You are in: School Admin » Schools Admin » GDPR, Data Protection & Freedom of Information


GDPR (General Data Protection Regulation)

Herts for Learning services and support:

GDPR Toolkit

This toolkit is designed to help Data Protection Officers (DPOs) in educational settings to carry out their role and contains supporting guidance, advice and materials to help schools achieve GDPR compliance and drive the right data protection culture throughout the organisation. This toolkit will evolve in the light of feedback from users and best practice in educational settings and provide support and guidance for your staff throughout the period of your subscription. Visit the HfL website:

DPO Support Services

For details on the Herts for Learning additional DPO support services, which include the GDPR toolkit and telephone and email support visit:

In-School Data Protection Awareness Training

Herts for Learning offers in-school, all-staff training on basic data protection and cyber security. This 90-minute staff meeting is a non-specialist, non-technical information and awareness session aimed at any member of staff that has access to personal data.

We discuss what constitutes personal data and the behaviours we need to adopt in order to protect it. The session provides the general information needed by all staff, but not the higher level, specialist training that may be required for a Data Protection Officer role. Similarly, the session does not cover the technical aspects of keeping a network secure, etc. and no information delivered in the session should be considered legal advice.

During the 90-minute session, we cover, for example:

  • A general overview of data protection and GDPR
  • Discussing potential risks to data
  • Precautions around sending emails
  • Protecting portable disks
  • Keeping a clear desk
  • Recognising 'phishing' and other types of fraud
  • Protecting ourselves again malware
  • How to make a strong password
  • How social media can mine our data
  • And more.

Schools that book the session will receive, electronically, a written summary of the advice given, an A3 poster to print / display and a certificate to evidence that the training has taken place.

To find out more or book a session, please contact Chris Carter, eDevelopments Adviser, at



If you have any DPA or FOI queries please contact the Schools Legal Helpline - 01992 555520 (comnet - 25520)


Cloud Software Services and Data Protection

The DfE have produced guidance for local authorities, school leaders, staff and governing bodies on cloud software services. It outlines how schools need to consider data security when moving services and sensitive information to the internet-based facilities of cloud computing (the cloud).


Data Security

Security of Confidential / Personal Data - Electronic and Paper

It is critical that schools consider the safety of confidential / personal data removed from a school site (electronic and paper). Ensuring that ALL staff are aware of how to handle sensitive or personal information and their responsibilities when accessing data is vital and this section provides guidance on staff training and recommendations.

If you are considering applying this method of security to any computer devices in your school which you think may be taken off-site:

  • data encryption must not be attempted on any file servers or computer devices configured as RM Community Connect 3 or 4 workstations;
  • storage devices such USB sticks are best encrypted in their entirety;
  • staff laptops that hold personal data should have an encrypted ‘container’ created where all sensitive data should be stored;
  • existing SIMS ‘master’ PCs should not be encrypted at this stage.  SITSS are considering the feasibility of encrypting the whole of the hard drive on all new SIMS ‘master’ computers.  We are also investigating the possibility of encrypting existing, older SIMS ‘master’ PCs;
  • backup media must be kept secure at all times.

Warning – keep your encryption password in a safe place.  Access to encrypted drives and ‘containers’ is controlled by password - should you loose it you will NOT be able to access your data!

How to Encrypt Files in schools only

School Policy in Brief


Also see:


Privacy Notice Guidance

The DfE provides suggested privacy notices for schools and local authorities to issue to staff, parents and pupils about the collection of data. These can be found on the DfE website:

 The HfL GDPR Toolkit also contains model privacy notices, including versions written in plain English.  More information on the HfL GDPR toolkit can be found on the Herts for Learning website:

Freedom of Information Act

ICO Advice to Schools Regarding Data Protection and Freedom of Information

The Information Commissioner's Office advice on the responsibilities of schools regarding Data Protection Act and Freedom of Information.

Freedom of Information and Environmental Information Regulations Act Guidance for Hertfordshire Schools (2016)in schools only

A document has been produced by Hertfordshire County Council Information Governance Unit in conjunction with Herts for Learning. It is designed to help schools understand their responsibilities under Freedom of Information Act 2000 (FOIA) and Environmental Information Regulations 2004 (EIR). The document can be downloaded here:


Publication Schemes (Freedom of Information)

The ICO has guidance for schools on publication schemes and model documentation including definition for schools, guides and templates


Template Model Publication Scheme for Nursery, Primary and Small Schools

Records Management for Schools

The Information Management Toolkit for Schools developed by the Information and Records Management Society can be downloaded from: