What the experts say…
GUARDING THE DIGITAL PLAYGROUND: KEY DATA PROTECTION LESSONS FOR MATS
Comment by KELLY DENTON, Data Protection Officer, Thinking Schools Academy Trust
With the Information Commissioner’s Office (ICO) increasing its focus on data protection in education, multi-academy trusts are working to enhance and refine their practices, ensuring compliance with the latest regulations and truly embedding data protection in daily operations.
At Thinking Schools Academy Trust (Thinking Schools), we prioritise data protection through a multi-faceted approach. We were delighted that our recent independent audit described our approach as “the best audit and practice in a MAT I have ever seen”. Here are our top tips for strengthening data security and compliance across schools and trusts.
1. Embed a strong data protection culture
Data protection must be an integral part of a school’s culture, requiring commitment from leadership and active engagement from all staff. To do this, at Thinking Schools, GDPR is an ongoing conversation through regular briefings on changes in policy, practice or legislation, integration into decision-making, and continual staff training, helping embed this culture. Senior leaders must also champion best practices, encourage transparency and reinforce that data protection is a shared responsibility.
2. Appoint GDPR Leads
While there are different ways to effectively address data protection, a decentralised approach can lead to inconsistencies. Therefore, to maintain accountability across our trust, we have appointed GDPR Leads in each school as the first point of contact for queries. They work closely with the Trust’s Data Protection Officer to maintain consistency. Our central data protection team engages with the school GDPR Leads through regular communication, advanced training and sessions to share best practices and learn from recent breaches.
3. Provide targeted GDPR training
Human error is one of the most significant risks in data protection. To mitigate this, we moved beyond generic GDPR training, offering role-specific programmes. Those handling complex personal data, such as school leaders, Designated Safeguarding Leads and the HR team, receive advanced data protection training. Tailoring training enhances engagement and ensures practical application of GDPR principles.
4. Implement a tiered Data Protection Impact Assessment (DPIA) process
A strong DPIA process is crucial for identifying and mitigating risks associated with new projects. Thinking Schools has developed a tiered DPIA approach to prioritise resources effectively. Lower-risk projects undergo a streamlined review, while high-risk initiatives receive in-depth assessments, balancing compliance with efficiency.
5. Prioritise safeguarding vulnerable groups’ data
Extra precautions are needed when handling data about vulnerable groups, such as students with Special Educational Needs and Disabilities (SEND), students subject to safeguarding measures, and children in care. At Thinking Schools, we identified our highest-risk systems processing this sensitive data and ensure they have the right configurations, the highest security levels and regular reviews. Staff handling this data receive enhanced training to manage it securely, focusing efforts where the risks are greatest.
6. Implement cybersecurity essentials
Robust cybersecurity measures are essential to managing data protection effectively, particularly given the rise in ransomware attacks on the education sector. At TSAT, we actively review and respond to breach patterns within our organisation, sector and region, adapting security practices to mitigate risks.
We have introduced measures such as Multi-Factor Authentication (MFA) for all staff and disabled portable USB drives. We conduct regular penetration testing to identify and address vulnerabilities before they can be exploited. Our strict access controls ensure staff only have access to the data necessary for their roles, reducing the risk of internal breaches. Additionally, we have changed our email domain names to lower the likelihood of misdirected emails and accidental data leaks.
Conclusion
Data protection is not just a regulatory requirement – it is fundamental to reliability, security and efficiency. Embedding a strong data protection culture, providing targeted training, implementing a risk-based DPIA process and strengthening cybersecurity enables trusts to stay ahead of regulations while protecting students and staff. Safeguarding children is at the heart of every good school and trust, and safeguarding their data is equally vital. Keeping data safe is a key element in protecting children, reinforcing its importance in every trust’s approach to security and compliance.
www.education-today.co.uk
April 2025