Guidance on Data and Data Breaches

Based on DfE guidance (3/2/23)

Good data protection practices ensure that an organisation and the individuals within it can be trusted to collect, store and use our personal data fairly, safely and lawfully.

All those who process others’ personal data have to follow strict rules.

These rules are set primarily by:

The UK GDPR sets out 7 key principles that should guide you in processing personal data.

Those principles are:

  • lawfulness, fairness and transparency
  • purpose limitation
  • data minimisation
  • accuracy
  • storage limitation
  • integrity and confidentiality (security)
  • accountability

You can read more about the personal data processing principles on the website of the Information Commissioner’s Office (ICO). The ICO is the independent body that upholds the UK’s information rights.

Personal Data:

Personal data is information that relates to an identified or identifiable living individual. In a school, examples of personal data include:

  • identity details (for example, a name, title or role)
  • contact details (for example, an address or a telephone number)
  • information about pupil behaviour and attendance
  • assessment and exam results
  • staff recruitment information
  • staff contracts
  • staff development reviews
  • staff and pupil references

Special Category Data:

Special category data is personal data that’s considered more sensitive and given greater protection in law.

Special category data includes:

  • racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade-union membership
  • genetic information
  • biometric information (for example, a fingerprint)
  • health matters (for example, medical information)
  • sexual matters or sexual orientation

In a school, it would be best practice to also treat as special category data any personal data about:

  • a safeguarding matter
  • pupils in receipt of pupil premium
  • pupils with special educational needs and disability (SEND)
  • children in need (CIN)
  • children looked after by a local authority (CLA)

Criminal Offence Data

Criminal offence data is personal data that’s treated in a similarly sensitive way to special category data. It records criminal convictions and offences or related security measures. Criminal offence data includes:

  • the alleged committing of an offence
  • the legal proceedings for an offence that was committed or alleged to have been committed, including sentencing

Schools process criminal offence data in storing the outcome of a Disclosure and Barring Service (DBS) check on their employees, non-employed staff and volunteers. As this data relates to criminal convictions, collecting and retaining it means the school is processing criminal offence data. This applies even though the check has not revealed any conviction.

You can read about handling DBS data in the statutory guidance on keeping children safe in education.

Data Breaches

A data breach is a security incident that results in personal data a school holds being:

  • lost or stolen
  • destroyed without consent
  • changed without consent
  • accessed by someone without permission

Data breaches can be deliberate or accidental. A breach is about more than just losing personal data.

Breaches: When and How to Alert The Information Commissioner’s Office

The ICO offers the following advice on its website: If you are unsure whether your organisation needs to report a breach to the ICO, use our self-assessment tool or read our examples.  

UK GDPR data breach reporting (DPA 2018) | ICO

To report a breach, call our helpline on 0303 123 1113.

Our normal opening hours are Monday to Friday between 9am and 5pm. If you would like to report a breach outside of these hours, you can report online.

If you have an impairment and might need a service adjustment, please let us know. For more information about how we use your personal information, see our privacy notice.

Our helpline staff can also offer you advice about what to do next, including how to contain it and how to stop it happening again. We can also offer advice about whether you need to tell the data subjects involved.

What information will I need to provide?

When you phone, we’ll ask you questions about:

  • what has happened;
  • when and how you found out about the breach;
  • the people that have been or may be affected by the breach;
  • what you are doing as a result of the breach; and
  • who we should contact if we need more information and who else you have told.

You should ensure the information provided is accurate and supply us with as much detail as possible. We’ll send you a copy of the information you give us. 

If you have experienced a data breach and need to report it but you’re confident you can manage it without support from the ICO, you may prefer to report it online. You may also want to report a breach online if you are still investigating and will be able to provide more information at a later date.

The online form can also be used to report breaches outside our normal opening hours. 

If you are reporting online please make sure you include the telephone number of someone familiar with the breach, in case we need to follow up with you about any of the information provided.

The online form can be found here: Personal data breach reporting form

The ICO has also created a guide to help you complete the personal data breach reporting form.

How to guide – breach report form (

Member Zone

Lost your password?
Find a school Login