Creating a safe learning environment: Data security in schools


According to the UK's Department for Education (DfE), technology in education leads to improved teaching practices, better outcomes for pupils, and operational efficiencies. As digital technologies become central to the education system, ensuring data protection in schools is crucial for a safe learning environment.

Data security and GDPR compliance in schools

Schools hold large amounts of personal data (often called Personally Identifiable Information, PII) on both staff and pupils: information that identifies individuals directly, or could do so when combined with other data. As such, it is protected by UK GDPR.
For professionals providing IT support for schools, safeguarding this data and ensuring GDPR compliance is crucial. However, for resource-stretched IT teams in schools, this is just part of a long to-do list, which often includes managing older systems and legacy IT.

In this article, we'll look at:

  • Why data security is essential for complying with GDPR in schools.
  • Common data vulnerabilities faced by schools.
  • How to assess the security of your school’s data.
  • Steps you can take to improve your school’s data security.
  • Measures to take to ensure your school is UK GDPR compliant.

Why data security is essential for UK GDPR compliance

Data security refers to the technical measures and processes schools establish to safeguard their data. While UK GDPR has a specific ‘security principle’, maintaining compliance with all seven of its principles depends on effective data security.

Principles set out by the UK GDPR:

  1. Lawfulness, fairness and transparency. Schools must have a lawful basis for collecting data and be clear and open with individuals about how their information will be used. Data security incidents can lead to unauthorised access and misuse, in breach of GDPR.
  2. Purpose limitation. Schools must be clear about why they are processing individuals’ information and record those purposes in their processing documentation. Data can only be used for a new purpose if it is compatible with the original one, if the individual consents, or if there is a clear legal basis for it. If there is unauthorised access, information can be used in ways individuals were never told about.
  3. Data minimisation. Schools should process the minimum data needed to complete a specific purpose. Any data that is no longer needed should be deleted. Storing more data than the minimum broadens the attack surface for cybercriminals, making a breach more likely and potentially more damaging.
  4. Accuracy. Data must be kept up to date. If any data is incorrect or misleading, you must take ‘reasonable steps’ to correct or erase it. Unauthorised access can result in records being altered, and such changes are hard to detect and rectify.
  5. Storage limitation. Schools must not store data for longer than is needed. If you no longer need it, it should be deleted or anonymised. As with data minimisation, storing data for longer than you need increases the attack surface for cybercriminals and puts greater amounts of data at risk.
  6. Integrity and confidentiality. Also known as the ‘security principle’, the ICO says, “You must ensure that you have appropriate security measures in place to protect the personal data you hold.” Schools’ technical data security measures such as firewalls, anti-malware and encryption are critical for complying with GDPR’s security principle.
  7. Accountability. Schools must take responsibility for GDPR and ensure they comply with all of its principles, while maintaining accurate records and documentation.

Looking at these seven principles, strong data security measures are key to maintaining your school’s compliance with GDPR. Protecting your IT infrastructure is essential for preventing unauthorised access, avoiding data breaches, and safeguarding your school’s data.

How cyber incidents lead to data breaches

Schools’ sensitive data is an attractive target for cybercriminals. In the UK Government’s Cyber security breaches survey 2024, 71% of secondary schools identified a breach or attack in the last 12 months, considerably more than the average across all UK businesses.

Schools that experience a cyber incident may face a reprimand from the Information Commissioner’s Office (ICO) for failing to comply with UK GDPR.

In December 2023, a school in Coventry was reprimanded by the ICO for a data breach that exposed the data of over 1,800 individuals following a cyber incident. The ICO had already given the school guidance after previous incidents, but it had failed to address the issues of inadequate account lockout policies and the use of reversible password encryption. In addition, employees lacked training on secure password practices.
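The two technical failings named in that reprimand, reversible password storage and a missing lockout policy, are easy to see side by side in code. The block below is an added example, not code from the original article, the school or any product: the "reversible" scheme is a constructed stand-in for any transform that can be undone, the scrypt parameters and lockout thresholds are assumed values, and the account store is an in-memory toy.

```python
# Added example (not from the original article or any vendor's code): the two
# weaknesses the ICO cited, reversible password storage and no account lockout,
# next to the hardened form. Parameters and the toy store are assumptions.
import base64
import hashlib
import hmac
import os
import time


# Weak: a "reversible" scheme. Anyone who reads the user database recovers every
# password. base64 stands in for any reversible transform; it is constructed here.
def store_reversible(password: str) -> str:
    return base64.b64encode(password.encode()).decode()


def recover_reversible(stored: str) -> str:
    return base64.b64decode(stored).decode()


# Hardened: per-user random salt, memory-hard scrypt, constant-time comparison.
SCRYPT_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1}


def hash_password(password: str, salt=None) -> str:
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return "scrypt$%s$%s" % (salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    _, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.scrypt(
        password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Hashed once so that a login for an unknown user costs the same as a real one.
DUMMY_HASH = hash_password("not-a-real-password")


class AccountStore:
    """In-memory accounts with a lockout policy (thresholds are assumed values):
    MAX_FAILURES bad attempts inside WINDOW seconds lock the account for
    LOCKOUT seconds."""

    MAX_FAILURES = 5
    WINDOW = 300
    LOCKOUT = 900

    def __init__(self):
        self.users = {}         # username -> stored hash
        self.failures = {}      # username -> timestamps of recent failures
        self.locked_until = {}  # username -> time the lock expires

    def add_user(self, username: str, password: str) -> None:
        self.users[username] = hash_password(password)

    def login(self, username: str, password: str, now=None) -> str:
        """Return 'ok', 'denied' or 'locked'."""
        now = time.time() if now is None else now
        if self.locked_until.get(username, 0) > now:
            return "locked"
        stored = self.users.get(username)
        # Verify against DUMMY_HASH for unknown users so timing does not reveal
        # which usernames exist; the result is still a denial.
        ok = verify_password(password, stored or DUMMY_HASH) and stored is not None
        if ok:
            self.failures.pop(username, None)
            return "ok"
        recent = [t for t in self.failures.get(username, []) if now - t <= self.WINDOW]
        recent.append(now)
        self.failures[username] = recent
        if len(recent) >= self.MAX_FAILURES:
            self.locked_until[username] = now + self.LOCKOUT
            return "locked"
        return "denied"
```

In a Windows domain the equivalent controls are Group Policy settings rather than code: the "Store passwords using reversible encryption" policy must be disabled, and the "Account lockout threshold" must be set to a small number of attempts. The lockout in the example counts only failures within a window, so a handful of genuine typos over a day do not lock a teacher out, while a guessing run does.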

Cybercriminals have access to more resources than ever, putting underfunded schools at a disadvantage. As schools adopt more technology, the number of vulnerable entry points increases, along with the risk posed by their unique data sets.

Key data vulnerabilities in schools

Schools collect 'Special category data'

This includes information on religious beliefs, ethnic origin, health, and children with special educational needs, as well as criminal offence data obtained through employee DBS checks (handled under separate but similarly strict rules). This data is given special protection by law, and staff must understand the rules for processing, handling and storing it.

Phishing attacks and ransomware

Phishing is often cyber criminals’ first line of attack. According to the UK Government’s Cyber security breaches survey 2024, 92% of primary schools and 89% of secondary schools had identified phishing attempts.

A successful phishing attack can lead to malware, payment fraud, data theft and ransomware. In 2022, confidential data from 14 UK schools was leaked online by a ransomware gang. In June 2024, The Billericay School in Essex was forced to close following a ransomware attack, despite industry-standard firewalls, firmware and anti-malware being in place.

Human error

With an already stretched IT team, the constant onboarding and offboarding of students and staff increases the risk of accidental breaches. Staff without security awareness training are more likely to click on phishing links or reuse passwords, and staff unfamiliar with UK GDPR are more likely to mishandle personal data, leaving school data vulnerable to cyber threats.

Legacy systems

IT support teams in schools often have to contend with outdated technology. Older, unsupported software, problems with patching and difficulties integrating the latest security measures leave more weaknesses on the network, making schools easier targets for attackers.

Is the data in your school safe? How to assess vulnerabilities

Cybercriminals are experts in detecting vulnerabilities across your IT infrastructure. It’s vital you discover them first.

While legacy systems and outdated tech are common in schools, they’re only part of the problem. Cyber incidents often have several contributing factors, making a comprehensive IT Audit essential.

Commenting on the ransomware attack that disrupted London healthcare services in July 2024, Dr Daniel Gardham from the University of Surrey's Centre for Cyber Security said,

“If you have old computers, then simply put, there’s going to be unpatched vulnerabilities. This means that there are ways in for attackers.”

He pointed out that many breaches are due to lapses in basic security, such as weak passwords.

An IT audit is designed to uncover these risks. It identifies technical weaknesses in your school’s IT systems and software and evaluates the processes in place to safeguard data. Audits often measure against industry standards and best practices, such as ISO/IEC 27001.

For example, an IT audit will assess:

  • Unpatched systems and outdated software.
  • Misconfigured security settings and network vulnerabilities.
  • Gaps in data encryption.
  • Access policies for highly sensitive data, pinpointing where they need to be more rigorous.
  • Training, onboarding and offboarding procedures, and overall cyber hygiene policies.

An IT audit will highlight key technical vulnerabilities and gaps in policies and procedures, helping to protect your school’s data from cyber criminals and reducing the risk of accidental breaches due to human error.

Steps to improve your school's data security

  1. Implement a strong password policy. 
    When it comes to passwords, the entire school community has a role in keeping school data safe. Everyone, from students to teachers must be educated on why strong passwords are important, how to create them and why they shouldn’t be reused.

    Writing passwords on Post-its might be convenient, but it's a serious security risk. In one case, a student spotted a teacher’s password on a sticky note, guessed it was reused, and accessed the school's Management Information System (MIS). The student altered exam grades and accessed 20,000 records, leading to an ICO reprimand for the school. Where the MIS supports it, multi-factor authentication means a password found on a sticky note is not enough on its own.
  2. Create a patch management strategy.

    An IT audit will reveal outdated systems and unpatched vulnerabilities, exposing serious security risks. Prioritise patching the most critical weaknesses first to protect your systems and school.

    If an organisation fails to patch a known vulnerability leading to a breach, the ICO may hold that organisation responsible. It recently reprimanded the London Borough of Hackney for failing to apply a patch management system across devices, contributing to a ransomware attack and a breach of sensitive data.

  3. Use encryption for sensitive data.

    Encryption procedures are essential for schools to comply with the Security principle. The ICO highlights pseudonymisation and encryption as ‘appropriate technical and organisational measures’ needed to comply with this principle.

    Data must be encrypted in transit and at rest. In transit means anything crossing a network, including email, cloud sync and connections to the MIS, should use TLS or an equivalent. At rest means full-disk encryption on laptops and any device that leaves the site, and encrypted storage for servers and backups, so that a lost or stolen device does not become a data breach.

  4. Establish a robust backup strategy. 

    An effective backup strategy is vital for protecting your school against accidentally deleted files or if they become corrupted through cyber criminal activity. 14% of primary and 17% of secondary schools reported being affected by spyware, malware and viruses in 2023.

    Up-to-date backups held offline can get your school’s systems up and running again. The NCSC recommends the ‘3-2-1 backup strategy’: keep at least three copies of the data, on two different types of storage, with one copy held offsite. At least one copy should be offline or otherwise unreachable from the network, so ransomware that encrypts the live systems cannot reach it. All backup copies should be encrypted to prevent unauthorised access and to comply with GDPR, and restores should be tested regularly, because an untested backup may not work when it is needed.

  5. Use Mobile Device Management (MDM) for student devices.

    A steady influx of new students bringing their own devices (BYOD) makes onboarding and offboarding a constant job.

    With MDM, all student devices used in school must meet the same configuration and security standards. This means firewall rules, password policies and encryption procedures are followed.

    Combined with network segregation, such as a separate VLAN for student and BYOD devices, it keeps those devices away from staff systems and the MIS. If someone accidentally downloads malware, it is much easier to detect and contain before it spreads across the entire network.

    MDM helps protect against a data breach. If a laptop is stolen or lost, it can be remotely wiped, ensuring that sensitive data doesn’t get into the wrong hands.

  6. Cyber security monitoring in schools.

    To comply with the GDPR Security Principle you must,

    ensure that you have appropriate processes in place to test the effectiveness of your measures, and undertake any required improvements.

    Continuous cyber security monitoring identifies vulnerabilities and detects potential threats. It can also monitor system logs for unauthorised access, helping you react quickly to issues.
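Monitoring system logs for unauthorised access means more than storing them; something has to read them and raise findings. The block below is an added example, not code from the original article or any monitoring product: it scans authentication log lines for three signals relevant to the incidents described above, a burst of failed logins on one account (what a lockout policy should stop), a success that immediately follows such a burst (a guess that eventually worked), and a success outside school hours. The log format, the sample lines, the thresholds and the 07:00 to 19:00 school day are all constructed assumptions.

```python
# Added example (not from the original article or any vendor's code): scanning
# authentication log lines for unauthorised-access signals. The log format,
# sample lines and thresholds are constructed assumptions.
import re
from collections import defaultdict, deque
from datetime import datetime, time as dtime

# Constructed sample log in an assumed "timestamp EVENT user=... src=..." format.
SAMPLE_LOG = """\
2024-09-12T08:01:12 LOGIN_SUCCESS user=jsmith src=10.20.1.15
2024-09-12T08:03:40 LOGIN_FAILURE user=admin src=10.20.5.77
2024-09-12T08:03:41 LOGIN_FAILURE user=admin src=10.20.5.77
2024-09-12T08:03:43 LOGIN_FAILURE user=admin src=10.20.5.77
2024-09-12T08:03:44 LOGIN_FAILURE user=admin src=10.20.5.77
2024-09-12T08:03:46 LOGIN_FAILURE user=admin src=10.20.5.77
2024-09-12T08:03:50 LOGIN_SUCCESS user=admin src=10.20.5.77
2024-09-12T12:30:05 LOGIN_FAILURE user=jsmith src=10.20.1.15
2024-09-12T12:30:20 LOGIN_SUCCESS user=jsmith src=10.20.1.15
2024-09-12T23:15:02 LOGIN_SUCCESS user=mjones src=203.0.113.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGIN_SUCCESS|LOGIN_FAILURE) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

FAILURE_THRESHOLD = 5           # failures per user inside the window (assumed)
WINDOW_SECONDS = 300            # sliding window length (assumed)
SCHOOL_HOURS = (dtime(7, 0), dtime(19, 0))  # assumed school day


def parse_line(line):
    """Return (timestamp, event, user, src) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["event"], m["user"], m["src"]


def detect(lines):
    """Scan log lines in order and return (rule, user, src, iso_timestamp) findings."""
    findings = []
    recent_failures = defaultdict(deque)  # user -> timestamps of failures in window
    alerted_burst = set()                 # users already reported for a burst
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparseable lines are skipped, not treated as events
        ts, event, user, src = parsed
        q = recent_failures[user]
        while q and (ts - q[0]).total_seconds() > WINDOW_SECONDS:
            q.popleft()  # drop failures that have aged out of the window
        if event == "LOGIN_FAILURE":
            q.append(ts)
            if len(q) >= FAILURE_THRESHOLD and user not in alerted_burst:
                findings.append(("failure_burst", user, src, ts.isoformat()))
                alerted_burst.add(user)
        else:
            # A success right after a burst is the signature of a guessed password.
            if len(q) >= FAILURE_THRESHOLD:
                findings.append(("success_after_burst", user, src, ts.isoformat()))
            if not (SCHOOL_HOURS[0] <= ts.time() <= SCHOOL_HOURS[1]):
                findings.append(("out_of_hours_success", user, src, ts.isoformat()))
            q.clear()
            alerted_burst.discard(user)
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG.splitlines()):
        print(*finding)
```

On the sample log this reports the burst on the admin account, the success that follows it, and the late-night login, and stays quiet about the single mistyped password from jsmith. The same structure applies to Windows security events or a cloud identity provider's sign-in log once the parser is swapped for the real format; the value of the check is in correlating failures with the success that ends them, which no single log line shows.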

Complying with GDPR in schools

Technical data security measures that ensure ‘integrity and confidentiality’ are just one part of GDPR compliance. Schools are responsible for the personal data they hold and must adhere to all seven GDPR principles.

Many schools choose a GDPR Consultancy like Texaport’s to help them navigate GDPR’s complexities and keep their data safe.

Our GDPR Consultancy will guide you through the steps to achieve compliance:

  1. We’ll carry out an audit to analyse data storage, access and management across your school.
  2. We’ll report back with any steps to take to be GDPR compliant.
  3. We’ll help you implement changes and then double-check to give you peace of mind.

Next steps for safeguarding your school's data

Creating a safe learning environment for students is a priority for all school staff. Measures IT Managers put in place to identify and mitigate data vulnerabilities play a central role.

Data protection in schools is about keeping personal information safe and giving people control over their data. Breaching the GDPR not only risks a penalty from the ICO but also jeopardises the privacy of students and staff.

Strengthening your school’s data security not only ensures GDPR compliance but also helps keep your school’s community safe.

Power your progress

Join forces with us to build a stronger IT infrastructure, protect your data, and focus on your future.