New data protection changes are landing across the UK education sector, and they’re not just “for the DPO”. The Data (Use and Access) Act 2025 (DUAA) introduces updates that affect how schools share information for safeguarding, how they handle concerns from parents and staff, and what they should expect from suppliers whose services are used by children.
Most school leaders already know the basics: minimise data, secure access, train staff, keep policies current. The harder part is staying on top of what’s changed and turning it into a simple, repeatable process. Here’s a practical checklist to help get organised this term, without drowning in jargon.
What’s changed for schools
A clearer route for lawful sharing (including safeguarding)
The DUAA introduces changes to how lawful bases and “by design” expectations operate in practice. For schools, the impact is most visible in day-to-day decision-making: being confident about when you can share information, documenting why you shared it, and ensuring access is restricted to the people who genuinely need it.
A stronger expectation of “complaints-ready” data protection
One of the key shifts signposted in DUAA and associated regulator comms is that organisations are expected to make it easier for people to raise concerns about data use, and for those concerns to be handled consistently. For schools, that means moving away from “email the office and we’ll see” to a clear, documented route with ownership and timelines.
More pressure on children’s data protections (and your supplier chain)
The DUAA contains explicit provisions on “data protection by design” for children’s higher protection matters. In school terms: if an online service is likely to be accessed by pupils, you should expect stronger evidence from suppliers on how children’s data is protected, how profiling is avoided/limited, and how defaults are set.
Where schools typically fall short
Even well-run schools tend to trip up in the same places, usually because processes evolved over time and nobody stopped to standardise them.
DPIAs that don’t keep pace with procurement
New tools arrive fast: assessment platforms, messaging apps, behaviour trackers, CPD portals. DPIAs are often missed or left half-finished, which becomes painful when a concern is raised and you need to evidence due diligence.
SARs handled “case by case” instead of as a workflow
Subject Access Requests can become stressful when there’s no consistent method for logging, searching, redacting, and responding, especially when information lives across emails, documents, and multiple platforms.
Over-reliance on consent
Schools sometimes default to consent because it feels safest. But consent can be withdrawn, and it’s not always the most appropriate lawful basis for core school functions. The result is messy record-keeping and avoidable risk.
Limited visibility of third-party processing
Many schools can list their systems, but fewer can confidently answer: What exact data does each supplier hold? Where is it stored? Who can access it? What’s the retention policy? Under stronger expectations for children’s data, this visibility matters more.
A practical compliance checklist for 2026
Schools that want to get ahead of the June 2026 complaints deadline and align with the broader DUAA changes should prioritise the following steps.
1. Audit current data processing activities. Update your Records of Processing Activities (ROPA) to reflect every system, platform, and process that handles personal data. If you last reviewed this more than twelve months ago, it is overdue.
2. Review EdTech supplier contracts. Check that every supplier processing student data can demonstrate compliance with the DUAA’s children’s higher protection requirements. Where contracts are silent on this, raise it before renewal.
3. Build a formal complaints handling procedure. This must be in place before June 2026. It should include a clear submission route (not buried in a policy document), defined response timescales, a named responsible person, and a logging system for tracking outcomes.
4. Update privacy notices. Reflect the new recognised legitimate interests basis where applicable, particularly around safeguarding and emergency response data sharing. Review SAR wording to ensure it aligns with current ICO guidance.
5. Train key staff. Designated Safeguarding Leads, office managers, and anyone handling data requests should understand when and how pupil data can be shared under the new lawful basis. This is not just a DPO responsibility.
6. Set a regular review cycle. Data protection compliance is not a one-off exercise. A termly review, even a brief one, will catch gaps before they become problems.
How technology can help
If your data is scattered across spreadsheets, inboxes, paper files, and disconnected apps, compliance becomes manual effort, and manual effort is the first thing to slip in a busy term.
A well-designed school management system can support data protection in schools by making “good practice” the default: centralised records, role-based permissions, clear audit trails, and more consistent reporting. The big win is not flashy features; it’s fewer places for data to hide, fewer people with unnecessary access, and faster responses when something needs checking.
Cloud-based platforms can also reduce risk associated with local storage and unmanaged updates, while making it easier to pull together information for SARs or internal reviews, because the data is organised in one place, rather than stitched together at the last minute.
Act before September
The June 2026 complaints deadline is the most immediate pressure point, but schools should treat the broader DUAA changes as a prompt to review their entire data protection posture. Waiting until September, when new systems and staff arrive, makes the task harder. The summer term is the window to get this right.
If you use the checklist above as a termly rhythm, compliance becomes steadier, lighter, and far less reactive.