Home > About Us > FOI and DPA Advice for schools
FOI and DPA Advice for Schools

FOI and DPA Advice for Schools

All Schools must meet their Information Rights obligations.

Data protection – looking after the information you hold


Recommendations for Schools from the ICO

The ICO have produced a report, indicating areas of good practice, areas for improvement and practical advice, is based on the results of a questionnaire of over 400 schools across nine different local authorities in England and Wales. 

View the Summary report      

Subject Access    

Your pupils and students have rights to see their personal information. They can make a subject access request to see the personal information you hold about them. They – and their parents – also have the right to see their educational records.


The Protection of Freedoms Act 2012 places controls on the use of biometric systems in schools, for example for cashless catering or borrowing library books.

Exam results

If you intend to publish exam results in the media, you must inform your pupils and students first.

Taking photos in schools

The Data Protection Act does not prevent parents and teachers from taking photos of events such as the Christmas play or sports day. Asking permission to take photos is normally enough to ensure compliance. 

Freedom of information – making public information available

If the educational establishment you work in is a public authority, the Freedom of Information Act means you must produce a publication scheme, which outlines the information you will routinely make available to the public - such as minutes of meetings, annual reports or financial information.

ICO definition documents explain the detail of what you need to publish: 

Schools In Northern Ireland Definition Document

For further information & resources on the above please refer to https://ico.org.uk/for-organisations/education/ or contact the SELB Information Management Team.


Sharing of Personal Data


Schools are increasingly using third parties to assist with the delivery of services, some of which require the sharing of personal data. Some examples include: 

  • Text or e-mailing services
  • Attendance / behaviour management reporting
  • Cashless catering systems
  • Virtual learning environments or online assessment environments 

Because schools originally collect the personal data and the provider is conducting the service on behalf of the school, the school is accountable for any breach of the Data Protection Act by the provider, where proper assurances were not obtained around data security. Guidance has been created to help schools obtain these assurances. The guidance can be downloaded at the following here.

 The guidance provides advice on the information security/data protection areas schools must consider when using a third party provider to help deliver a service, and has three parts: 

  • Part 1. Data Protection considerations
  • Part 2. Technical standards and controls
  • Part 3. A proforma for schools to use to obtain assurances from providers in the areas referenced in Parts 1. and Part 2. 

It is the responsibility of the School Principal and Board of Governors to ensure that their school complies with the Data Protection Act throughout all its operations.   

Privacy Notice

The Data Protection Act requires personal data to be processed fairly, and often this is only possible if certain information is given to the individual or individuals concerned.

The oral or written statement that individuals are given when information about them is collected is often called a ‘fair processing notice’ or ‘privacy notice’.

In general terms, a privacy notice should state:

  • your School Name;        
  • the purpose or purposes for which you intend to process the information; and      
  • any extra information you need to give individuals in the circumstances to enable you to process the information fairly.      

Sample Privacy Notice

Advice for Governors

The following advice has been prepared to help develop a consistent approach to minute taking and to provide some guidance to staff who record minutes.

Guidance on Minute Taking

The SELB have also made a leaflet available providing Summary Guidance for Principals and Governors on FOI, EIR and DPA.

Sample Data Protection Policy for Schools


NameJob TitleContact Number
Colm Daly Information Management Unit Manager028 3751 2350
Monika FergusonRecords Officer028 3741 5365


The Southern Education and Library Board (the ‘Board’) was established as part of Local Government reorganisation in 1973 and is the largest of the five area Boards. The Board's principle functions are the provision of education and youth services to the District Council areas of Armagh, Banbridge, Cookstown, Craigavon, Dungannon & South Tyrone and Newry & Mourne. It spans 1,450 square miles with a total population of approximately 390,300 including 75,767 pupils.


3 Charlemont Place, The Mall, Armagh, BT61 9AX.
Telephone number: 028 3751 2200 | Email: info@eani.org.uk