Data protection for education providers

Steps data protection officers and organisation heads of education providers should take to stay compliant with data protection laws after the transition period.


All education providers will be a data controller or data processor and need to make changes following the end of the transition period.

Read this guidance if you:

  • are the head of an organisation, a data protection officer (DPO), or are responsible for data within an organisation
  • transfer personal data between the UK and the EU, Iceland, Liechtenstein and Norway (EEA)
  • transfer personal data within the EU, Iceland, Liechtenstein and Norway (EEA)

This guidance is:

  • not designed to cover every instance where you process personal data
  • not designed to replace your own risk review
  • not a substitute for legal advice


General Data Protection Regulation (GDPR)

GDPR will be brought into UK law and the Information Commissioner will remain the UK’s independent supervisory authority on data protection.

The Data Protection Act 2018 (DPA 2018) will continue to apply and the provisions of the GDPR will be incorporated directly into UK law from the end of the transition period, to sit alongside the DPA 2018.

The government has published a Keeling Schedule for the UK GDPR which shows the planned amendments.

For more information, see Data protection law.

Personal data

Personal data includes, but is not limited to:

  • contact information about pupils, students, learners, staff and carers
  • health information
  • details about recipients of pupil premium
  • employee references
  • safeguarding information about an individual
  • passport information, if planning trips to the EU
  • pupil exam references and results

Data controller

Data controller means a person, company or other body that determines the purpose and means by which personal data is processed.

Educational establishments, such as schools, colleges and universities, are often data controllers in their own right.

Data processor

Data processor means anyone who handles personal data on the instructions of a controller. Examples include storing, collecting or analysing data as part of a service provided to the controller.

Data protection officer

GDPR requires all organisations to appoint a data protection officer. Data protection officer duties include advising on data protection obligations, monitoring internal compliance and providing advice on data protection impact assessments. Read the ICO guidance about data protection officers.

Steps you should take

These steps will help you to continue sharing and receiving personal data lawfully.

You should:

  • continue to carry out your own risk review
  • get legal advice if you are not sure
  • make sure you are complying effectively with GDPR
  • use the ICO free web resources to determine what changes, if any, you may need to make

At the end of the transition period there will be 2 sets of rules to consider:

  1. UK rules on transferring data outwards from the UK to the EU (including the EEA) and the rest of the world
  2. the impact of EU transfer rules on those sending you personal data from outside the UK (including from the EEA) into the UK

In both cases, you can transfer personal data if it is covered by an adequacy decision, an appropriate safeguard or an exception.

The ICO has published a statement in response to the UK Government’s announcement on the extended period for personal data flows, which will allow time to complete the adequacy process.

Sharing data with the EU, Iceland, Liechtenstein and Norway

Contact anyone you share personal data with within the EU, Iceland, Liechtenstein or Norway.

You should explain you can still share personal data lawfully with them now that the UK has left the EU.

Receiving data from the EU, Iceland, Liechtenstein and Norway

Identify where you receive data from the EU, Iceland, Liechtenstein, or Norway, and determine:

  • who the data controllers and processors are
  • where the data is stored

Contracts: new and existing

Ensure that contracts that include the processing of personal data in the EU provide the additional safeguards required and, where appropriate, standard contractual clauses (SCCs).

This includes where data is being transferred from a data controller within the EU, Iceland, Liechtenstein and Norway to a UK data controller, or a UK data processor.

This applies to:

  • existing contracts
  • new contracts you put in place

Use the ICO free interactive tool to determine what contract changes, if any, you may need to make.

Data Protection Impact Assessments (DPIA) and privacy notices

Review and update your DPIAs and privacy notices with your data protection officer (or whoever has responsibility for data protection in your organisation).

Make sure they:

  • are up-to-date
  • reflect any changes you are making to your ways of working

Further information

Read the guidance on the Information Commissioner’s Office website for more information on data protection.

Published 27 March 2019
Last updated 31 December 2020 