Data Protection in Schools – Performing a Data Walk

Ensure your school is compliant with the GDPR and highlight potential breaches of your data protection policy with a simple walk through.

Ensuring internal compliance with the General Data Protection Regulation (GDPR) and Data Protection Act 2018 is certainly not a simple task. It is important that schools have efficient processes in place to highlight any potential breaches to your school’s data protection policy. 

A data walk is a valuable tool to promote both managerial and peer review whilst nurturing a strong, demonstrable, data privacy culture. To ensure effectiveness, the data walk should be unannounced, random, carried out by either the school chief privacy officer or the department data champion (gatekeeper), and be part of the school overall review process which is reported back to the school data protection team.

When performing the walk, it is very helpful to follow a basic checklist, an example of which can be seen below:


GDPR and safeguarding in schools go hand in hand. If safeguarding notices (such as medical alert sheets) or documents are present they should be out of public sight but easily accessible i.e. behind a door or with a cover page over them. If you decide to secure them ensure it is not at the expense of your school safeguarding plans.

Remember! Safeguarding notices in the staff room have the purpose of raising awareness of staff who may not have regular access to that pupil but is required to be aware. It is strongly advised not to use the staff room as a meeting room with members of the public or suppliers.

See also:

Physical Security of Documents

In rooms containing sensitive data (such as data collection sheets, admission forms, medical records, job applications, staff records etc) identify where the security perimeter lies. For example, if it is in a shared office area, are the filing cabinets, draws etc lockable, or alternatively, if it is a dedicated office or an office not open to the public, is the room lockable and individual access controlled.

If the data walk is being carried out at the end of the school day, have the filing cabinets and draws, containing sensitive personal data, been locked.

One school had a counter in to control visitors and students, but it was left up allowing visitors and pupils to enter and view any personal information which had been left on desks unattended. Where is your control in the admin office?

If documents, containing sensitive personal data, are being carried around school, is a policy of clear desk clear screen being observed ensuring that none of these records is left unattended for extended periods of time. Are they being locked away at the end of the day?

See also:

Shared Printers and Photocopiers

In environments containing shared printers or photocopiers, are there signs on the walls reminding individuals to check and ensure that they take any printouts, copies, or original documents away with them?

Check the equipment and ensure that no documents are present.

Physical Security of Equipment

In areas of the school containing physical equipment ensure that public access is controlled. Especially in admin or publicly accessible areas. Are physical security methods employed such as tether locks (also known as Kingston locks), cages or any other security measures employed to ensure equipment cannot be stolen?

In areas where servers are kept, are they secure, locked and controlled access to authorised personnel only. Make special note of any servers not located centrally i.e. in IT suites, or separate offices. Do they contain any sensitive personal data? Are they secure? Are they vulnerable to theft?           

Have any portable devices been left out such as USB drives, tablets or laptops? Is the staff member following physical security best practices? Especially in relation to easily portable devices.

Cyber Security

When entering an area make a note to check if any workstations are left logged in, check under the keyboards for post-it notes or notebooks with passwords written down. It does happen!

See also:

Screens and Monitors

In areas where sensitive personal data is processed (admin areas, bursars office, SLT offices) are screens or monitors viewable via either windows, accessible by the public or in some cases staff (when processing personnel records, etc) or other areas accessible to the public or unauthorised staff members, such as front desks and corridors?

Key question! As text 1 inch tall is viewable up to 10 meters away, are you aware of your working environment?


We have a wide selection of courses focused on data protection in schools and schools risk management. From preventing common mistakes in your school to identifying and managing data breaches. Search our training courses.