Schools and academy trusts operate within a layered set of obligations around data security and cyber resilience. The Department for Education's cyber security standards, the ICO's requirements for schools handling children's personal and sensitive data, Ofsted's leadership and management assessment criteria, and the specific obligations around safeguarding records all converge on a single operational requirement: schools need demonstrable, documented security controls — not just good intentions.
The DfE Cyber Security Standards
The Department for Education published its Cyber Security Standards for Schools and Colleges in 2023, providing specific expectations for educational settings. The standards are mapped to the NCSC's Cyber Essentials framework and cover five technical domains: firewalls, secure configuration, user access control, malware protection, and patch management — the same five controls that Cyber Essentials certifies.
The DfE standards also address backup and recovery, staff training, incident management, and third-party supplier security — going beyond the Cyber Essentials technical baseline to address the operational security programme that schools need to maintain. The standards are not currently statutory requirements but are strongly recommended, and the DfE's expectation is that schools and trusts treat them as the minimum acceptable level of cyber security provision.
Ofsted inspectors assessing schools under the Education Inspection Framework include governance and leadership of safeguarding and information management within the well-led judgement. A school or trust that cannot demonstrate it has addressed the DfE cyber standards may receive adverse findings under this judgement area. For a trust undergoing a full inspection, weak information governance findings affect the overall leadership and management grade.
UK GDPR: Children's Data and Special Category Information
Schools process two categories of data that carry the highest protection requirements under UK GDPR: children's personal data and Special Category data (including health information, SEND records, and safeguarding information).
The ICO's Children's Code — the Age Appropriate Design Code — establishes specific expectations for organisations processing children's data. While it was primarily designed for online services, it signals the ICO's heightened concern for children's privacy and the standard it expects organisations to meet when handling data about minors.
Special Category data — including health information in SEND records, mental health referrals, and child protection information — attracts the most serious consequences when breached. The Article 32 requirement for appropriate technical measures applies with maximum force. The ICO has issued enforcement notices and fines to schools and local authorities for failures to protect sensitive pupil data, including cases involving inadequate encryption, insufficient access controls, and the absence of any breach detection capability.
The 72-hour breach notification obligation applies to schools exactly as it applies to any other data controller. A school that discovers a ransomware attack on a Monday morning has 72 hours to notify the ICO — a timeline that is challenging without a pre-documented notification procedure and a security contact who can rapidly assess the scope of the breach.
Safeguarding Data: The Highest-Stakes Category
Safeguarding records — child protection plans, referrals to social care, multi-agency child protection conference records, and records of disclosures — sit outside the normal data protection framework in one important respect: the obligation to protect vulnerable children may require sharing this information with appropriate authorities in ways that override normal confidentiality constraints. This does not reduce the security obligation — it heightens it. Information that must sometimes be shared with specific, authorised parties must be protected from disclosure to unauthorised ones with particular rigour.
The designated safeguarding lead (DSL) is responsible for the management and security of safeguarding records. This responsibility includes ensuring that safeguarding records are accessible to appropriate staff when needed — including in the event of a cyber incident — while being protected from unauthorised access. A ransomware attack that encrypts safeguarding records, making them unavailable to the DSL at a moment when they are needed to manage an active safeguarding concern, creates a child protection emergency alongside the IT incident.
Schools should maintain an offline, up-to-date copy of active safeguarding records — either paper-based or on an isolated system — as part of their business continuity planning for cyber incidents. This is a child protection requirement, not just a backup planning one.
The RSC and Trust-Level Governance
Academy trusts are accountable to Regional Directors (formerly Regional Schools Commissioners) for the governance and management of their schools. The Academies Financial Handbook, published annually by the ESFA, includes requirements for appropriate risk management and internal control. A trust that experiences a significant cyber incident — particularly one involving public funds or pupil data — may be subject to scrutiny from the Regional Director and the ESFA in addition to the ICO.
Trusts should ensure their cyber security arrangements are reflected in their risk register, their audit and risk committee oversight, and their annual governance statement. The Confidence Score report — a monthly document produced by a named analyst — provides the ongoing evidence of risk management activity that governance reporting requires.
Keeping KCSIE and Cyber Security Together
Keeping Children Safe in Education (KCSIE) — the statutory safeguarding guidance for schools — includes requirements around online safety and the safe use of technology by pupils. While KCSIE's primary focus is the protection of children from online harm, its governance requirements — that leaders ensure appropriate policies are in place and that staff are trained — apply to the school's own data security as well as to pupil online safety. A school where leadership cannot demonstrate awareness of and compliance with cyber security standards is not meeting the KCSIE governance expectations.
DfE Standards Met. Safeguarding Data Protected. Ofsted Ready.
SOC in a Box provides the 24/7 monitoring, Cyber Essentials certification, and monthly Confidence Score reports that address DfE cyber standards, ICO accountability obligations, and Ofsted well-led criteria simultaneously. Deployed across individual schools and multi-academy trusts, with trust-level and school-level reporting available from a single service.