from the Information Commissioner's Office (ICO), giving schools extra protection and direction on how to deal with SARs.

  1. The Act states that organisations are only obliged to conduct searches that are ‘reasonable and proportionate’ when responding to SARs.

With the ongoing increase in information requests as a whole, this provision will allow schools to push back on overly broad requests and, in turn, reduce the time spent searching for information. The provision also reiterates the principle that you do not need to send the requester information they already hold or have access to, confirming there is no requirement to send the requester copies of emails they themselves sent or received.

This new provision commenced immediately upon Royal Assent and is in fact backdated to January 2024.

  2. The Act also enacts the ICO's guidance on ‘stopping the clock’ when obtaining clarification from requesters. This provision allows you to pause the time limit for responding to a request while you wait for clarification from the requester. It is guidance we already follow, but again, having this written into the law could provide a little protection for schools.

This new provision will require a Commencement Order before coming into effect, so watch this space for further updates.

These are not huge changes to how the ICO, or the team at Education Data Hub, deal with SARs, so they are unlikely to change our existing SAR procedures. However, they do bolster the position of schools when dealing with requests, as you can now rely on these provisions within the law should a requester dispute how a school has responded to a request.

Recognised Legitimate Interests.

The new Act introduces a list of ‘recognised legitimate interests’ that can be relied on for certain processing activities without carrying out a full legitimate interests assessment. This was created to reduce time spent on completing legitimate interest tests; however, it is unlikely to have a major impact on schools.

As a school, you will rely on the ‘public task’ lawful basis for most of your data processing, so you will not need to worry about the changes to legitimate interests for that processing.

This is an area that you may come across when working on new Data Protection Impact Assessments (DPIAs), where we, as your DPO, will assess whether a recognised legitimate interest applies to your new processing activity.

A new requirement for a ‘complaints procedure’.

There is a new requirement to have a ‘complaints procedure for data protection matters’. UK GDPR already gives data subjects the right to complain to the ICO about the way their personal data has been handled. However, the new law introduces additional requirements for your own complaints procedures.

Schools will be required to acknowledge complaints within 30 days and take appropriate steps to respond to any data protection complaint without “undue delay”.

Although this may seem daunting at first, all schools and MATs should have a pre-existing complaints procedure in place, so you should be able to incorporate data protection matters into your current procedure. You should also review your data protection policy to ensure it expressly refers to the ability to make data protection complaints and states who they should be directed to. This is something we will ensure is incorporated in the April 2026 policy suite.

Artificial Intelligence

Over the last year we have created a number of guidance documents on AI for our schools to use, including an AI policy and DPIAs. The new legislation reinforces the need to risk assess the use of any AI tool before it is adopted. Schools need a robust framework in place for AI; for our subscribing schools this means personalising our AI Policy and DPIA templates to fit the needs of your school.


The Data (Use and Access) Act 2025 Key Takeaways:

  1. ‘Reasonable searches’ does not mean records management is no longer important. Keep working on your Retention Schedule and dispose of anything you should no longer hold; a smaller, well-managed estate of records is also a smaller search and a smaller breach.
  2. Review your complaints procedure to ensure it includes data protection complaints.
  3. Don’t panic! If you subscribe to our data protection for schools service, we will provide separate guidance or policy template updates on any major changes that occur as a result of this new legislation.

Cyber Audits: A Helping Hand for Schools

In an era where schools rely heavily on digital tools for everything from lesson planning to safeguarding, it is easy for security gaps to appear without anyone realising. These gaps are rarely the result of negligence or poor practice; they emerge as technology evolves and workloads grow.

The good news? Many of these gaps can be closed quickly, easily, and often without financial strain. Whether it is tightening password policies, adjusting access controls, or updating software, many fixes require minimal effort yet provide significant protection.

When schools hear the term ‘audit’ there is often a sense of unease: an assumption that it is about catching people out, identifying failures, and making life harder. In reality, a cyber audit is far from a punitive exercise; it is an opportunity to strengthen school resilience, shore up digital defences, and uncover simple, often cost-free ways to improve security.

At Education Data Hub, our focus is on ensuring that school leaders understand the current support levels across their IT systems and are aware of the cyber security risks that may be present. By examining systems, policies, and procedures, we can help you build a more resilient digital infrastructure, ensuring staff and students remain protected in an increasingly online world.

Our team members all come from educational backgrounds. They know the pressures staff face: tight budgets, stretched resources, and the constant balancing act between security and usability. Their goal is not to make things harder for you, but to lighten the load by offering meaningful and realistic solutions.

Our cyber team is currently experiencing an exceptionally high demand and is fully booked for the remainder of this academic year. However, we are welcoming bookings for the 2025/26 academic year.


For more information about the services we offer, please email [email protected] or take a look at our page on S4S.

Password Pointers


World Password Day reminds us of the important role that passwords play as our first digital line of defence.

Here we have a few password pointers from our cyber team to support you in enhancing your online security:


Create strong passwords for important accounts. Weak passwords are one of the biggest causes of security breaches, and strong passwords, when chosen well, are a free, easy and effective way to stop unauthorised users getting into your devices and accounts. The NCSC recommends joining three random words, which gives a password that is long and memorable but hard to guess.

Use a separate password for your work account. You are likely to have many online accounts. If one of those accounts gets compromised, you do not want the attacker to have your work password too, so make sure your personal and work passwords are different.

Where available, switch on MFA. Multi-factor authentication is normally a free service and makes it much harder for cyber criminals to get into your accounts even if they have your password; an authenticator app or security key is stronger than codes sent by SMS. Where MFA is not available, a longer and more complex password should be used.

Store passwords securely. Remembering lots of passwords can be difficult. A password manager can store all your passwords securely, so you do not have to remember them. This allows you to use a unique, strong password for every one of your important accounts.

Avoid frequent password changes. The NCSC advises against forced regular password changes unless there is evidence of a compromise. Frequent changes lead to weaker, more predictable passwords and increased user frustration. Instead, focus on creating strong, memorable passwords and change them only when necessary.

Avoid predictable patterns. Steer clear of easily guessable information such as birthdays, the school name or common phrases, and of simple substitutions such as replacing letters with numbers.

Check for password compromise. Visit Have I Been Pwned to find out if your email addresses have been involved in a data breach and whether your password for that account was exposed. Changing your password is the most important thing to do if your account has been pwned. If you have reused that same password on other online accounts, change the passwords for those accounts as well, so that cyber criminals cannot reuse the leaked password to access them.

The strongest passwords are hard to guess and are not repeated across your different accounts.
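The compromise check above can also be run without sending the password anywhere. Have I Been Pwned's Pwned Passwords service uses a k-anonymity range query: the client hashes the password with SHA-1, sends only the first five hex characters of the hash, and receives every known-breached hash suffix that shares that prefix, together with a breach count; the match is then made locally. The following is an added example written for this article, not code from Education Data Hub or from Have I Been Pwned. The range response below is constructed for the example and the counts in it are made up; the only real values are the documented endpoint URL and the SHA-1 of the string "password". The live fetcher is an optional helper that is not called by default.

```python
"""Offline demonstration of the Pwned Passwords k-anonymity range check."""

import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

# Documented Pwned Passwords range endpoint: GET <URL><first 5 hex chars of SHA-1>
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample response keyed by 5-character SHA-1 prefix (not real API
# output). The real service returns hundreds of "SUFFIX:COUNT" lines per prefix,
# and when padding is requested it also returns filler lines with a count of 0.
SAMPLE_RANGE_RESPONSES: Dict[str, str] = {
    "5BAA6": (
        "1D2DA4053E34E76F6576ED1DA63134B5E2A:2\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"  # suffix of SHA-1("password")
        "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:0\r\n"        # padding entry, must be ignored
    ),
}


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case hex SHA-1 of the password into the 5-char prefix that is
    sent to the service and the 35-char suffix that is compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Turn "SUFFIX:COUNT" lines into a dict, dropping blank and zero-count (padding) lines."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def fake_fetch(prefix: str) -> str:
    """Stand-in for the network call; serves the constructed sample data."""
    return SAMPLE_RANGE_RESPONSES.get(prefix, "")


def live_fetch(prefix: str) -> str:
    """Real range query (not used by default). Only the 5-char prefix leaves the machine;
    the Add-Padding header asks the service to hide the true response size."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"User-Agent": "edh-password-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch: Callable[[str], str] = fake_fetch) -> int:
    """Return how many times the password appears in known breaches (0 = not found)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for candidate in ("password", "Sunlit-Kettle-Pylon-2024"):
        hits = pwned_count(candidate)
        verdict = f"seen {hits} times in breaches, change it" if hits else "not in the sample data"
        print(f"{candidate!r}: {verdict}")
```

To check against the live service, call `pwned_count(pw, fetch=live_fetch)`. Because only the five-character prefix is transmitted, the service learns neither the password nor which of the returned suffixes you were interested in; the padding header additionally stops an observer inferring the prefix from the response length.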

Social Media for Schools

Are you considering setting up a social media account? Or does your school already have one account, or several across different platforms, that are due for a review?

There are many benefits for schools in using social media platforms to showcase their school: sharing good news, school events and celebrations, publicity, and being part of the community, to name but a few. However, should your school or trust decide to adopt social media platforms, important considerations must be made, including the school’s obligations under UK data protection law with regard to the processing of personal data.

The list below is not exhaustive, however here are a few things to keep in mind:

  • Have you adopted our social media policy template?
  • Have you completed a social media DPIA?
  • Who is your audience: is it a public, private or group account? How will you use social media and what information will you post?
  • Are your privacy settings within the account up to date?
  • Do you know who has access to and posts on your social media (or your school website)? What happens if those authorised leave or are off work ill? Is there a contingency plan, and are their credentials and MFA devices recovered or revoked when they leave?
  • Are your consents sufficient and up-to-date and checked before publishing images/videos/posts?
  • Do you have a process for removing images when someone changes their consent?
  • Do you check and vet images and videos before posting? For example, ensure that students are appropriately dressed, consider what sensitive information is on view in the background or on classroom walls, and check whether a certificate naming children is visible.
  • Is there a housekeeping plan for images, videos and posts that sets out how long they will remain visible and when they will be removed, and does this regularly take place? Consider the digital footprint and its impact on the child or individual posted, and the ease with which published images can now be collected and processed by AI tools.
  • Regularly review the platform to ensure it is still suitable for your school’s purpose and need.
  • Report. If a breach occurs, ensure mitigating action is taken and report the breach incident as soon as possible on GDPRiS. A notifiable breach must be reported to the ICO without undue delay, and not later than 72 hours after becoming aware of it.

AI Training for School Senior Leaders

Whether we like it or not, AI is here and is rapidly becoming a fact of life. For schools to embrace and harness the potential of AI, it is essential to take strategic control, incorporating principles, practices, tools and governance.

In July 2024 the Audit and Risk Assurance Committee Handbook was updated to include a section on AI. This update requires MATs to be able to answer questions around AI, including:

  • Who owns your AI strategy at Executive level.
  • What appropriate expertise you have to oversee AI Development, and
  • How prepared you are for new regulation.

As a result, we have devised a training session to bolster senior leaders' knowledge of this area, enabling them to confidently instruct and advise the rest of the school staff.

Delivered by our Education Data Hub Team Manager, Clare Wilson, this session will cover:

  • What is AI?
  • Regulation and The Regulators.
  • AI Governors, Principles and Policy.
  • Personal Data collected by AI.
  • Where to get started.
  • DPIAS.

We have upcoming sessions that individuals can book onto:

– 29th January 2025 at 3:30pm via Microsoft Teams.
– 14th May 2025 at 4pm at The Quad, Chesterfield.
– 17th September 2025 at 3:30pm via Microsoft Teams.
– 12th November 2025 at 3:30pm via Microsoft Teams.

Please contact us at [email protected] if you require any assistance with booking training.

A night to remember! Education Data Hub brings home coveted award…

We are honoured to share that Education Data Hub has been awarded the Data Privacy Team of the Year award at the PICCASO Awards Europe.

Our team were shortlisted for the award alongside huge industry champions such as Royal Mail, Deliveroo, Revolut, and Visa.

This prestigious recognition is a testament to our continued commitment to support best practices in data protection, data privacy, and cyber risk in the education sector.

Big thanks go to the judges for their recognition, to our dedicated team, our loyal schools and MATs, and to our supportive partners. Your continued support inspires us to strive for even greater heights.

We now look forward to the Real Cyber Awards later on this month, with fingers crossed for a similar win in the Cyber Public Service category.

How to Deal with Environmental Information Requests in Schools

What is an Environmental Information Request?

The Environmental Information Regulations 2004 (EIR) were created to provide public access to environmental information held by public authorities and to encourage greater awareness of issues that affect the environment.

Schools have two main obligations under the Regulations. You must:

  1. Make environmental information available proactively.
  2. Respond to requests for environmental information.

What is Environmental Information?

The term ‘environmental information’ is defined in regulation 2(1) of the Environmental Information Regulations 2004.

In short, it refers to all information which relates to the environment in any way. The following non-exhaustive list gives the types of request schools could expect:

  • Requests for information about buildings and constructions on school sites.
  • Requests for information relating to planning permissions and land sales.
  • Requests for information relating to waste and contamination.
  • Any financial data in relation to environmental information / land use of school sites.

If you are not sure whether a request falls under environmental information, please ask your Data Protection Officer for assistance.

Who can make a request?

Anyone can make a request for information under the Regulations, including members of the public, journalists, researchers, and campaign groups.

An EIR request can be made either in writing or verbally, and the requester does not need to quote the Environmental Information Regulations. If the request relates to environmental information, you treat it as an EIR request.

Do we have to respond to every request?

Yes, you are required to respond to every request, even if your response is that you do not hold that information.

There are exceptions under the Regulations which allow you to withhold information where the public interest in withholding it outweighs the public interest in disclosing it. In that case you are still required to respond to the request, explaining which exception you are relying on and why.

Your Data Protection Officer will help you decide if an exception applies.

What if I don’t know the answer?

You only have to disclose information you hold in recorded form; you do not need to create new information merely to answer a request. If you hold no recorded information on a point, you cannot be expected to answer that point, but you must still tell the requester so.

You are obliged to offer the requester advice and assistance. If you do not hold the requested recorded information, you must inform the requester of this, clarify why that information is unavailable, and share any relevant details you do hold that might assist with their request.

When do we have to respond by?

Under the Regulations, you must respond to a request within 20 working days; however, there is provision to extend the response time to 40 working days if the request is complex and voluminous.

How do we respond to an EIR request?

Here at Education Data Hub, we provide schools with a ‘How to Guide’ for dealing with Environmental Information Requests.

This works in a similar way to our Freedom of Information process. The first step is for the school to log the request; from there you will receive correspondence from us, as your Data Protection Officer, with advice on how to deal with it. This will contain a template acknowledgement letter and a response template for your answer.

If you are unsure whether a request falls under the Freedom of Information Act 2000 or the Environmental Information Regulations 2004, our client schools can forward the request to us and we will decide for you.

It is good practice to keep a log of all requests you have received, the relevant dates and your response, so that your school has an audit trail.

If you require any assistance dealing with Environmental Information Requests, or any other requests, please get in touch at [email protected]

Data Protection for Designated Safeguarding Leads

The DfE’s Keeping Children Safe in Education (KCSIE) statutory guidance states that Designated Safeguarding Leads (DSLs) are required to ‘act as a source of support, advice and expertise for all staff’.*

Annex C of KCSIE outlines that one of the roles of DSLs is to ‘understand relevant data protection legislation and regulations, especially the Data Protection Act 2018 and the UK General Data Protection Regulation’.*

Added to that, the concluding report and recommendations of the Independent Inquiry into Child Sexual Abuse (IICSA) suggest significant changes need to be made in the way school staff report concerns.

It has never been more important to ensure your DSLs are equipped to navigate this area of data protection and UK GDPR.

We have devised a training session to bolster and embed DSL knowledge in this area, enabling them to confidently instruct and advise the rest of the school staff.

Delivered by our Education Data Hub Team Manager, Clare Wilson, this session is aimed at DSLs and Deputy DSLs and will explore:

  • KCSIE 2024
  • the IICSA Recommendations
  • Information Sharing Advice for Practitioners May 2024
  • ICO 10 Steps to Information Sharing to Safeguard Children
  • DfE Dealing with Subject Access Requests Apr 2024
  • and the latest case law

to provide you with a thorough understanding of:

  • Recording concerns
  • Retaining records
  • Transferring records
  • Securing records
  • Sharing information
  • Responding to requests for records

We have an upcoming session that individuals can book onto HERE.

Please contact us at [email protected] to enquire about bespoke sessions for MATs.


* Information taken from KCSIE May 2024, pending publication in September 2024.

Why Schools Shouldn’t Share Security Information Online

In an age where transparency is highly valued, it is understandable that schools want to keep parents, students, and staff well informed about what is going on. However, when it comes to security, it is best to keep things under wraps.

Here are just a few reasons why schools should not post their Critical Incident Plans or IT Disaster Recovery Plans on their websites:

1. You don’t have to!

There is government guidance available to all schools that sets out exactly what must or should be published on school websites. It is regularly updated, and you can find it using the links below:

What maintained schools must or should publish online

What academies and further education colleges must or should publish online

2. Keep Your Plans Secret – Increase Your Cyber Resilience

Imagine if someone who wanted to cause trouble knew exactly how the school handles emergencies or IT disasters. When security plans are posted online, it is like giving potential attackers a blueprint of the school’s defences: which systems are considered critical, where backups are kept, who is contacted and in what order. Perpetrators could find weak spots and take advantage of them, or target the named individuals to gain access to school systems. By not sharing this information online, schools reduce that risk and improve their cyber resilience at no cost.

3. Protecting Personal Information

School security plans often include information about the people who keep the school safe. This might encompass names, roles, access levels, and even personal contact details. If these details are shared online, not only could this be a breach of UK GDPR, but those individuals could be at risk of being targeted, for example by phishing emails or phone calls that impersonate a colleague during an incident.

4. Insurance Policies

If you left a note on your car telling someone where the keys were, would you expect your insurance company to pay out if it was stolen? Publishing detailed school security and recovery plans on your school website may void insurance policies, so please check the small print. To be on the safe side, don’t publish them!

Transparency is crucial in many aspects of school administration, but security information should be handled with the utmost discretion so that schools can better protect their students, staff, and wider school community from potential threats.


We support schools and MATs all over the UK. CONTACT US today to find out how Education Data Hub could support you.